Cryptoassets and insurance

Answer

The cryptoasset market capitalisation stands at $1.2 trillion. With the epidemic of crypto fraud on the rise with more than 40% increase in the past year to £306 million, there’s a growing demand for crypto insurance as traditional financial institutions are offering crypto products and services, and companies are beginning to accept cryptocurrency as a form of payment. This rise of crypto has led to an uplift in claims against directors and officers of crypto companies and has also seen crypto companies seek cover under their cyber policies. Liability in the crypto space arises in losses from cybercrime, scams, malicious hacks, thefts and breaches by directors and officers of crypto companies. Crypto insurance can help to mitigate these losses.

Regulatory and legislative position

The regulatory uncertainty of the crypto market has made insurers reluctant to underwrite directors’ and officers’ (D&O) and cyber policies. Despite the regulatory uncertainty, on 23 May 2023, the international securities watchdog, the International Organization of Securities Commissions (IOSCO) (which includes the US Securities and Exchange Commission, Japan’s Financial Services Agency, Britain’s Financial Conduct Authority, Germany’s BaFin and more) unveiled the first global approach to regulating cryptoasset and digital markets. As regulation improves, there’ll be a great opportunity here for those that want to provide cover for crypto and other digital assets to improve the financial infrastructure of the future.

The UK Parliament also recently voted on the amendment to the Financial Services and Markets Act 2000 to include stablecoins and cryptoassets within its scope. The Financial Services and Markets Bill (which contains the proposed amendments) is awaiting Royal Assent and the Bill will come into force as a law. The UK’s HM Treasury has planned a phased approach to regulating cryptoassets, which involves:

• stablecoins and cryptoassets used for payments; and
• a regime to regulate broader cryptoasset activities including the trading of cryptoassets.

These are among some of the examples of the proactive steps being taken in the UK to ensure the compliance and security of cryptoassets.

Crypto-based insurance cover

A limited number of insurers currently provide cover for crypto-based risks, but most don’t expressly address such risks. Cryptoasset-related losses may be covered under cyber indemnity insurance or D&O liability insurance policies D&O policies provide coverage for shareholder and third-party claims against directors and officers, and their companies and organisations for alleged wrongdoing. In this instance, coverage would be provided for directors and officers of crypto companies and organisations where their duty has been breached. However, cover doesn’t always respond to cases of crypto fraud and criminal acts. Policies and its definitions of ‘claim’ and ‘loss’ would need to be assessed to determine cover, along with the wider wording of the policy and nature of the loss. Limited coverage may also be provided for regulatory investigations of the individual D&Os brought by regulatory bodies such as the US’ Securities and Exchange Commission, UK’s Financial Conduct Authority and the Dubai Financial Services Authority.

Crypto-related cyber indemnity insurance provides first-party and third-party cover policies against cybersecurity breaches and its associated losses involving blockchain technology. This is a separate insurance cover for instances of hacking, security breaches and theft of crypto wallets. For example, ransomware threats and phishing attacks on crypto can occur. Cryptocurrency wallets typically contain a public address on the blockchain network and a private key with access to the wallet that can be managed through cloud storage providers such as Binance and Coinbase or cold storage wallets (ie, offline storage). Cyber policies for crypto also provide cover for claims arising from the unauthorised use, access to wallets and loss of electronic data from the provider’s network including crypto custodians.

Despite cryptoassets being protected by a private key, claims can also arise from phishing attacks as cryptoassets can be irreversibly moved and difficult to trace. Cyber insurance policies can therefore provide cover for data recovery, crisis management and business interruption in instances where cryptoassets and its data have been moved. However, the professional lines, commercial crime and property policies may also be available to cover for hacks and thefts.

Risks and underwriting challenges

Typically, it’s difficult to provide cover for crypto and other digital assets where little is known about how decentralised technology works, the identity of hackers, the price volatility of cryptoassets and the high risks associated with crypto. Lack of data for cryptocurrency trading, and historical claims data makes it necessary for insurance underwriters take a careful approach to assess and price risk. Due to the perceived risks and a lack of historical data on cryptocurrency losses, coupled with the lack of regulation, the rates for crypto-related D&O policies are already high and the FTX collapse is likely to lead to even higher premium rates. Consequently, underwriters may tighten their underwriting in view of anything cryptoasset related. However, the demand for crypto-based insurance will continue to increase as crypto companies and organisations expand their offering of crypto products and services.

As a result, the underwriters in the Lloyds of London insurance market are likely to require more transparency from crypto companies and crypto-related businesses, as well as ensuring that they report on their exposure to collapsed cryptocurrency companies. Underwriters will use this information to potentially deny or limit coverage. This could potentially leave digital currency traders and exchanges uninsured from cybercrimes, thefts or claims, especially as the recovery of cryptoassets is difficult. But it may also encourage crypto companies and organisations to seek cyber insurance policies that may cover such risks. Crypto businesses that use or accept cryptocurrency will need to seek confirmation that their existing policies will respond to claims involving cryptocurrencies.

With the heightened regulation following the collapse of various crypto companies, cryptoasset services will likely need to demonstrate that they have risk prevention controls in place such as corporate security controls and governance. More importantly, they’ll likely need to demonstrate coverage should they fail to adhere to regulations. Where policies are available these tend to be limited by strict policy wordings and conditions. Depending on the D&O and cyber covers, policies will likely need to expressly state the scope and limitations of cover for risks involving digital assets. Insurers and lawyers in this space will need to review policies as further issues in the crypto market such as price volatility are highlighted to ensure that unintended covers are excluded.

Looking forward at the future of crypto insurance

While there’s coverage available for cryptoassets standalone policies or commercial crime cover against thefts of crypto assets, the fall of FTX has amplified concerns for insurers. Insurers are likely to be more cautious about underwriting risks in the crypto market, especially without the existence of more comprehensive regulation. The lack of regulation and legislation for cryptoassets is an evolving area that’ll see the cryptoasset ecosystem be given more certainty and protection. There’s no doubt that with a significant number of crypto companies and investors, insurers will be exploring the crypto-insurance products market. It’s clear that the regulatory environment for cryptoassets will likely be on insurers’ watch lists.

Neide Lemos is a trainee solicitor at Clyde & Co LLP.