Insurance’s Role in The Regulation of Web3 Through De-Risking

Government-initiated regulation alone will not necessarily be a cure-all to Web3’s problems, including the problem of consumer confidence. The availability of insurance should also have a part to play in improving overall confidence in the sector. Web3 is an interesting case study on the somewhat symbiotic relationship between regulation and insurance. In equal parts, the availability of insurance for Web3-associated entities helps with securing regulatory certainty by creating a ‘de-risked’ perception of the underlying assets and technology, whilst regulatory certainty is precisely what insurers are looking to see in the underwriting process before choosing to write a risk. Whilst insurers have generally treated Web3 as starkly different risks from the traditional financial institutions with whom they are familiar, the examples from insurers who have entered the Web3 market thus far make clear that this is not necessarily the case. The sheer value of the digital asset industry presents a welcome opportunity for insurers worldwide to at the very least explore, with a view to improving the overall perception of the industry and capitalising on the current notable lack of supply and capacity.

By Jessica Chapman^[1]

Cryptocurrency exchanges and other players in the Web3 ecosystem have largely been absent from the insurance market to date. Both regulators and insurers alike have been reticent to engage with this industry, which, despite the plague of regulatory uncertainty, has continued to grow and shift rapidly year on year. The recent public fallout of the downfall of entities like FTX has, however, unsurprisingly prompted calls for greater regulation of the sector to protect, primarily, consumers’ funds in the event of insolvency. However, government-initiated regulation alone will not necessarily be a cure-all to Web3’s problems and the availability of insurance should also have a part to play in improving confidence in the sector. Web3 is an interesting case study on the somewhat symbiotic relationship between regulation and insurance – that is, we appear to be facing a “chicken and egg” scenario whereby the availability of insurance for Web3-associated entities helps with securing regulatory certainty and confidence by de-risking the assets, whilst regulatory certainty is precisely what insurers are looking to see in the underwriting process before writing a risk.

Using cryptocurrencies as an exemplar for the insurance market’s treatment of the Web3 universe, on June 12, 2015, Lloyd’s of London released its seminal report on cryptocurrencies and insurance, Bitcoin: Risk Factors for Insurance, which made clear that cryptocurrencies are muddy waters into which insurers should not yet step.^[2] Lloyd’s of London then issued a directive to all its syndicates in July 2018 warning them to proceed with caution when approached by crypto-asset companies and to ensure any managing agents involved with such companies have relevant expertise to be able to properly assess the risk.^[3] That means the starting point for insurers has always been one of caution. Only a minute fraction of cryptocurrency losses is covered by insurance as things stand, with estimates sitting at approximately less than 1 percent.^[4] By contrast, the market for cryptocurrency insurance is suggested to be worth USD200 to 500 million in annual premium revenue if insurers are willing to step into this burgeoning market.^[5] Marsh has suggested a confluence of factors could increase the value of the insurance market for digital assets even further beyond this with regulatory clarity, adoption of digital assets, decentralized finance and Bitcoin value all on the rise.^[6]

In 2019, insurance coverage options began to become available for individual investors and holders of cryptocurrency, such as via BlockRe, an insurer which offered various policies to crypto-asset holders providing cover for loss or theft of private access keys and hacking, among other things. Specific insurance solutions for the entities involved, however, were few and far between. BlockRe rebranded to Evertas in 2020 and recently became the first specialist cryptoasset insurance provider to become a Lloyd’s cover holder, potentially signaling a broader sea change for the insurance market. Evertas now offers a much broader suite of products to companies and individuals alike which purport to be purpose-built for digital assets.

In the Asia Pacific region, there are wide disparities in whether and how cryptocurrencies and other digital assets are regulated, and initial coin offerings (“ICOs,” being the equivalent of an IPO except in the context of a launch of a cryptocurrency, usually designed for a particular purpose or payment use case) have been particularly controversial. In Australia, for example, the corporate regulator ASIC has issued guidance to the effect that, in most cases, a “crypto-asset” will be treated as a “financial product” for regulatory purposes, and cryptocurrency exchanges may then in turn be treated as “financial markets,” given they facilitate the sale and exchange of cryptocurrencies. If an exchange will be treated as a “financial market,” this means the operator will be required to hold an Australian market license and be subject to the applicable regulatory rules.^[7]

The shift towards more regulatory certainty around the operation of cryptocurrency exchanges and the treatment of cryptocurrencies more generally has been gradual but is ongoing. As recently as August 2022, the Monetary Authority of Singapore for example stepped up its licensing requirements for cryptoasset providers, requiring much more granular information from applicants and with such stringent restrictions that only around 10 of 200 applicants have been successful in receiving regulatory approval. Suffice it to say, the question of the scope of regulation of digital assets, and the extent to which they may be subject to ordinary or expanded rules, in most cases remains open.

