The rise of the crypto machine and the future of digital asset insurance?
Updated: Jun 21
Rise of the crypto machine
The market capitalisation of global cryptocurrency has grown 22,000% over the past 5 years. That monumental rise is the largest of any asset class in history. In 2021 overall transaction volume surpassed $15.8 trillion - up 567% on the year before.
The recent volatility has resulted in these figures taking a significant hit, but Raoul Pal, former Goldman Sachs hedge fund manager and portfolio manager at one of the world's largest hedge fund firms, thinks there is a reasonable chance the market cap could hit $250 trillion by 2030.
The world's largest hedge fund, Bridgewater Associates, has reportedly begun plans to start a crypto asset fund. Its founder and investment manager, Ray Dalio, who was once a sceptic of crypto assets, personally got into the mix by taking a Bitcoin position.
Source: CoinShares; digital asset fund flow, weekly report.
And, in case you’re wondering if the recent significant price drop in crypto is putting people off, we recently (9th May) saw record weekly inflows from institutional investment into digital asset investments, with record inflows for the year totalling £274m in a week. In fact, the ‘total value locked’ in dollars in smart contracts would represent the 31st largest US bank for total assets under management. The latest degree of price volatility is not unprecedented if you look back over the history of Bitcoin. For example, in 2018 Bitcoin lost over 80% of its value from the previous high. It serves as a reminder that we are still in the advent of crypto.
However, even regulators are finally engaging. After years of kicking the can down the road, the UK announced plans to recognise some cryptocurrencies as an official form of payment. According to a White House statement, over 100 countries are exploring or piloting a digital form of their sovereign currency. President Joe Biden signed an executive order calling on federal agencies to examine the risks and benefits of cryptocurrencies and explore a U.S. Central Bank Digital Currency.
The association with criminal activities is diminishing as the holding of crypto assets becomes more mainstream. Banks are also joining the party; Commonwealth Bank announced its customers will be able to buy, sell and hold crypto assets directly through the bank’s app, sitting alongside customers’ savings and credit accounts.
With sophisticated investors now joining evangelists and enthusiasts in holding significant digital assets as they continue their emergence into the mainstream, a logical next question is if and how such assets can be insured. Over a series of interviews in researching this article I came across a similar message related to demand for digital asset insurance.
Freddie Palmer, the Head of Blockchain and Digital Asset Risk Transfer at Howdens, explains:
"Five years ago I was brokering management liability insurance for the investment industry when I received my first inquiry looking for liability insurance for a bitcoin mining company. Since then interest has steadily grown and these days I get several inquiries per week looking for some sort of digital asset insurance".
Ben Davis, the Digital Asset Team Leader at Superscript tells a similar story;
"Anecdotally, we have never been as busy as we are now with insurers looking to get into the market and brokers and clients looking for cover with an increase in the number and complexity of insurance being sought to cover digital assets".
According to Chainalysis’ crypto crime report for 2022, the biggest risk to the loss of crypto assets is now DeFi platforms. Ten attacks accounted for $1.81 billion of stolen crypto assets in 2021 (of a total of $3 billion stolen). Seven of these targeted DeFi platforms. Attacks on DeFi protocols can be traced back to errors in the smart contract code governing those protocols. Hackers are turning their attention to exploiting vulnerabilities in the software underpinning decentralised networks and smart contract functionality.
Source: Chainalysis: crypto crime report for 2022
Prior to 2021, cryptocurrency theft was primarily due to security breaches (when hackers gain access to victims’ private keys) and theft from centralised exchanges.
Clearly, this is still a major concern. However, theft from DeFi grew 1,330% in 2021, equating to more than $2.3 billion in digital funds stolen from individuals and services. This is almost certainly an underestimate and, for the first time, significantly more than the theft from centralised exchanges.
Importantly, over 50% of the total value stolen from DeFi protocols for 2022 was as a result of exploiting poor quality code. Even more worryingly, 30% of code exploits occurred on audited platforms.
