Firms holding digital assets sit somewhere on a spectrum of custody sophistication. The engineering differs enormously across that spectrum. The human terminus does not.
Tier I — Ad hoc self-custody
Keys live on hardware wallets, in seed phrases, or in a multisig where the signers are the founders. There is frequently no dedicated security function. The people who built the company are the people who hold the keys.
At this tier the insider threat and the physical threat are not two problems. They are one problem viewed from two angles. The key cannot be reached remotely because it was never exposed to a network. It can only be reached through the person. That makes the human the entire attack surface, and you cannot firewall a founder's house.
Tier II — MPC and wallet-as-a-service
Key material is sharded and the single private key ceases to exist. This is a real and worthwhile security investment, and many firms emerge from the migration believing they have solved custody risk.
They have not solved it. They have relocated it. What replaces the key is a policy engine, a set of quorum definitions, and a platform operator — each a control surface, each administered by a human. Whoever can edit transaction policy or approval thresholds can move funds without ever touching key material. And a 3-of-5 signing policy is only 3-of-5 if the five are genuinely independent: if two report to the same executive and one is a contractor, the cryptographic threshold and the real-world threshold are different numbers.
You cannot wrench-attack a key shard. You can absolutely wrench-attack a quorum member.
Tier III — Qualified custodian
Custody is delegated to a regulated institution with hardware security modules, a fiduciary duty, and an audit trail. For the asset owner this feels like the problem has been solved by delegation.
It has been split into two insider problems, and one of them is still yours. The custodian is a company staffed by people whose insider-threat program is now load-bearing for your assets and which you have almost certainly never reviewed. And delegating custody does not delegate authorization: somebody at your firm still instructs the custodian to release funds. When that person is compromised or coerced, the custodian faithfully executes a perfectly authenticated instruction. The theft is fully authorized, because the authorizer was the target.