Insurers test Bitcoin business with heist policies

Read time 5min 20sec
Some insurers are not yet convinced the crypto-currency business is large enough for premiums to cover possible losses.
Some insurers are not yet convinced the crypto-currency business is large enough for premiums to cover possible losses.

Major global insurers are starting to offer protection against crypto-currency theft, willing to tackle daunting challenges it brings rather than miss out on this volatile and loosely regulated, but rapidly growing business.

So far, only a few insurers sell such insurance, including XL Catlin, Chubb and Mitsui Sumitomo Insurance. Yet several others told Reuters they are looking into theft coverage for companies that handle digital currencies like Bitcoin and Ether, which trade between anonymous parties.

Such efforts so far have garnered little attention, but the emergence of an insurance market marks an important step for the nascent industry's mainstream recognition.

The risks are clear: digital currency investors have already lost billions from dozens of crypto-currency hacks, technical errors and fraud. Many hacked exchanges later shuttered.

Tokyo-based exchange Coincheck became the latest casualty, reporting a loss of around $534 million worth of coins to hackers.

For insurers, the challenge is how to cover those risks for customers they know little about, who use technology few understand and represent a young industry that lacks troves of data insurers usually rely on in designing and pricing coverage.

Christopher Liu, who heads American International Group's North American cyber insurance practice for financial institutions, said the answer is to find an established business with a similar risk profile and try to adapt what works there.

"It's sort of akin to a digital armoured car service," he said about crypto-currency firms. "If there is a problem - like an accident or a robbery - that's going to be the accumulation of all these exposures."

Liu says AIG began researching crypto-currency theft coverage in 2014 and has written a few such policies, but remains in an "exploratory phase".

Greg Bangs, head of XL Catlin's North America crime coverage underwriting, recounts how the firm had to become its own expert on the new technology by talking to key players and potential clients before developing Bitcoin theft insurance.

"The first challenge for us was to figure out if there was a product here."

XL Catlin now offers annual crime coverage of up to $25 million per incident, Bangs said.

Shady companies

Knowing the customer also takes on special importance.

Jackie Quintal, who advises financial institutions for insurance broker Aon, said part of her job is to tell legitimate digital currency companies from shady ones, something that often gets cleared up even before an insurer gets involved.

"If someone is hesitant to provide information and they don't have answers to compliance questions, they tend to disappear on their own," she said.

Still, insurers spend more time than usual scrutinising everything from security and storage procedures, the scale of their operations, to the people involved ? a process that can take several months.

"Some Bitcoin exchanges and wallets weren't anticipating the level of underwriting and due diligence they undergo when they approach the market," said Matt Prevost, who heads Chubb's North American Cyber Product Line.

Insurers like Chubb are betting that crypto-currencies will gain wider recognition even if the new business now represents only a tiny sliver of the global $720 billion per year commercial insurance business.

Digital coin sales raised more than $5 billion across nearly 800 deals in 2017, according to venture capital data provider CB Insights. There are no estimates yet how much of that has been insured or of total premiums collected.

Cool on "hot storage"

Many insurers remain wary of the new business. Some, like Great American Insurance Group, an American financial group unit, offer protection from employee theft to companies that accept Bitcoin payments, but avoid outside risks, such as hacking. The company added the coverage to its standard employee theft policy in 2014.

Others will avoid coverage for coins kept online, or in "hot storage", because of the high risk of hacking and will only cover offline "cold storage", which is also generally preferred by crypto-currency companies.

Coinbase, a leading crypto-currency exchange available in 32 countries, says on its Web site it holds less than 2% of customer funds online and that those funds are insured.

Lloyd's of London, the world's largest insurance marketplace, was providing insurance to the exchange, according to a person familiar with the matter. Reuters could not determine the terms or the scope of the coverage and a Lloyd's spokesman declined to discuss Coinbase.

He said member companies have written a small number of policies for crypto-currencies in recent years and Lloyd's was requiring members to proceed with caution and use additional scrutiny of crypto-currency companies.

Some insurers are not yet convinced the crypto-currency business is large enough for premiums to cover possible losses.

"We're looking at it, but does it make sense to offer a market for that?" said Frank Scheckton, president of Great American's Fidelity Crime Division.

Right now, costs act as a deterrent for small firms and start-ups, said Ty Sagalow, chief executive of Innovation Insurance, which has been developing coverage for crypto-currency companies since 2013.

"It's an expensive product that many companies can't afford," he said.

Annual premiums for $10 million in theft coverage would typically run at about $200 000, or 2% of the limit, insurance experts say. That compares with about 1% or less for traditional financial clients, depending on the company, loss history and other factors.

Currency volatility is another concern. While coverage limits shield insurers from wild swings, the impact for clients can be dramatic. For example, a $10 million policy signed in January 2017 would cover 10 957 Bitcoins at the time, but only 923 if a hack happened a year later.

Login with