As prior posts on this blog have noted (most recently here), the rise of cryptocurrencies is one of the most important and interesting recent developments in the financial arena. The rise of cryptocurrencies presents a number of challenges. Among the challenges is providing appropriate insurance solutions for cryptocurrency companies. In the following guest post, Karen Boto, a Legal Director at Clyde & Co law firm, takes a look at these cryptocurrency-related insurance issues. A version of this article was previously published as a Clyde & Co client alert. I would like to thank Karen for her willingness to allow me to publish her article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to readers. Please contact me directly if you would like to submit a guest post. Here is Karen’s article.
As with any new exposures, cryptocurrencies bring with them new insurance needs. Whilst the premium earned from cryptocurrency businesses is modest, to date, insurers are beginning to accept this as an area of possible organic growth and they are seriously considering the risks versus rewards of underwriting crypto-related businesses.
What is blockchain and cryptocurrency?
Blockchain is a digital ledger of records, called blocks. Every block links to a previous block (the chain) containing an individual time and date stamp. The ledger records transactions chronologically and publicly in a distributed network. The transactions cannot be copied or reversed, meaning that the ledger is virtually incorruptible. It is a decentralised network, self-managed by the various parties engaged in the transaction, who all verify the information provided. Put simply, it is a sophisticated spreadsheet that is duplicated thousands of times across multiple computers, which is constantly reconciled and updated.
Blockchain has attracted considerable support over recent years since it does not require coordination from an intermediary i.e. a central bank or administrator. As there is no central location, it is harder to hack since the information exists simultaneously in millions of places.
The first blockchain was developed as the supporting ledger for bitcoin, the first cryptocurrency created in 2009. The underlying blockchain technology now has multiple applications outside of cryptocurrencies.
Cryptocurrencies are essentially a form of electronic cash. It is important to note that in this new and fast-developing area, there is no consensus as to terminology and that this adds to the risk environment. Broadly, there is a distinction between pure cryptocurrencies, which act as stores of value, units of account and/or mediums of exchange akin to traditional (or fiat) currencies; and cryptotokens which – again utilising blockchain – serve as digital assets for use only within a specific network or platform (and not sharing the traditional qualities of a currency as a medium of exchange, unit of account or a store of value). We focus here on cryptocurrencies.
Cryptocurrencies can offer a low cost, relatively fast means of transferring value across the globe anonymously. They present an attractive alternative to the established banking and money transfer systems, which typically require bank accounts and the payment of transaction fees.
Whilst bitcoin remains the most established form of cryptocurrency, many alternative digital currencies have now entered the market. Most of these operate using blockchain technology.
This developing technology, and the volatility of the price of bitcoin, has resulted in the public forming strong views over the long term viability of digital currencies generally.
As bitcoin is not guaranteed by a central bank or government, its value is based purely on its popularity at any given time. Although it has been described by some as “the money of the future”, others firmly believe it to be nothing more than an economic bubble.
Regardless of these opposing views, and bitcoin’s turbulent ride so far in 2018, its value has recently bounced back. Shortly after its creation, bitcoin was valued at a mere $0.8 per coin. Its value escalated to a staggering $20,000 per coin during late 2017, reaching its highest value to date. Although the market is still prone to high volatility, it is currently trading at around $6,250 per coin.
Considering recent developments and trends, it appears that cryptocurrencies – in their various guises – are here to stay, at least for the foreseeable future.
New crypto-related businesses are continuously being developed. They typically have one of the following functions (or deploy a mixture of them):
Security: developing and selling hardware and/or software to keep the crypto holdings secure.
Custody: offering custodial services i.e. third parties who protect and keep safe crypto assets.
Money transfers: offering services that allow users to transfer value to each other anywhere in the world instantly.
Exchange and investments: offering a secure trading environment to buy, sell and invest in cryptocurrencies.
As more applications are being designed and implemented utilising blockchain technology, the risks to businesses providing crypto related services, as well as those using and accepting cryptocurrency in their e-commerce, are naturally increasing. Whilst the blockchain technology, itself, offers additional protection to businesses using bitcoin (and alternatives), cryptocurrencies do represent value and are, therefore, at risk of loss, like any other currency or asset.
