Decrypting crypto: How insurers can catch the cryptocurrency boom
This is an edited version of Sydney Wotton + Kearney solicitor Jessica Chapman’s paper that won AILA’s inaugural Gill Award.
The sheer value of the cryptocurrency industry presents a welcome opportunity for insurers worldwide.
Although there are risks with providing cover to cryptocurrency exchanges, and related companies holding cryptocurrencies, they can be mitigated. Insurers contemplating entering the burgeoning industry should consider holding their own crypto-assets and writing policy limits in cryptocurrency as opposed to fiat currency.
Insurers also must be willing to conduct in-depth due diligence on prospective insureds’ approaches to cybersecurity, governance and storage. Underwriters should seek out the relevant expertise before attempting to engage with prospective insureds.
The large amounts of cover required for key cryptocurrency exchanges worldwide probably require the participation of multiple international insurers to ensure the risk is diversified and the industry remains profitable. Experience shows cryptocurrency exchanges are willing to pay massive premiums in exchange for mitigating the significant risk of large-scale hacks.
The cryptocurrency insurance industry has been characterised by huge demand, but a lack of supply and capacity. It is time for insurers to play a role in assisting the industry to prioritise risk management and consumer protection, which will be facilitated by the growing role to be played by global financial regulators.
Since Bitcoin’s introduction and the mass growth of global cryptocurrency exchanges, media reports have focused on the risks for individuals buying and trading cryptocurrencies, the fact that many exchanges do not ensure their holdings are fully asset-backed at any given time, and that exchanges are not insured against cryptocurrency theft.
However, insurers have already dealt with cryptocurrency in the context of cyber policies. Hackers have begun demanding ransom payments in Bitcoin or other cryptocurrencies following successful ransomware infections. The experience of many insurers has been that ransomware claims have increased in value in parallel with increases in the value of Bitcoin.
Beazley reported ransomware claims had increased in value by about 70%, and XL Group reported that average payments had risen from $300 to between $20,000 and $60,000.
AIG sold its first blockchain-based policy to UK-based Standard Chartered Bank in 2017, with a blockchain ledger used to record insurance data and track policy and payment data in real time.
So insurers have already been required to become comfortable with their insureds paying ransoms in cryptocurrency and insurers have shown interest in adopting blockchains for their own governance and claims management purposes. Writing policies for the theft of cryptocurrency from cryptocurrency exchanges, however, appears to be a different ball game in which insurers are reluctant to participate.
The market for cryptocurrency insurance is suggested to be worth US$200 million to US$500 million in annual premium revenue once insurers establish guidelines and internal policies for accepting the risks, and work up the courage to do so. The industry is also expected to outpace the growth insurers have seen globally in cyber insurance.
Insurers should not hesitate in entering the market to, at the least, increase competition and consumer protection, stimulate the market and encourage cryptocurrency exchanges to establish stronger cybersecurity and risk management practices.
What are cryptocurrencies?
The concept of a blockchain ledger first arose from Satoshi Nakamoto’s white paper on the cryptocurrency Bitcoin. Bitcoin and blockchain are not the same. Bitcoin and other cryptocurrencies are an application of the underlying blockchain technology. Some central banks around the world are investigating and developing the possibility of a sovereign cryptocurrency to replace or operate alongside the sovereign fiat currency.
The term blockchain reveals the key features of its structure: blocks linked together in a chain. Each block individually stores pieces of information and, as more information is added to the database, more blocks join the chain indefinitely. For a cryptocurrency operating on a blockchain, the information stored includes anything required to identify the parties to a transaction and the amounts involved. The chain over time creates a database of transactions which continues to grow.
The chain structure is what makes it possible to verify the integrity of the data stored in each block (ie to confirm a valid transaction took place). The contents of a block are protected by linking it successively down the chain: each block carries a cryptographically generated hash by which the previous block can be conclusively identified. Any change to an earlier block alters its hash and breaks that link, so the order of the blocks is maintained and the integrity of the chain is guaranteed.
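As an added illustration of the hash linking described above (not code from the paper or from any real blockchain), the following Python builds a small ledger in which each block carries the SHA-256 hash of its predecessor, and shows that editing a past transaction is detected either at the edited block or, if the tamperer also recomputes that block's hash, at the next block whose link no longer matches. The parties and amounts are constructed sample data.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List

GENESIS_PREV = "0" * 64  # constructed sentinel: the first block has no predecessor


@dataclass
class Block:
    prev_hash: str            # hash of the previous block (the chain link)
    transactions: List[Dict]  # who paid whom, and how much
    hash: str                 # hash over prev_hash + transactions


def block_hash(prev_hash: str, transactions: List[Dict]) -> str:
    # Canonical serialisation so identical content always yields the same digest.
    payload = json.dumps({"prev": prev_hash, "txs": transactions}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_block(chain: List[Block], transactions: List[Dict]) -> Block:
    prev = chain[-1].hash if chain else GENESIS_PREV
    block = Block(prev, transactions, block_hash(prev, transactions))
    chain.append(block)
    return block


def first_invalid_block(chain: List[Block]) -> int:
    """Index of the first block whose link or content is inconsistent, or -1 if intact."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1].hash if i > 0 else GENESIS_PREV
        if block.prev_hash != expected_prev:
            return i  # link to the predecessor is broken
        if block_hash(block.prev_hash, block.transactions) != block.hash:
            return i  # content was changed after it was hashed
    return -1


def build_sample_chain() -> List[Block]:
    chain: List[Block] = []
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 5}])
    append_block(chain, [{"from": "bob", "to": "carol", "amount": 2}])
    append_block(chain, [{"from": "carol", "to": "alice", "amount": 1}])
    return chain


def tamper_middle_block(chain: List[Block], rehash: bool) -> int:
    """Inflate a past payment on a copy of the chain and report where verification fails."""
    forged = copy.deepcopy(chain)
    forged[1].transactions[0]["amount"] = 200
    if rehash:  # a tamperer who also fixes up the edited block's own hash
        forged[1].hash = block_hash(forged[1].prev_hash, forged[1].transactions)
    return first_invalid_block(forged)
```

Because block 2 still records block 1's original hash, rehashing the edited block only moves the detection one link down the chain; every later block would have to be rewritten as well.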
The blockchain ledger begins with a single block of information and builds block by block to become an ever-growing succession of records. The ledger is accessible by any computer running the same protocol, however data stored within each block are encrypted and only accessible via an access key.
For new blocks to be added or changes made, the participants in a decentralised ledger must reach a consensus about that addition or change. Different blockchains have different requirements for reaching consensus. Some have a central authority responsible for authorising changes.
A widely publicised apparent benefit of blockchain technology is strong data security. A decentralised ledger “rais[es] the barriers for manipulation of stored data”, as there is no central authority’s server to attack to force consensus to a proposed change.[1] A hacker would be required to intercept several nodes to achieve consensus, in circumstances where they may not know the consensus mechanism used or the total number of participating nodes.
Hackers can exploit the programming of a blockchain to allow users to withdraw more than the balance of their accounts. That occurred during Ethereum’s initial coin offering (ICO), when hackers diverted US$50 million from the US$150 million raised.[2]
In time, new developments, such as in quantum computing, could break the encryption underlying any blockchain ultimately adopted to store data. The code behind blockchain “is written by humans and always subject to human error”, so blockchain should not be treated as a “magical cybersecurity silver bullet”.[3]
Blockchains are not immune from hacking. One key risk is the misuse or loss of access keys. Keys must be resistant to digital theft, but that is difficult to achieve, given the safety and management of keys is ultimately in the hands of individual cryptocurrency holders.
Hackers may choose to exploit vulnerabilities in how access keys are managed to intercept transactions and steal digital assets, rather than target the blockchain ledger (which is protected by complex cryptography).
In the Asia Pacific region, there are huge disparities in whether and how cryptocurrencies are regulated, and ICOs have been controversial. China and South Korea are among the strictest jurisdictions and Singapore among the most lenient.
In Australia, ASIC has issued guidance to the effect that, in most cases, a “crypto-asset” will be treated as a financial product for regulatory purposes, and cryptocurrency exchanges may then be treated as financial markets, given they facilitate the sale and exchange of cryptocurrencies. If an exchange is treated as a financial market, the operator will be required to hold an Australian market licence and be subject to applicable regulatory rules.
The slow shift towards more regulatory certainty for cryptocurrency exchanges and cryptocurrencies is useful and reassuring for insurers looking to enter the market.
The opportunity for insurers
According to CipherTrace, losses of cryptocurrency by hacking in 2018 amounted to US$1.7 billion and were 3.6 times higher than 2017.[4] The total current market cap for Bitcoin (excluding other cryptocurrencies) at September 2019 was about US$185 billion according to CoinMarketCap.[5] Insurers have access to a highly valuable market which, although subject to significant risks, also offers strong opportunities for insurers to encourage cryptocurrency exchanges to improve their governance and cybersecurity processes and policies.
In January 2018, Tokyo’s Coincheck cryptocurrency exchange reported a cyber theft of US$534 million of coins. A Coincheck representative said, “[i]n a worst-case scenario, we may not be able to return clients’ assets”.[6] That was the highest reported loss of cryptocurrencies since their introduction.
Binance, one of the largest global exchanges, suffered a US$40 million theft in 2020 and did not hold any external insurance. Binance reimbursed customers through its Secure Asset Fund for Users (SAFU), which it had announced on 3 July 2018. The SAFU is funded by diverting 10% of all trading fees into it and operates as self-insurance.[7] That was a missed opportunity for insurers, as Binance is willing to funnel significant funds into SAFU which could otherwise have been paid in annual premiums.
After a large-scale hack, BitFinex replaced 36% of the cryptocurrency held in each customer account with a token that could be used to redeem the value later. Thanks to the rapid surge in the value of Bitcoin, BitFinex repaid its customers within a year. However, had that not occurred, customers would have been left in an indefinite lurch awaiting the redemption of their tokens. The risk was put on customers rather than the exchange itself to preserve the exchange’s existence in the short term.[8]
Although cryptocurrencies are described as currency, and exchanges as the equivalent of traditional banks, that description ignores the fact that fiat currency has real value backed by insurance and that banks are governed by legislation and regulatory schemes.
The market for Bitcoin and other cryptocurrencies has not yet developed to the point where that applies universally or even in a majority of cases. Instead, cryptocurrencies are seen as “highly speculative, largely unregulated and uninsured against theft”.[9] If Coincheck had held a cryptocurrency theft policy, similar to existing traditional crime policies covering criminal theft, the outcome for all parties would likely have been different.
Insurers enter market
There are examples of insurers globally starting to enter the cryptocurrency market. However, they are relatively secretive and minimal details have been made public. In early 2018, XL Catlin, Chubb and Mitsui Sumitomo were reported as providing cover for companies which held cryptocurrencies. XL Catlin’s Greg Bangs has confirmed the insurer offers annual crime coverage of up to US$25 million per incident. AIG has had an interest in cryptocurrency theft coverage since as early as 2015, however few policies have been written.[10]
Some insurers expressly exclude hacking events when insuring companies which hold cryptocurrency, given the perceived volatility and insecurity of cryptocurrency wallets. Great American Insurance Group began offering protection for employee theft to insureds that accepted payment from customers by Bitcoin in 2014 as an optional extension to its standard employee theft policy.[11] Other insurers commonly exclude cover for coins held online in “hot storage” because they are more vulnerable to hacking than coins held offline in “cold storage”. Cold storage includes the secure storage solution created by Custodian Vaults and Decentralised Capital, which is a specialised vault with strong physical security. The companies have an insurance policy for cryptocurrency held within the vault.[12] The crypto-assets themselves continue to exist on the blockchain, but the vault can protect the access keys.
Coinbase, one of the largest cryptocurrency exchanges, has insurance for all the coins it stores in hot storage, which is 2% of its overall holdings.[13]
Australian-based insurers have not expressed any publicised interest in the cryptocurrency insurance sector. However, Independent Reserve became Australia’s first insured cryptocurrency exchange in 2020, underwritten by Lloyd’s of London.[14] The policy is said to cover loss or theft of cryptocurrency from Independent Reserve’s trading accounts only, not from customers’ accounts being hacked. Any loss of value from the cryptocurrency’s volatility is also excluded.
Aon has been leading the pack for brokers globally and lists “blockchain, cryptocurrencies and ICO solutions” as part of its expertise and overall service offering.[15] It has been involved in obtaining insurance for cryptocurrency exchanges and custodians such as Gemini Trust Company LLC[16] and Coinbase (a US$255 million policy announced in April 2019 through Lloyd’s).[17]
Insurance options are also becoming available for individuals. BlockRe offers policies to crypto-asset holders providing cover for loss or theft of private access keys and hacking, among other things.[18] In September 2019, Axa XL announced it would provide contractual liability insurance to Hoyos Integrity Corp for amounts paid out if there was a breach of its digital hot wallet. Wallet users could be reimbursed up to US$1 million.
The short list of cryptocurrency-related companies which have obtained insurance for their cryptocurrency holdings shows that is just the tip of the iceberg of opportunities available for insurers worldwide.
Suzanne Barlyn has suggested annual premiums for a standard US$10 million in theft coverage would typically be around US$200,000. That is double the 1% premium which would be typical for traditional financial institution insureds.
Risks and due diligence
The many risks associated with underwriting policies for cryptocurrency exchanges are the primary reason behind insurers’ reluctance to enter the cryptocurrency insurance industry, or their tendency to withhold information about policies written and companies seeking cover.
Lloyd’s issued a directive to all its syndicates in July 2018 warning them to proceed with caution when approached by crypto-asset companies and to ensure managing agents involved with such companies had the expertise to properly assess the risk.[19] Ten syndicates had indicated interest in crypto exposures, and Lloyd’s syndicates now appear responsible for the vast majority of coverage available to cryptocurrency exchanges.
It appears companies which have secured coverage have predominantly been able to do so by evidencing well-tested, well-recorded security protocols, including features like external oversight, regular due diligence and daily reconciliation audits.[20] Cold storage tends to be preferred by insurers as it correlates with decreased risks, most importantly of hacking. The primary remaining risk for cold storage is social engineering, and companies like Kingdom Trust secured cover because they employed security mechanisms to combat that, like address whitelisting.[21]
Premiums offered by insurers can fluctuate based on the security measures adopted by prospective insureds. That approach has already seen insurers charging far more for coverage for hot wallet exposures as opposed to cold storage alone.
Apart from security issues and insurers conducting extensive due diligence, there are also issues arising from the valuation of cryptocurrencies, given their volatility.
Insurers face the question of how to quantify claims and what cryptocurrency valuation ought to apply to payments made to insureds. Coinbase, which holds an insurance policy underwritten by Lloyd’s, has argued that issue would be ameliorated by insurers holding crypto-assets themselves and offering policy limits denominated in cryptocurrency.[22] Regardless of how insurers choose to navigate that complexity, it does not appear to make practical sense for policies to be denominated in fiat currency but cover assets which can only be denominated in cryptocurrency.
Insurers can take advantage of guidelines issued by governments and non-government organisations or industry bodies to assess the risk posed by prospective insureds. They can act as much-needed benchmarks in an industry otherwise relatively devoid of data to draw on. For example, the Depository Trust & Clearing Corporation has issued a clear set of guidelines about governance for blockchains used as part of finance solutions.[23] Although non-binding, the guidelines will assist insurers to understand industry expectations affecting prospective insureds and set their own benchmarks for providing cover.
[1] Dirk A Zetzsche, Ross P Buckley and Douglas W Arner, ‘The Distributed Liability of Distributed Ledgers: Legal Risks of Blockchain’ (2018) 2018 University of Illinois Law Review 1361, 1371.
[2] MaryGrace Johnstone, ‘Catch Me If You Can: Resolving Bitcoin Disputes with Class Actions’ (2019) 15(1) The Canadian Class Action Review 45, 52.
[3] Dalmacio V Posadas Jr, ‘The Internet of Things: The GDPR and the Blockchain May Be Incompatible’ (2018) 21(11) Journal of Internet Law 1, 24; Noah Webster and Aaron Charfoos, ‘How the Distributed Public Ledger Affects Blockchain Litigation’ (2018) 37 Banking & Financial Services Policy Report 6, 13.
[4] CipherTrace, ‘Cryptocurrency Anti-Money Laundering Report, 2018 Q4’ (Report, January 2019).
[8] MaryGrace Johnstone, ‘Catch Me If You Can: Resolving Bitcoin Disputes with Class Actions’ (2019) 15(1) The Canadian Class Action Review 45, 53.
[9] MaryGrace Johnstone, ‘Catch Me If You Can: Resolving Bitcoin Disputes with Class Actions’ (2019) 15(1) The Canadian Class Action Review 45, 59.
[23] Depository Trust & Clearing Corporation, ‘DTCC Guiding Principles for the Post-Trade Processing of Tokenized Securities: A White Paper to the Industry’ (White Paper, March 2019).