For approximately the past decade, cryptocurrencies were used by those who wanted to transact business anonymously and without oversight or restrictions imposed by any governmental authority.  More recently, the concept of cryptocurrencies has been used to raise capital outside of traditional financial structures.  Indeed, the rise of raising money through the issuance of “virtual tokens” using “Initial Coin Offerings” (“ICOs”) has caused a sharp rise in the prevalence and market value of cryptocurrencies.

Those involved with cryptocurrencies believe that their virtues include stronger security against theft, easier transactions, and insulation from government-induced currency fluctuations, among other things.  But the inescapable reality is that hackers, technical errors, and fraud happen.  In addition, regulators have been taking notice and have been attempting to flex their authority, although the manner in which any given regulation applies to cryptocurrencies is far from certain.  One thing that is certain, is that the cryptocurrency “industry” poses unique and evolving risk.  Given this, the insurance industry is also engaged in attempting address the needs of this emerging market, although underwriters can be expected to rigorously assess the risks posed, and insurance procurement can be a challenge for some.

Regardless, the following is a list of questions that any company engaged in this space should ask itself to determine the lines of insurance it might need and which it should consider.

Does the company need Cyber Insurance?

  1. Does the company provide a technology service that might be subject to errors and omissions? For example, a crypto-currency exchange provides a service to its customers that could be subject to mistake that causes a loss.
  2. Is there a risk of a privacy breach or breach of privacy regulations?
  3. Is there a risk of a security breach with respect to third parties that results in one of the following:
    1. Corruption, destruction or deletion of a third-party’s electronic data?
    2. Disclosure of a third party’s private information?
    3. Theft of a third party’s data?
    4. Failure to prevent the transmission of malicious code into a third party’s network?
  4. Is there a risk of a threat of cyber extortion, such as:
    1. A threat to introduce into, or activate malicious code in, a computer system?
    2. A threat that someone will interrupt a computer system?
    3. A threat that someone will damage or destroy a computer system?
    4. A threat that someone will improperly utilize a computer system or disrupt a network?
  5. Is there a risk that some “network” disruption will cause a loss of business income?

Does the company need Commercial Crime Insurance?

  1. Is there a risk of employee theft?
  2. Is there a risk of vendor theft?
  3. Is there a possibility of loss of money or securities through a fraudulent electronic transfer?
  4. Is there a risk of “identity fraud” – using a company’s or a person’s identity to commit a crime?

Does the company need Director’s & Officer’s Liability Insurance?

  1. Is there a risk that a shareholder or investor will allege that an officer or director was guilty of omissions, misstatements, misleading statements, neglect, or breach of duty that resulted in a decrease in the value of stock or other assets such as, possibly, a token?
  2. Is there a risk that a shareholder or investor will bring a claim against the company alleging actual or alleged omissions, misstatements, misleading statements, neglect, or breach of duty that violated securities laws and thereby caused a decrease in value of stock or other assets such as, possibly, a token?
  3. Is there a risk that a shareholder or investor will demand that the company investigate itself for some corporate wrongdoing for the purposes of determining whether the company should prosecute a derivative action?
  4. Is there a risk that a governmental enforcement authority (e.g., SEC, FinCEN) will demand an interview of an officer or director for the purposes of investigating a possible regulatory or other legal violation?

Does the company need Kidnap & Ransom Insurance for some employees?

  1. If company employees, particularly directors and officers, travel with “cold storage” wallets (i.e., wallets that are not on-line but, rather, on thumb-drives, etc.), there could be a risk of kidnap or extortion in some regions.

This is, of course, is not meant to present an exhaustive list of all of the types of insurance that any company might need.  Those determinations can only be made after a very specific assessment of the role that a company is playing in the crypto-currency space and the risks that it faces. Further, there are nuances to all of these lines of coverage, and the specific coverage provided varies among different insurers.  In addition, all companies engaged in the crypto-currency space should expect to undergo fairly rigorous scrutiny by insurance underwriters who will seek to determine, for example, whether a company is at least attempting to be compliant with potentially-applicable regulations and has appropriate safe-guards in place, such as a data security incident response plan.