According to ZDNet, hackers successfully breached eleven major cryptocurrency exchanges in 2019 and stole more than $283 million worth of cryptocurrency. We should expect this number to increase in 2020, as governments and cybersecurity experts warn that hackers will seek to take advantage of the coronavirus crisis to infiltrate corporations, and as a vast number of employees move to teleworking. Specifically, cryptocurrency owners who maintain “hot wallets” should be particularly vigilant in protecting their assets because hot wallets are more vulnerable to theft and may not be covered by current insurance policies. Lloyd’s of London, however, recently announced the development of a new policy that will provide coverage for hot wallets. This blog has previously discussed the insurance industry’s attempts to develop new policies and endorsements to cover risks related to the cryptocurrency industry. See relevant past articles: Prepare for the Future With Cryptocurrency Insurance and The New Money: Cryptocurrencies and the Role of Insurance.
Back in mid-2018, a spokesperson for Allianz stated that insurance for cryptocurrency storage represented a “big opportunity.” Nevertheless, insurers have been reluctant to take on the risk of covering loss related to hacks of “hot wallets.” A “hot wallet” is a tool, connected to the internet, that permits the owner of cryptocurrency to receive and send tokens. Unlike “cold wallets,” which are not connected to the internet, hot wallets are by definition less secure and susceptible to hackers and technical vulnerabilities. On the flip side, hot wallets have the advantage of providing individuals with quick access to their cryptocurrency. It is common for owners of cryptocurrency to have both hot and cold wallets.
Previously, some large crypto exchange services established insurance funds equivalent to the amount held in their hot wallets to prevent a security breach in the future from affecting the exchange’s operations. For instance, an exchange may allocate a certain percentage of its trading fees to a fund specifically designated to protect its users from theft.
At the beginning of March, Lloyd’s of London announced that its Atrium syndicate had partnered with crypto firm Coincover to provide a liability policy that covers losses due to hacks of hot wallets. The Lloyd’s policy will have a dynamic limit that increases or decreases in line with the price changes of the cryptocurrency. In other words, the insured purportedly will be covered for the full monetary value of their cryptocurrency at the time of the breach or hack. Further, the policy seems to be geared to both retail and corporate insureds, with a minimum requirement of 1,000 British pounds ($1,275) in protected assets.
According to various reports, the coverage protects insureds against losses sustained as a result of theft from their hot wallets, including hacking, phishing scams, malware, insider attacks, device theft, and criminal extortion. However, a significant potential obstacle to coverage is the fact that the policy requires that the breach or attack be verified with local law enforcement authorities. Many local law enforcement agencies may not be prepared or equipped to verify a cyber-attack on a hot wallet. Also, it is not clear whether the policy defines the term “local law enforcement agency,” the meaning and scope of which may become the subject of disputes, as it may mean, e.g., the agency with jurisdiction over the physical location of the mobile phone or computer at the time of the breach, or the agency with jurisdiction over the named insured’s physical address (or have yet another meaning). Additionally, disputes over the timing of the breach are inevitable because the policy covers the fiat value of the cryptocurrency at the date and time of breach, and that value can fluctuate significantly in a short period of time.
Moreover, whether the policy provides meaningful coverage will greatly depend on its exclusionary language. The policy reportedly excludes coverage for a willing yet mistaken transfer of cryptocurrency to a third party, and for direct hardware loss or damage. Further, the policy does not protect against disruption or failure of the blockchain underlying the asset.
Despite the outstanding unknowns related to the Lloyd’s policy, the fact that Lloyd’s has developed it seems to signal the insurance industry’s further acceptance of cryptocurrency markets as legitimate and growing businesses. At this point, other insurers have not indicated whether they will offer similar products. With the cumulative capitalization of cryptocurrencies exceeding $273 billion in 2019, however, there appears to be space in the marketplace for additional providers. In the meantime, corporate investors should discuss with their brokers whether they can obtain similar or bespoke products to cover their cryptocurrency held in hot wallets.