On Tuesday (April 2), Philip Martin, Chief Information Security Officer (CISO) at Coinbase, talked about his firm's crypto insurance policy, the current state of the crypto insurance market, and his thoughts on the future of this market.
In a post on the Coinbase blog, Martin started by talking about the insurance policy Coinbase has had since November 2013 for its hot wallets. The reason for buying this insurance policy was to protect its customers against loss of their crypto funds. Coinbase did not need to worry about the loss of customers' fiat deposits since these are held in U.S. bank accounts, which are covered by the Federal Deposit Insurance Corporation (FDIC).
Martin correctly recognizes that "the most likely consumer loss scenario for any cryptocurrency company" is "hot wallet loss due to hacking" (the most recent example of which was the attack on Singapore-based crypto exchange DragonEx on March 24th). Coinbase's hot wallet policy has "a $255 million limit placed by Lloyd’s registered broker Aon" and is "sourced from a global group of US and UK insurance companies, including certain Lloyd’s of London syndicates."
Next, Martin points out that "the two main insurance classes involved in cryptocurrency insurance today are the Crime and Specie marketplaces" and explains the difference between them:
"In general, Specie policies available in the market today focus on physical damage or loss of private keys (including employee misuse or theft) in cold storage. The Specie market generally insures fine art, precious metals and the like when in a vault or on display. Generally the way I think about this market is insuring value at rest. They do not generally cover hacking in the traditional sense of the word, nor would they likely cover any kind of blockchain-specific failure. Importantly, that means that a Specie policy would not be responsive to a loss of funds that occurred due to an on-blockchain failure (e.g. a vulnerable smart contract multisig implementation). The best use of Specie policies is as a hedge against major natural or regional disasters, or insider theft/destruction of private key material."
"Crime policies are focused on hot wallet losses and include coverage for losses due to hacking, insider theft, fraudulent transfer, etc. including fiat and crypto currency, in addition to the physical damage or theft of private key data in cold storage. This marketplace also insures risks like cash in armored cars, cash in ATMs, etc. Generically, the way I think of this market is insuring value in transit. Crime policies would not generally cover the costs of incident response, PR costs, etc. Crime policies also don’t generally cover failures of the underlying currency (e.g. 51% attacks). Coverage for hot wallet exposures are also significantly more expensive than cover for cold storage alone."
Martin goes on to say that, unfortunately, a lot of misinformation is spread about crypto insurance, and that crypto companies should try to follow these guidelines:
- "Companies should focus on insurance for value in flight. This means that exchanges and wallets should have sufficient Crime coverage to fully cover their hot wallets (including enough buffer to handle asset price spikes). Custodians should have enough Crime insurance to cover normal outbound customer transaction sizes or enough to cover whatever assets are programmatically accessible if they’re not using cold storage."
- "Companies should NOT promise preferential status to specific customers on policies that are meant to cover all customers. This is commonly known as First Loss Payee status on a specific policy and it means that a specific customer gets preference for payouts under the policy."
- "Companies may insure cold assets, but it should be on a per-customer basis."
He advises both individuals and institutions to find out what kind of crypto insurance their service provider offers:
"If you are using a consumer-oriented service, hopefully your service provider is publicly transparent about the type and limit of coverage they offer. Coinbase does this at coinbase.com/security. If you are a larger institution working on a bespoke contract with a service provider, you can request a Certificate of Insurance. That certificate will specify the type of insurance, Crime or Specie generally, the program limit and who provides the insurance."
Although the crypto insurance market has developed significantly since 2013, there are still several areas in which Coinbase would like to see improvements:
- "There is not enough risk transfer capacity in the market. The number of insurers who have invested their time in understanding cryptocurrency risks has increased dramatically over the past few years. Still, the demand for cryptocurrency insurance has increased even faster. We need more participants in this market."
- "Policies are denominated in fiat but the assets are in crypto. This means that in bull markets it can be challenging for companies looking to grow insurance policy limits at the same pace as asset prices are moving. Insurers need to hold digital assets in order to offer policy limits denominated in cryptocurrency to avoid differences in valuation."
- "Policies are generally written to exchanges or custodians, not directly to the owners of cryptocurrency. We need a world where the ultimate owners of cryptocurrency are able to directly insure their assets stored with trustworthy, well-reviewed, transparent service providers."