What happens to customer funds after cryptocurrency services are hacked?
The answer to that question is unclear even after a wave of hacks have compromised crypto’s message of secure money. Few recourses exist for customers at such services. Not much has changed since the days of Mt. Gox, when customers lost their holdings after the exchange crashed. Some crypto services, like Binance, have proactively set aside funds for affected customers. But is that a sustainable long-term solution?
Executives from the insurance industry gathered for a panel discussion at the DAS Markets conference in New York last week to provide answers. The industry has taken a cautious approach to cryptocurrencies with many carriers “taking a small bite, just putting their foot in,” said Jennifer Hustwitt, senior vice president at Marsh & McLennan Companies.
According to the panelists, the main problem for crypto-insurance lies in evaluating risks in a continually evolving ecosystem. In other words, the matrix of risks applicable to crypto is still unknown.
While hacks at crypto services have generated headlines, blockchain—the technology underlying cryptocurrencies—still remains impervious to tampering. Cases, such as the one at Canadian exchange QuadrigaCX, in which the founder died without revealing private keys used to access its funds, have further complicated matters.
What are the problems with cryptocurrency insurance?
“[Identifying risks] has less to do with technology and more to do with policy and processes,” said Christopher Liu, head cyber specialist for financial institutions at AIG. He said there should be a “high degree of comfort” that the event which catalyzes insurance claims is rare. But the current frequency of hacks at exchanges suggests the opposite dynamic (i.e., breaches are the norm rather than the exception).
If and when such events do occur, it should be relatively easy to document and process them. But that is easier said than done.
Abstracting blockchain’s technical complexity is a difficult task. “How far do you go and how technical do you make those [insurance] policies?” asked Hustwitt.
As an example, she said Bitcoin is defined as a social construct and would need to be translated into a technical concept in insurance documents. But the cryptocurrency is not discretely produced. Rather it is a self-propagating chain of data. As such, it can be difficult to ascertain and define the provenance and amount of insurance claims, Hustwitt explained.
An acceptable and common definition for the broader concept of digital assets also does not exist in the insurance industry. Private keys, which are used to access cryptocurrency, sow further confusion because they are proxies for customer holdings. Then there are forks, always a complicating factor in cryptocurrency assessments. Taken together, the definitions of these concepts have a bearing on risks and premium amounts for theft or loss of digital assets.
Another deterrent for crypto insurance are the high premiums associated with such products. Established companies reportedly charge upwards of five times more as compared to other products to cover cryptoassets. This is partly related to the dynamics of the market for crypto insurance.
“It is not a deep market,” said Liu from AIG. “When you think about how many buyers there are in the market, there is a reason why prices are high.” Arranging for insurance comes at an especially steep cost for startups straight out of the gate. “If you are a seed round company, then you represent high risk and it is appropriate to have high premiums,” explained Jacob Decker, vice president at Woodruff Sawyer, a San Francisco-based insurance company.
A crypto insurance case study
Itay Malinger, co-founder of cloud-based crypto wallet service Curv, said the costs to insure their service were “expensive.” Their insurance with Munich Re covers a cyber breach to Curv systems resulting in loss of assets or the possibility of a Curv employee colluding with a customer to siphon off customer wallet funds. However, the insurance does not extend to breach on the customer’s systems. Because they were dealing with a single provider, the process of acquiring insurance was a relatively simple one and lasted nine months, said Malinger.
Curv has passed on some of its insurance prices to customers, charging a percentage of the total value of assets maintained in their wallet. “It adds costs but also pressures [crypto] vendors to build a more secure and robust product,” he said. The flipside to this strategy has been an increase in the number of customers using their opt-in insurance service, instead of hunting down a provider on their own.
“That [getting insurance for crypto funds] is the most painful thing,” said Malinger. “It is time-consuming and you don’t know how you are going to end up.” He takes the long view and says insurance costs will decline as custody services and tech products (related to crypto) become better.
For that to happen, however, a market with more heft and liquidity is required and the crypto community will need to step up. “It takes a community to build a market and a portfolio,” said Chris Liu from AIG.