How do big exchanges such as coinbase, binance and okex manage their keys?

There is a common saying: "not your keys, not your coins", for the obvious reason that the person who holds the key manages the assets.

When it comes to crypto, I'm wondering how big exchanges manage this problem. One data breach could result in huge losses.

I've understood that they use the following security tactics:
– Having hot and cold storage ( most is in cold storage, not connected to their servers )
– Having multisig ( no key is stored by itself, but with parts in different parts of the world, where any 3 out of 5 for example can re-create the key )

What else are they doing to protect customer assets?

I'm asking as I'm interested in the best practice in the space.

I understand a lot of exchanges probably operate with some degree of secrecy, and the goal here is not to get info that shouldn't be public. The goal is to understand how professional exchanges operate, and how to spot "bad practices".