That regulatory uncertainty remains despite significant cumulative losses for consumers in the years since cryptocurrency entered popular consciousness. In early 2014, for example, Mt Gox was the largest cryptocurrency exchange in the world, responsible for over 70 percent of all global transactions of Bitcoin. However, by the end of February 2014, it was subject to a large-scale hacking attack and was left bankrupt, with its customers also left without assets or any remedy. The hack was so extensive it affected 740 000 Bitcoins or six per cent of all Bitcoins in existence at the time.^[8] It has been argued by a Canadian academic that this means Mt Gox’s customers were “essentially forced to be an insurance plan for one another, losing property that they owned because someone else’s property was stolen.”^[9] Several years later in January 2018, Tokyo’s Coincheck cryptocurrency exchange reported a cyber theft of about USD534 million worth of coins. A Coincheck representative at the time said, “[i]n a worst-case scenario, we may not be able to return clients’ assets.”^[10] At the time, this was the highest reported loss of cryptocurrencies since their introduction.

It is not surprising in these circumstances that insurers, which are traditionally perceived to be conservative-leaning and risk-averse, have been reticent to enter the market for digital assets. The risks are large and publicized and the entities and underlying technologies themselves widely misunderstood. In the absence of insurance, other cryptocurrency exchanges which have been subject to significant hacks have dealt with the aftermath very differently with a view to protecting consumers independently. For example, Binance, one of the largest global exchanges, suffered a USD40 million theft in early 2019 and did not hold any external insurance policy. Instead, Binance reimbursed customers through its “Secure Asset Fund for Users” (“SAFU”) which it had announced on July 3, 2018. The Asset Fund is funded by diverting 10 per cent of all trading fees into it and operates essentially as self-insurance.^[11] Such significant funds could instead have been diverted to a willing insurer in the form of annual premiums.

By way of a further example, following a large-scale hack, BitFinex replaced 36 per cent of the cryptocurrency held in each customer account, which could not be recovered, with a “token” which could be used to redeem the value at a later date.^[12] Thanks to the rapid surge in the value of Bitcoin, BitFinex was able to repay its customers within a year, however if this had not taken place, customers would have been effectively left in an indefinite lurch awaiting the redemption of their tokens. The risk was placed on customers rather than the exchange itself in order to preserve the existence of the exchange in the short term. Without either regulatory measures or insurance coverage in place to protect consumers, the exchanges were able to respectively develop purpose-built solutions to the problem of a large-scale hack and theft of digital currency. The mere availability of an appropriate insurance product, however, would have minimized the need for these efforts in each case. At the same time, insurance cover also operates as a more traditional risk mitigation measure to improve confidence from regulators and consumers alike.

Since the examples explored above, there have been some recent examples of insurers globally beginning to enter the cryptocurrency insurance market specifically, while other areas of Web3 remain largely untapped. As at early 2018, XL Catlin, Chubb and Mitsui Sumitomo Insurance were reported as providing cover for companies which held cryptocurrencies, but details on what the scope of cover was were thin.^[13] Representatives from AIG have also noted their interest in cryptocurrency theft coverage since as early as 2015, however few policies appear to have been written.^[14]

The first purpose-built insurance solution for crypto-asset providers appears to be Evertas, which was able to raise $5.8M in seed funding in 2021 to grow its portfolio. Frontier Global Underwriting has also entered the Asia Pacific market for Web3 risks, beginning to offer its directors’ and officers’ liability and professional liability products to the Web3 ecosystem, including fund managers, exchanges, custodians and trading platforms. The product is being backed by Relm Insurance.

Whilst insurers have generally treated Web3 as starkly different risks from the traditional financial institutions with whom they are familiar, the examples in the market thus far make clear that this is not necessarily the case. Cover is beginning to be provided for what are traditional risks, such as wrongful acts in providing professional services, third party claims, claims against directors for breach of duty of care. The primary difference is the underwriting process required and the context of the policy terms, including relevant exclusions, rather than the broader product itself. That is, it is largely a matter of underwriters properly understanding their risk appetite and how Web3-associated entities operate in the context of that risk appetite, rather than the strict policy terms themselves.

