So hear me out. I understand exchanges have hot/cold wallets and mostly use their hot wallets. But at some point they need to send crypto from their cold wallet to their hot wallet.

Who does this? The CEO & only the CEO? Technically whoever holds the password to these keys could send it to any address and it not be retrievable. The person would be in a lot of trouble but the crypto would probably be unobtainable.

Even if that crypto is "insured" the insurance company would probably only be able to payout in fiat.

Basically, how do exchanges keep your crypto secure?