Joseph Ziolkowski, co-founder of Relm, an insurer dedicated to providing international (re)insurance solutions for digital asset/cryptocurrency, is seeing this first hand.
"Coverage for smart contract failure is in demand and is something we have started covering. Right now there is more than $100b worth of crypto assets locked in (held in a smart contract) DeFi. When those contracts work as intended, it’s an amazing thing, providing frictionless transactions that allow users to lend and borrow in a really efficient way. But if the underlying code can be exploited or is of poor quality the consequence could be catastrophic".
Freddie echoes this message:
"Hackers are managing to manipulate smart contracts. Better security protocols will evolve with DeFi as it did for exchanges but it is a central concern right now and many insurers are nervous".
Insuring these digital assets is complicated; it combines multiple perils. These include the theft of wallet keys, scams, ransomware, malware, fraud, code deficiency, security breaches, phishing, key logging, social engineering… the list goes on. Devising insurance policies to cover all of them is not realistic… or is it?
What’s the future of insurance covering digital assets?
On the face of it, the areas that appear prominent in addressing this problem would include:
verifiable internal policies and processes in place to ensure effective wallet management (e.g. multi signatory authority between arms-length independent people) and asset access
effective policies in place regarding the proportion and limits of assets stored on specific wallets with effective distribution of assets and access to the assets.
the proportion of assets held in ‘hot’, ‘warm’ and ‘cold’ storage
effective cyber security
blockchain code and protocol integrity
Central to the problem is the very nature and benefit of blockchain; it’s a decentralised distributed network.
“Once a protocol becomes fully decentralised, when something goes wrong it’s hard to find the throat to choke”
CEO and Co-Founder
"It’s still early days and we are working with insurers to try to better understand the clients' needs and how to manuscript the policies. Insurance of crypto assets doesn’t easily fit into one box as it spans multiple business lines".
Head of Blockchain & Digital Asset Risk Transfers
‘Full industry wide coverage will never be one insurer, it will be a pool of insurers each covering their specialist area of risk’
Team Leader - Digital Assets
Solutions I have found researching potential mechanisms to insure digital assets seem to fall into 4 general categories (see below). Several innovative ‘early provider’ companies have created insurance products to provide some form of protection for crypto assets.
Five years ago the first submissions started to flow from crypto miners looking for D&O and property insurance. Companies such as Superscript have worked to develop specialist E&O and Cyber products with crypto assets central to the liabilities covered.
In an effort to navigate the complexities associated with digital asset insurance, one evolving solution has been to provide cover via official registered custodians of crypto assets (e.g. centralised exchanges, digital asset banks, etc.). By indemnifying registered custodians against the loss of digital assets from client accounts, not only does the custodian have insurance protection but, importantly, the custodian is subject to rigorous risk management and technical scrutiny to be covered in the first place, reassuring the ultimate asset owner.
This means that the insurance company can complete security audits, ensure remediation measures are in place for any identified vulnerabilities, and ensure appropriate processes are in place for wallet management: for example, policies for multi signatory authorisation, distribution of assets across an appropriate number of wallets, management of access to wallet keys, storage of an appropriate proportion of assets in cold storage, etc.
However, there are limitations to this. For example, how do you ensure custodians always follow the processes set out for the secure safe transfer and management of assets?
According to Joe at Relm, relevant audits, security measures and processes are becoming ‘must-haves’ to provide reference points in positioning yourself as a trusted third party custodian. Centralised custodians with whom Relm work tend to be commercial enterprises within regulated jurisdictions, having completed regular security audits (e.g. SOC 2) and complying with established industry standards around information security and with established cybersecurity frameworks for mitigating risk (e.g. NIST).
"Ultimately, the custody process has to be reviewed holistically to determine the risk associated with centralised exposure", says Joe.
Given theft from DeFi due to poor quality code is now the predominant risk, it has become a major focus. By taking a parametric approach, Relm is offering protection by insuring the integrity of the smart contract itself, providing protection against trigger events that compromise the security of the smart contract, rather than insuring the underlying digital assets. It’s a clever approach, akin to home contents insurance that covers not the contents themselves but a breach of the security of the house. As Joe explains, it shifts the focus and enables a different way for investors to get coverage of their digital assets.
