Custody over the rewards is handled via a 'Multisig' mechanism, which in turn is governed via a Decentralized-Autonomous-Organization (DAO).
A Multisig mechanism requires a certain threshold of different parties signing a transaction before it is considered valid, e.g. 2 out of 3 parties need to sign a transaction before it can be processed.
A DAO is a decentralized organization that is governed through programmatic and transparent rules. The right to participate in the DAOs governance is represented through tokens.
Reward custody risk refers to who has control over the delegators pending rewards.
There are three subcategories through which the reward custody risk can be clustered: 'Validator-Custody'; 'Self-Custody'; or 'DAO Multisig'.