Ever since the introduction of bitcoin in 2009, cryptocurrencies have become increasingly relevant to business transactions over the internet. Blockchain technology does afford additional protections to businesses using cryptocurrencies, but bitcoin, Ethereum and other cryptocurrencies represent value, and are at risk of loss, just like any other currency or asset. Insurers are in the formative stages of addressing these emerging risks, but there are still avenues, as well as new insurance products, to protect your virtual assets.
Bitcoin is an open source public payment system operating over the internet. It was designed to bypass the central bank model by using peer-to-peer technology. [For more information about bitcoin and blockchain technology, see “Treatment of Bitcoin Under U.S. Property Law.”] Use of cryptocurrency involves what is known as public key cryptography, which uses digital signatures to secure information. Basically, the signatures consist of a public key (known to everyone) and a private key known only by the cryptocurrency owner. The private key is required to access and use the cryptocurrency. As such, the protection of those private keys is critical. Such keys can be lost or stolen. Is there coverage in the event of an inadvertent loss, a mistake or a hacking incident?
To the extent cryptocurrencies like bitcoin are characterized as the equivalent of money or securities (e.g., by a court or regulatory authority), then traditional forms of insurance coverage—like D&O, cyber, E&O and commercial crime insurance—should respond to losses faced by those owning and using cryptocurrency in their transactions.
But, given the conflicting views about how to characterize assets like bitcoin (e.g., currency vs. commodity), and because of the unique structure for owning and using such assets, there continues to be uncertainty about whether traditional forms of insurance will properly respond.
Here are some insurance-related suggestions for any business that plans to use cryptocurrency in its business:
- Make sure your cyber policy is broad enough to include triggering events that relate to bitcoin or other cryptocurrency transactions. For example, since the ownership and use of private keys is so central to bitcoin transactions, the definition of a claim event triggering the insurer’s obligation to investigate, to fund remedial efforts, to provide notice to affected persons and to defend against claims must be broad enough to include the disclosure of confidential private key information or damage to the private key owner’s security system.
- Commercial crime policies and financial institution bonds insure against the loss of assets caused by criminal or fraudulent activities, including employee dishonesty. At least one insurer has offered an endorsement to its policy that specifically includes “bitcoins” in the policy definition of “money.” Also, check the causation requirements of the policy. To the extent coverage is limited to direct actions by third-party hackers, then your coverage may not respond to those situations—like a phishing attack—where a company employee is unknowingly controlled by an outside hacker. Bitpay’s insurer denied coverage based on such a reading of a crime policy. Bitpay v. Massachusetts Bay Ins. Co., Case No. 15-03238 (N.D. Ga.).
- It appears that bitcoin has become a favored currency for criminals responsible for ransomware, kidnaping and various forms of extortion. Kidnap and ransom insurance, as well as many cyber policies, provide indemnity for ransoms that must be paid to such extortionists. Check your policies to make sure that bitcoin is included as a currency subject to indemnification, and if possible, seek to include bitcoin expressly within the definition of money or currency.
As noted above, the insurance industry is responding to changes in the market by developing specialized products with cryptocurrency in mind. If your company is planning to provide bitcoin-related services or join the growing number of companies using cryptocurrency in its e-commerce, then you would be well-advised to consult with your broker about new professional liability, cyber and commercial crime policies that may be available.
At the very least, if your business could be using cryptocurrency in future transactions, you should carefully review traditional insurance provisions to determine whether definitions of things like “money” can be modified in your renewal or enhanced by an express endorsement.