"By focusing on protecting against the failure of the code rather than the asset itself it helps us identify good smart contract risk from bad smart contract risk".
Relm have been completing root cause analysis of smart contract failures for more than 12 months now to understand which triggers are potentially insurable, thus building out underwriting guidelines for the new products they have developed.
Lloyd’s and Coincover appear to have taken a similar approach of categorising trigger events against which the insured is covered, but related to wallet access, without the dependency on registered custodians or the specifics of smart contract risk. Lloyd’s recently announced a new product in conjunction with Coincover to protect against losses arising from the theft of cryptocurrency held in online hot wallets. Interestingly, it directly insures the crypto assets with a dynamic limit adjusting to the price changes of crypto assets. Critically, the product does not cover ‘failure, breakdown or disruption of a cryptocurrency blockchain’ which accounted for 70% of theft in 2021.
Further, Lloyd’s and Coincover appear to be taking the approach of using technology to support companies, selling their software for securing wallet access and management. Their software enables transaction authorization settings and uses behavioural analysis to reduce the risk from malicious access to wallets. The solution can be deployed by the insured across their technology infrastructure to improve cyber security, monitoring for and preventing transaction anomalies from unauthorised access. Notably, their product only covers against the loss of funds from unauthorised third party access (via malware, phishing, hacking etc), indemnifying loss against events ‘our tech is designed to prevent’. Crucially, it explicitly excludes the ‘wilful sending of digital currency by you or someone authorised by you’. This potentially creates a huge grey area, as these techniques are often used to scam individuals into sending the assets of their own volition, which would seem to negate the insurance coverage. Scams were the largest form of cryptocurrency-based crime by transaction volume in 2021, with over $7.7 billion worth of cryptocurrency taken from victims worldwide.
Further, the insurance industry has to find capacity in an emerging industry in the infancy of any regulatory structure that has an estimated compounded annual growth rate of over 58.4%.
Freddie points to a key problem; policy structure and capacity.
“I think there is huge potential. The insurance market is still small - we’re only right at the beginning. But capacity is difficult given the complications. For example, we can find cover for registered custodians of digital assets indemnifying them against the loss of digital assets for £750m or £1b say, but that’s a drop in the ocean even now. There are trillions of assets stored out there”
To Freddie’s point, Binance, the world's largest exchange, averages $76 billion in trading every 24 hours, has 90 million registered users and requires billions of dollars to be immediately accessible online to facilitate trades. If they are significantly compromised, what are the chances of any policy Binance does hold indemnifying the average holder on the exchange?
However, Ben Davis, the Digital Asset Team Leader at Superscript makes a very interesting point;
‘It’s true, there is not enough insurance capacity in place and for some custodians they will only be able to cover a portion of their holdings. However, in some circumstances larger custodians may not need to and it would be too expensive anyway. The chances of a major custodian losing all their holdings with all the correct procedures in place (wallet segmentation, multi signatory accounts, physical securities etc) is very very small and the cost of cover outweighs the risk. Further, major registered custodians will pay for any losses themselves out of their own pocket to avoid the negative PR backlash.’
However, it seems to be unanimously agreed that access to capacity to cover these risks is a major issue. Capacity needs to be raised not only via reinsurance but via capital markets. Critically, the insurance structure needs to be put in place to facilitate it.
In an effort to tackle this, Freddie at Howdens is pursuing a strategy whereby they develop ring-fenced policies that sit on top of the custodian policy, against which capacity can be raised to cover specific assets for a set limit for a defined number of specific clients.
Relm is turning to alternative non-traditional solutions to find capacity. This includes the recent launch of a fully regulated multi-currency collateralized reinsurance facility accepting collateral in fiat or crypto, thus aligning investment and capital.
It would seem a key nut to crack will be enabling key capacity providers to quantify the associated risks and it’s still early days.
