Author: Vanessa Leemans, Chief Broking Officer, Aon’s Cyber Solutions EMEA
A digital artwork from Beeple recently sold at Christie’s auction for a staggering USD 69M and was paid for with cryptocurrency in addition to standard forms of payment. Rather than receiving a physical piece of art, the winning bidder received a non-fungible token, or NFT, that proves he owns the original work. Ambitious and innovative artists are flocking to unchartered digital platforms to showcase their work, and buyers are rushing to bid on and purchase these “virtual” collectibles. Across art categories — celebrity, traditional, gaming, sports, and music – NFTs are gaining traction.
So, what are NFTs? NFTs are digital assets whose authenticity can be verified through blockchain technology. They can be bought and sold like any other piece of art but have no tangible form of their own. Buyers collect and trade NFTs, and even showcase their collections online. Because of the security benefits of blockchain, the ownership records presumably cannot be forged. But even so, crypto assets and non-fungible tokens do not come without risk.
The stakes are high
Storing and protecting these valuable digital assets cannot be accomplished via traditional physical security systems or vaults. NFTs are stored on the blockchain, and the reality is that most people store their private ownership keys in their “personal wallets” on their computer, just like any other file. Once a key is stolen, there’s little chance of getting it back. Another risk lies in the nature of digital asset trading. Deposits are often made into “hot wallets,” similar to virtual savings accounts, that are connected to external servers. Unlike “cold wallets” that aren’t connected to the external world, these “hot” deposit accounts are not as hacker-proof as the actual blocks within the blockchain. The breach of Coincheck Inc., one of Japan’s largest digital currency exchanges, revealed this risk when USD 534M worth of digital assets were stolen.
Third-party vigilance is also essential. Only 21% of organisations report having baseline measures to oversee critical suppliers and vendors, as reported in Aon’s 2021 Cyber Security Risk Report. Within the digital assets marketplace, there are numerous players such as payment processors, smart contract / technology service providers, and blockchain payment platforms. These vendors often have comparatively weak security on their own apps and websites, which can leave the door open to hacking. A practical example of this is the social engineering attack on GoDaddy, a major domain registrar and web hosting organisation, where hackers convinced employees to give them access to targeted cryptocurrency websites.
Finally, an organisation needs to consider regulatory mandates, as some information maintained on these exchanges can lead back to an individual’s identity. Even if cryptographically secured, personal data processed through a blockchain is to be considered subject to the EU General Data Protection Regulation (GDPR). In the case of a personal data breach, GDPR requires you to notify supervisory authorities within 72 hours. Violation of GDPR is costly, with fines of up to EUR 20 million or, if higher, 4% of an organisation’s annual global turnover.
Proactive approach to digital asset risk management
NFTs are a part of digital evolution, and as such present new risks and associated liability issues. There are several steps you can take to help protect these digital assets, one step to consider is starting with a risk assessment anchored by a scenario analysis to better understand your exposures. Penetration testing, or a simulated cyber attack of cryptocurrency wallets and custody solutions, is another proactive step to check for potential exploitable vulnerabilities.
After a risk assessment, a recommended next step is to quantify the loss exposure through actuarial modelling and to then conduct an insurance coverage gap analysis. This will help to understand existing insurance coverages in cyber and other insurance policies. A review of the terms and conditions is essential, as policies may have been drafted before digital assets existed. For example, a custodian of digital assets will need a tailored crime insurance policy providing coverage for theft of funds, which traditionally only covers a currency backed by a government. Coverage for digital assets will need to be tailored in a crime insurance to address certain nuances unique to cryptocurrencies, such as public and private keys and the distinction of cryptocurrency held in “hot storage” versus “cold storage”. The specie or fine art insurance market can also provide coverage for theft of funds from cold storage, but does not cover theft from hot storage.
Tailored insurance policies are a priority for all participants to consider in this new digital asset world, most specifically banks; trust companies and exchanges; broker/dealers; cryptocurrency miners; investment managers and advisors; and emerging blockchain technology organisations. Take investment management companies as an example. A close study of professional liability & cyber insurance policies is vital. While cyber liability insurance typically provides coverage for claims from unauthorised access to the computer network which results in loss of information, the policy’s definition of “computer network” must be considered. Does it include a decentralized peer-to-peer network? Has the digital assets exclusion been deleted?
The current insurance marketplace is challenging even for “vanilla” risks. Supply is not keeping up with demand and the market has seen a significant increase in premiums due to the increased frequency and severity of cyber security incidents, as reported in Aon’s 2021 Cyber Insurance Snapshot EMEA. Cyber insurers are looking to see that an organisation has the appropriate controls in place. Cryptocurrencies, NFTs, and rapid digital evolution make risk management ever more complex and vital as this evolution also leads to great innovations.