Better Safe Than Sorry: How High-profile Hacks Are Stimulating Insurance For Digital Assets

Insurance. It always seems expensive until it's needed. In the token economy, where even the most established players have suffered losses, we are constantly reminded of the threats to client funds through third-party hacks, insider collusion or key person risk.

In 2019 alone, many well-recognized players have fallen victim and lost client funds. Starting off the year, QuadrigaCX lost access to US$190mm in client funds in February when the founder allegedly died abruptly and their cold wallets were later found to be empty. In March, Bithumb had US$13mm worth of EOS stolen in what was suspected to be insider collusion. In May, Binance, an industry titan, had US$40mm of Bitcoin stolen in a hack which compromised user credentials and 2FA of several high net worth accounts, allowing hackers to steal the assets that were stored in hot wallets.

In the face of a fast-growing need for insurance coverage against the loss of client assets in the digital asset domain, the insurance industry has responded by adapting crime and specie type policies to address the needs of the token economy. However, the growth of digital asset risk capacity from insurance underwriters remains muted. Murray Wood, Asia head of financial specialties at Aon, said that “the number of insurers and reinsurers that are willing to underwrite cryptocurrency cybersecurity risk is extremely narrow. The amount of available coverage capacity today is under US$1 billion per transaction.”

The lack of capacity is due to a two-pronged issue: digital asset companies largely have poorly designed protection and control processes, and underwriters lack an understanding of digital asset-specific risks. According to market intelligence from Aon, only 2% of digital asset organizations in Asia are insurable through traditional underwriting[1]. As such, the risk appetite of insurers remains limited and premiums remain higher. According to Usman Ahmad, Group CIO of BC Group, “underwriters need to gain a far more robust understanding of the crypto industry as well as its specific risks before we can expect growth in the availability of accurately priced insurance policies with adequate levels of coverage.”

With the market for such insurance still nascent and extremely expensive, many industry players have opted to market what is now commonly referred to as “self-insurance”. Self-insurance is when a company puts aside a portion of the fees collected to pay for potential future loss incidents. However, with only the company’s verbal assurance to provide coverage for stolen assets, a concern arises. As Ouriel Ohayon at Forbes rightly asked, “What if, instead of…$40 million, the hackers stole $400 million?”[2]

Self-insurance: sounds great but is this sufficient?

As requirements are still being hashed out by regulatory bodies, the self-insurance model is designed to provide comfort while avoiding the large premiums that come with insuring digital assets. However, it is important to remember that self-insurance is not real insurance. Clients are simply provided with an unwritten assurance that the company will cover any losses incurred from hacks or fraudulent activities with company funds that were not targeted or were stored separately. As such, self-insurance hinges solely on the degree of trust end-users have in the company’s ability to pay back any and all losses following an incident resulting in the loss of assets.

Of course, this is not to say that self-insurance is without its own benefits. Due to its structure, self-insurance provides a cheaper product to the end client by reducing large overhead costs for the custodian. However, the cost-saving benefits need to be balanced with the risks that come with self-insurance for both the custodian and the end-user. Self-insurance is effectively a slush fund where a portion of revenues is stored in a segregated wallet so that there is a reduced likelihood of it being targeted during an attack on the client wallet. However, the custodian is not legally obliged to cover the losses to its users. We should also consider that if the company’s cold wallet has been compromised, or in cases of collusion, its segregated assets may also meet the same fate.

More importantly for regulated funds and entities, the question remains whether a policy of self-insurance will carry any credibility in the minds of regulators whose primary role is to protect the interests of investors in their jurisdictions. As such, for digital asset companies that want to capitalize on institutional interest in the asset class, the ability to bring together best-in-class security and insurance coverage is critical.

Digital asset underwriting: Types of insurance policies expanded to cover digital assets

In light of the limitations of self-insurance, third-party insurance has been adapted from traditional asset types to provide coverage for digital assets. As mentioned above, the coverage is offered under two policy types: Crime insurance and Specie insurance. These policy types have been extended by a limited number of underwriters to cover digital assets.

Specie insurance

Specie insurance traditionally provides coverage for high-value items such as fine art, gold bullion, and jewelry stored in vaults. When applied to digital assets, this type of insurance is effective at protecting against natural disaster scenarios and the insider theft or destruction of private keys that are stored in the vault.

Crime insurance

As the name implies, crime insurance offers protection against the loss of property when a malicious actor perpetrates fraud, embezzlement, forgery or theft against the company. This policy type is effective at providing coverage against a security breach or hack, employee theft, employee collusion, or fraudulent transfers triggered within the insured party.

Digital asset custody and insurance: Working hand-in-hand to provide peace of mind

The principal purpose of custodians for digital assets is the safekeeping and servicing of an investor’s asset such that investors can efficiently build and maintain their wealth[3]. Leading custodians will protect against three main threat vectors. The first and most common cause of loss is digital threats, which include the risk of hacking and electromagnetic eavesdropping. The second is physical threats, which involve the destruction or theft of wallet infrastructure used to hold the private keys. The third, last but not least, is weaknesses in process design, where poorly designed operational and control processes allow for insider collusion and key-person risk. However, while providing protection against this trifecta of threats is necessary to effectively protect custodied digital assets, the risk of a loss incident is not completely eliminated.

The role of insurance is to provide a final backstop, giving confidence to investors that they will be able to recover their investments in an unforeseen loss incident, through credible third-party coverage.

ANXONE Custody

ANXONE provides digital asset custody solutions supported by an extensive insurance policy covering digital asset wallets maintained in our air-gapped infrastructure. Our insurance policy is underwritten by a panel of London insurers with S&P ratings of A or better and arranged by Aon.

Learn more about how ANXONE Custody can bring value to your digital asset storage needs. Contact custody@anxone.io for an in-depth discussion today.

[1] https://www.spglobal.com/marketintelligence/en/news-insights/trending/AjKSJXeoK5XYf9Wd1x1ypw2

[2] https://www.forbes.com/sites/startupnationcentral/2019/05/22/whats-missing-from-crypto-insurance-that-makes-sense/#5a21839d60ae

[3] https://www.davispolk.com/files/20160728_tch_white_paper_the_custody_services_of_banks.pdf