The risks include both acts of a deliberate nature, as well as unintentional acts, such as: (i) cyber-crime, hacking, theft or fraud; (ii) technological malfunctions, network issues or user errors; and (iii) use of crypto-currency to support criminal activity, particularly where transactions involve decentralised and/or anonymous actors.
As cryptocurrencies have characteristics of both a digital asset and a network, it is easy to see why they are an attractive target for cyber-attacks. Indeed, cryptocurrency investors have already lost millions from high profile hacks during the first part of 2018.
To deal with cryptocurrencies, a digital signature is required to secure the information and process the transaction. This digital signature consists of a public key, known to everyone, and a private key known only to the cryptocurrency owner. The private key is required to withdraw and transfer the cryptocurrency, rendering protection of the private key imperative.
In the event of a hack, the stolen data (i.e. the private key) has an instant value, allowing the hacker to make immediate transfers. Due to the manner in which blockchain operates, the transactions are irreversible and completely anonymous.
Blockchain security firm CipherTrace recently reported that USD 731m worth of cryptocurrencies were stolen from crypto exchanges in the first half of 2018, with an expectation that losses could reach USD 1.5bn by the end of 2018. This compares with losses resulting from security breaches of crypto exchanges of approximately USD 266m for 2017.
Unsurprisingly, the staggering size of these losses is causing investors concern over security measures implemented by crypto trading platforms, in particular.
Two of the biggest hacks in 2018 concerned Coincheck, in Japan, and Coinrail, in South Korea. Both allegedly stored unusually large amounts of cryptocurrency in their “hot wallets” (i.e. the online wallets connected to the internet), instead of “cold wallets” (i.e. those stored offline). This made it easier for hackers to steal large amounts, immediately upon accessing the platform.
With the spotlight currently focused on crypto thefts, and the problem looking unlikely to go away anytime soon, regulators worldwide are actively engaging on what preventative measures are necessary.
Various measures are being considered globally, as regulators strive to strike a balance between providing protection for investors and consumers without stifling innovation.
The new European Union Anti-Money Laundering Directive (“5AMLD”), which entered into force on 9 July 2018, is one example of the pro-active steps being taken globally. 5AMLD looks to bring cryptocurrencies within the scope of traditional anti-money laundering and counter-terrorist financing requirements. Specifically, it introduces measures to increase transparency around cryptocurrency exchanges and custodian wallet providers where traders buy, sell and store virtual currencies. Member States of the EU are obliged to implement the new provisions into national law by 10 January 2020.
Accordingly, as the industry takes steps to adapt to become more secure, many leading insurers are considering whether they can play a role in the risk management process.
There is, understandably, nervousness surrounding risks associated with the cryptocurrency market. Cryptocurrencies remain in early stages of development and acceptance and have been publicly associated with criminal activities, receiving negative media attention.
Accordingly, the insurance market remains divided over the question of whether to insure cryptocurrency businesses, and, if so, on what precise terms.
It is first worth considering the level of coverage which might be available in the event of inadvertent loss of cryptocurrency, a mistake or a hacking incident.
To the extent cryptocurrencies are characterised as the equivalent of “money” or “securities” traditional forms of cover like Crime, Directors & Officers (D&O) and Cyber policies might respond to losses sustained by cryptocurrency owners. However, currently there are strong conflicting views as to how to characterise digital assets with the current school of thought swinging in favour of them being deemed a commodity. If this is correct, traditional policies may not respond in their current form. As highlighted above, the broad distinction between cryptocurrencies and cryptotokens is important and an understanding of the basis of each asset is required.
This uncertainty has led to an increased number of requests being made of London Market insurers for amendments to be made to traditional lines of cover in order to provide, or clarify, the extent of insurance available.
Businesses that are using/accepting cryptocurrency are typically seeking confirmation that existing policies will respond to claims involving cryptocurrencies, for example, by ensuring that the definition of “money” in a Crime policy covers cryptocurrencies. Also, due to the sophistication of cryptocurrency hacks (which often require assistance of an insider with details of private keys), businesses are keen to ensure that cover is provided for the dishonest acts of employees.