‘I received the first enquiry five years ago and we’ve spent these years educating ourselves, brokers and the market to underwrite these risks’ says Freddie.
After years of kicking the crypto can down the road, waiting to see how the market evolves, governments are slowly addressing the need to face the issue. The UK and US governments have recently made some cautious announcements related to crypto asset regulation.
Regulators are typically reactive to such emerging issues. They require use cases to establish precedent to determine the problems to which regulation will eventually be applied. As explained by Crane, law is yet to be established because the ethical values related to blockchain are not yet understood and they are the driving force behind the very creation of laws or regulations.
Regulation is likely to be applied differently in different countries and regulatory jurisdictions.
Regulators face an additional difficult problem: blockchain is decentralised by definition, so it fundamentally shifts how regulation will need to be applied, i.e. the central controls on which regulation currently relies (e.g. financial institutions) are the exact entities bypassed.
So how do we bridge the gap?
Freddie believes: "Evangelists and enthusiasts will always want it to be truly decentralised. I think what we will see is a half-way-house of centralised permissible blockchains to bridge the gap to regulations. We won’t get the golden ticket of true decentralisation, regulation and insurance cover. The industry needs regulation, especially when we are insuring those in the financial/investment side, where there needs to be consumer protection."
And this maybe brings us to ‘the future of digital asset insurance’, because companies like Nexus Mutual are trying exactly this. Nexus Mutual are proposing solutions that use blockchain technology to create alternative risk sharing, using mutual models to distribute risk across members, executed by smart contracts. Using the same mutual ethos that founded the advent of insurance, their solution involves pooling members' assets to protect individual members. If an unfortunate event occurs, a ‘claim’ can be submitted that is then assessed by community members. Once a requisite number of community members approve the claim, it is executed automatically via smart contract, indemnifying against the loss.
So where does this leave us?
Assuming the drive of crypto adoption continues, especially if demand for national crypto currencies results in national and company digital currencies, insurance for crypto assets will be as necessary as home contents insurance.
Cyber security is already a hugely complicated insurance space that struggles to meet its capacity requirements. This is compounded when finding solutions for digital asset insurance. The crypto asset insurance market has a long way to evolve. Even more fundamentally, the blockchain technology still has a long way to evolve. However, Ben Davis nicely links the two;
‘When I look at this space, this is the resurgence of when Cyber established itself’
Ultimately, not only do digital asset policies need to mature; critically, risk needs to be presented in a quantifiable way that can attract capacity from capital markets if more traditional insurance policies are to provide the solution to satisfy the market need. Certainly, in the near term, ‘proxy’ insurance will continue to be the focus of digital asset insurance products available on the market.
However, if we let our imaginations run wild for a moment, the ultimate product would indemnify asset holders against the loss of crypto assets in the following scenarios:
Security breaches resulting in theft via access to victims’ private keys and subsequent unauthorised third party access
Exploitation of vulnerabilities in DeFi and smart contract code
Provide recompense cover in the denomination of the crypto asset itself
Insurance coverage without the dependency on registered custodians
And, maybe this is where companies like Nexus Mutual can bridge the gap between the ‘evangelists’ and the insurance industry, by providing cover using the very technology that gave us digital assets in the first place. Smart contract based insurance policies seem to be a natural extension of the benefits blockchain technology can provide.
As summarised by PwC’s report into insurance 2025 and beyond, the impacts of technology on our lives and our insurable risks from developments including crypto are arriving at a fast and furious pace. As digital innovation and adoption continue to fundamentally reshape the risk landscape, they also create new opportunities for those insurers that can innovate at pace.
Maybe Ben from Superscript summarises it best;
"We are at the forefront of the most important technology of the last 30 years. This is an incredible opportunity. We are waiting for the ball to drop within the insurance community where they understand the technology and the market. This is the best opportunity we will see in our lifetime for a whole new asset class. The companies who take the time to educate themselves, understand the data and learn are the ones that are going to win".