Who is responsible for protecting an asset that has value, while in one's possession?

Protecting an asset while it is in someone’s possession is the responsibility of the custodian. The custodian is the party charged with safekeeping and implementing the day-to-day security controls for the asset—controls like access management, storage, backups, monitoring, and incident response. They turn policy into practice and ensure the asset remains protected during handling and when in use. The data owner or controller sets the business requirements, defines what must be protected, and bears accountability for risk and policy decisions, but they typically do not perform routine protective duties. Confidentiality is a security objective, not a role. In this context, the custodian is the best fit for the responsibility of protecting the asset during possession.