Whilst cover may be provided through specific endorsements, a handful of London Market insurers are also offering standalone cryptocurrency insurance policies.
However, the exact form of the cover being offered differs from insurer to insurer and will depend very much on the nature of the underlying business.
For example, crypto exchanges are seeking protection against heists, given the large amount of investors that use their platforms. Whilst some consider these businesses to be large enough to absorb such investor losses, others consider that insurance is only being sought in an attempt to legitimise the reputation of the industry.
There is also potential for insurance products to be offered to custodians regarding their storage capabilities and the cryptocurrency held in digital wallets and/or vaults. It seems that, again, the cover on offer varies considerably.
Some insurers are only covering “hot” wallets rather than “cold” wallets, as it is expected that the amount of cryptocurrency held in hot wallets will be lower in value than cold wallets, for obvious security reasons i.e. if a hack occurs, access to a connected hot wallet will be far easier. Others are sub-limiting the level of indemnity available.
One of the current issues within the blockchain and crypto world is that of governance of the platforms and networks. The protocols which govern many cryptocurrencies are akin to constitutions setting out how such currencies can be altered. As was seen in the DAO fork of the Ethereum network in 2016, this can often be to the detriment of some classes of holders of the coins which has implications for insurers providing cover. We have not seen these considerations reflected in any policy wordings. It may be difficult to ascertain what is a technological ‘malfunction’ and a legitimate correction of flaws in the code.
More crypto start-ups are also viewing insurance as essential to provide protection against cyber attacks and theft, as well as for legal actions against D&Os. Many start-ups are raising funds digitally via Initial Coin Offerings (ICOs) and are consequently looking for cover for ICO related risks.
ICOs bring with them their own risks. It is noteworthy that they do remain unregulated and there has been a marked increase in the number of securities filings in the USA, relating to ICOs, this year. There is a growing concern that some issuers are not using the funds as advertised.
Risk versus reward
For insurers entering the crypto space, the obvious challenge is how to cover these risks in circumstances where little is known about the investors, and where few fully understand the technology being used.
Due to its infancy, and in absence of clear regulatory framework, the insurance industry lacks critical historic data that underwriters would normally rely upon to price and assess risks, and form decisions concerning the scope of cover.
Nevertheless, despite these challenges, insurers choosing to offer protection in this emerging market are benefiting. For example, the annual premiums earned reportedly gulf those offered to other businesses for similar covers. Premiums for crypto policies have been reported as being between 2-5% of the limits of indemnity.
Despite the new opportunities that crypto assets present, insurers entering this market are advised to do so cautiously. Indeed, on 6 July 2018, Lloyd’s of London issued a warning to all its managing agents to “proceed with a level of caution”.
Underwriters should not underestimate the level of due diligence required, should they choose to explore this opportunity; the risks are, after all, experimental companies employing experimental technology.
It is likely that underwriters will need to heavily scrutinise the prospective insured’s security and storage procedures, the scale of their operations through to the integrity of people involved in the business. Underwriters will also need to consider the impact of wider issues and trends, such as the risks of hacking and financial crimes, and will need a clear understanding of the underlying technologies and the implications of developments and changes to such technologies as they mature.
Additionally, any policies issued must, of course, be compliant with any applicable laws and regulations, which are quickly evolving worldwide.
In order to limit insurers’ exposure, it is advisable that any policy issued should be for a specified term, with fixed limits of indemnity (or sub-limits where appropriate), in legal tender. They should contain a clearly defined method of valuation clause to calculate loss of cryptocurrency.
The crypto space is clearly maturing and is certainly one to watch with interest. Cryptocurrencies and blockchain undoubtedly represent potential areas of growth for the insurance industry. However, it remains to be seen whether the insurance demands increase and whether, as the industry and regulation becomes more stable, insurers’ appetites to write such risks also expand. What should be clear is that detailed knowledge and a full understanding of the relevant asset or platform is required rather than a one size fits all approach.