One example of an area where careful underwriting of these risks is required is the distinction between cover for digital currency held in “hot storage,” which are more vulnerable to hacking, and digital currency held in “cold storage.” Some insurers which have entered the Web3 space have specifically excluded digital currency held in “hot storage” for this reason. Cold storage includes, for example, the secure storage solution created by Custodian Vaults and Decentralised Capital, which essentially is a specialized vault with strong physical security. The companies have successfully obtained an insurance policy for the cryptocurrency held within the vault.^[15] The crypto-assets themselves of course continue to exist on the ephemeral blockchain, but the vault can comprehensively protect the relevant access keys. By contrast, it has been reported that Coinbase, one of the largest current cryptocurrency exchanges, has been able to successfully obtain insurance coverage for all the coins it stores in hot storage, which amounts to two per cent of its overall holdings.^[16]

Independent Reserve became Australia’s first insured cryptocurrency exchange in 2019, underwritten by Lloyd’s of London, which was a significant step forward in the Australian market specifically. The policy is said to cover loss or theft of cryptocurrency from Independent Reserve’s trading accounts only, and not arising from individual customers’ accounts being hacked. Any loss of value resulting from the volatility of cryptocurrency is also explicitly excluded.^[17] However the policy would appear to operate in the same way as a traditional crime policy, with which insurers are already very familiar.

Developments like this may push other insurers to consider how to delve into this market further and what specific aspects of Web3 may fall within their respective risk appetites. Suzanne Barlyn has suggested that annual premiums for a standard USD10 million in theft coverage would typically be around USD200 000. This is essentially double the approximately one per cent premium which would ordinarily be typical for traditional financial institution insureds.^[18] In this context, despite potential increased risks, there is equally the potential for much profit to be made, treading carefully.

The fact that there is only a short list of cryptocurrency-related companies which have successfully obtained insurance coverage for their cryptocurrency holdings indicates that this is just the tip of the iceberg of opportunities available for insurers, and there remains a bustling market of companies looking for insurance. I consider the benefit of insurance in the context of Web3 specifically is two-fold, with both benefits of equal importance for the long-term health of the Web3 ecosystem: to bolster their risk management practices as well as their attractiveness to regulators. This can be seen on the scale of individual entities and more broadly. As insurance becomes more commonplace for such entities, overall stability and confidence for consumers and regulators alike will improve.

Like all other insurance products, insurers must ensure they are across all these risks – and what questions to ask – when assessing the appropriateness of the measures taken by the prospective insured. Premiums offered by insurers can fluctuate based upon the security measures adopted by the prospective insured. This approach has already been seen in insurers charging far more for coverage for hot wallet exposures as opposed to coverage for cold storage alone.

Quite apart from security issues and insurers undertaking extensive due diligence prior to extending cover to an insured cryptocurrency exchange, there are also issues arising from the valuation of cryptocurrencies given their volatility. For example, it has been argued by customers that the Mt Gox CEO, Mark Karpeles, continues to own a significant number of Bitcoins which he ought to repay to creditors. However, he is only required to repay them at the Bitcoin price as at 2014, which suffice it to say was much lower than it is now. This means Mr. Karpeles may ultimately receive an unfair benefit from the bankruptcy proceedings. Insurers will also face the question of how to quantify claims and what cryptocurrency valuation ought to apply to any payments made to insureds.^[19] Coinbase, which holds an insurance policy underwritten by Lloyd’s of London, has argued that this issue would be ameliorated by insurers holding crypto-assets themselves and offering policy limits denominated at first instance in cryptocurrency.^[20]

The sheer value of the digital asset industry presents a welcome opportunity for insurers worldwide to at the very least explore. I argue that, in doing so, insurers will contribute to the overall stability of the Web3 ecosystem and assist in moving these entities as assets towards greater regulatory certainty. Although there are inevitable risks associated with providing cover to cryptocurrency exchanges and other related companies holding cryptocurrencies or other digital assets, these can be mitigated in several ways. Insurers considering entering this burgeoning industry should consider holding their own crypto-assets and accordingly writing policy limits in cryptocurrency as opposed to fiat currency. In addition, insurers must be willing to undertake in-depth due diligence on prospective insureds’ approaches to cybersecurity, governance and storage, with the assistance of underwriters with specialist technical expertise. The large amounts of cover required for the key players in Web3 worldwide will likely require the participation of multiple international insurers to ensure the risk is appropriately diversified and the industry remains profitable despite the significant risks associated with it.

The industry to date has otherwise been characterized by huge demand, but a notable lack of supply and capacity, coupled with an utter lack of regulatory certainty, including across different jurisdictions around the world. The movement of insurers and regulators together in the coming years can only benefit the participants in Web3, whether that be innovative FinTech or RegTech entities, cryptocurrency exchanges, NFT issuers, individual investors or consumers or otherwise, and result in an overall “de-risking” of the various pieces forming part of Web3.

[1] Senior Associate at Wotton + Kearney, Sydney.

[2] Lloyd’s of London, “Emerging Risk Report – Bitcoin: Risk Factors for Insurance” (Report, 2015).

[3] Ian Allison, “Lloyd’s of London Makes Quiet Entrance into Crypto Insurance Market” (August 28, 2018) CoinDesk https://www.coindesk.com/lloyds-of-london-makes-quiet-entrance-into-crypto-insurance-market.

[4] Ian Allison, “The Crypto Insurance Market MayTotal $6 Billion. That’s Nowhere Near Enough,” CoinDesk, November 21, 2018, http://www.coindesk.com/markets/2018/11/21/the-crypto-insurance-market-may-total-6-billion-thats-nowhere-near-enough/.

[5] Ana Alexandre, “Crypto Insurance Market to Grow, Lloyd’s of London and Aon to Lead” (September 5, 2019) CoinTelegraph https://cointelegraph.com/news/crypto-insurance-market-to-grow-lloyds-of-london-and-aon-to-lead; Jeff Kauflin, “Lloyd’s of London, Aon and Others Poised to Profit from Cryptocurrency Hacker Insurance” (September 5, 2019) Forbes https://www.forbes.com/sites/jeffkauflin/2019/09/05/lloyds-of-london-aon-and-others-poised-to-profit-from-cryptocurrency-hacker-insurance/#698ba67732aa.

[6] Marsh McLennan, “Will Web3 Reinvent Insurance?” (2021) https://www.marshmclennan.com/content/dam/mmc-web/insights/publications/2022/october/ow-web3insurance.pdf.

[7] “Initial Coin Offerings and Crypto-Assets” (May 2019) ASIC https://asic.gov.au/regulatory-resources/digital-transformation/initial-coin-offerings-and-crypto-assets/#part-d.

[8] Andrew Norry, “The History of the Mt Gox Hack: Bitcoin’s Biggest Heist” (June 7, 2019) Blockonomi https://blockonomi.com/mt-gox-hack/.

[9] MaryGrace Johnstone, “Catch Me If You Can: Resolving Bitcoin Disputes with Class Actions” (2019) 15(1) The Canadian Class Action Review 45, 58.

[10] “Coincheck: World’s Biggest Ever Digital Currency ‘Theft’” (January 27, 2018) BBC https://www.bbc.com/news/world-asia-42845505.

[11] “Secure Asset Fund for Users (SAFU),” Binance https://www.binance.vision/glossary/secure-asset-fund-for-users.

[12] Clare Baldwin, “Bitfinex exchange customers to get 36 percent haircut, debt token” (August 7, 2016) Reuters https://www.reuters.com/article/us-bitfinex-hacked-hongkong-idUSKCN10I06H.

[13] Suzanne Barlyn, “Insurers Begin to Offer Cryptocurrency Theft Cover, Tackling Risks of Growing Sector” (February 1, 2018) Insurance Journal https://www.insurancejournal.com/news/international/2018/02/01/479202.htm.

[14] Suzanne Barlyn, “Insurers Begin to Offer Cryptocurrency Theft Cover, Tackling Risks of Growing Sector” (February 1, 2018) Insurance Journal https://www.insurancejournal.com/news/international/2018/02/01/479202.htm.

[15] Andrew Munro, “Meet Australia’s First Insured High Security Cryptocurrency Vault” (July 16, 2018) Finder https://www.finder.com.au/meet-australias-first-insured-high-security-cryptocurrency-vault.

[16] Suzanne Barlyn, “Insurers Begin to Offer Cryptocurrency Theft Cover, Tackling Risks of Growing Sector” (February 1, 2018) Insurance Journal https://www.insurancejournal.com/news/international/2018/02/01/479202.htm.

[17] Andrew Munro, “Independent Reserve is now Australia’s first insured cryptocurrency exchange” (February 5, 2019) Finder https://www.finder.com.au/independent-reserve-is-now-australias-first-insured-cryptocurrency-exchange.

[18] Suzanne Barlyn, “Insurers Begin to Offer Cryptocurrency Theft Cover, Tackling Risks of Growing Sector” (February 1, 2018) Insurance Journal https://www.insurancejournal.com/news/international/2018/02/01/479202.htm.

[19] MaryGrace Johnstone, “Catch Me If You Can: Resolving Bitcoin Disputes with Class Actions” (2019) 15(1) The Canadian Class Action Review 45, 57.

[20] Philip Martin, “On Insurance and Cryptocurrency” (April 3, 2019) Coinbase https://blog.coinbase.com/on-insurance-and-cryptocurrency-d6db86ba40bd.