Keeping Cryptocurrency Secure

More than $1.3bn has been stolen from cryptocurrency exchanges since the first Bitcoin block was mined in 2009, with an average of $2.7m of crypto assets stolen every day in 2018. While robust security is imperative for anyone wishing to hold digital assets, insurance is also helping to reduce the risk to investors.

It’s easy to see why cryptocurrency is an attractive target for criminals, as it is relatively easy to misappropriate. In the case of cash, for example, one has to physically steal it and there are ultimately limitations on the amount that can be taken. Similarly, the electronic theft of fiat currency through the banking system leaves a detectable trail for investigators. With regard to crypto, a thief only has to hack into the private key details and they can digitally transfer any available cryptocurrency to their own anonymous account. This is compounded by the fact that a company providing cryptocurrency storage and exchange services is likely to hold significant amounts of such currency.

Unfortunately, as well as hacking into accounts, criminals have also resorted to more violent acts to obtain currency unlawfully. One particularly unpleasant instance took place in 2018, when armed robbers broke into the Oxfordshire home of bitcoin trader Danny Aston, holding him, his girlfriend and child at gunpoint and forcing him to transfer an undisclosed sum of Bitcoin to them.

Managing the risks

Given what is at stake, it is essential to understand and mitigate the risks associated with holding cryptocurrency. Although there is some physical risk, the main threat comes from online attacks, with most cryptocurrency stolen as a result of criminals hacking into systems that store private key data.

Whether they hold cryptocurrency themselves or through a custodian, all cryptocurrency holders need robust risk mitigants that cover both physical and cyber security. “We have five different zones of security at our sites, including digital, physical and human security,” explains Miles Parry, Founder and CEO of Vo1t, a global custodian of digital assets.

As well as secret locations around the world, Vo1t’s sites are patrolled by security guards with the servers held within underground bunkers that require eight factors of verification to open. The digital security is just as robust, deploying hardware security modules used by institutions such as the army and governments and with further reinforcement through a variety of fail-safes to prevent the theft of private key data.

Human risk is another key consideration. Whether a corrupt employee or one being blackmailed, people are prone to compromise. “Most of us have a dirty secret that could be used against us, or emotional attachments to past events that can be exploited”, says Sebastian Higgs, Director at Vo1t. “To ensure this risk is kept to a minimum we conduct rigorous screening on everyone we hire, only working with someone if they pass all of the checks.”

What’s more, even if a criminal were to compromise the different layers of security, this would be in vain. Rather than giving access to the private key data, a breach would result in the destruction of the digital asset at that site, with clients reassured that, through Vo1t’s duplicative security procedures, it would be secure in another of the firm’s sites around the world.

Parry, himself a former independent security consultant to the Ministry of Defence, is so confident about Vo1t’s online security that he is putting $50,000 of his own Bitcoin up as a prize in a hackathon. This will be held at a central location in a replica system of that used by the company, to ensure that client funds are not at risk. “We’ll plug this into the internet and publish the IPs,” says Parry.

Insurance confidence

While firms in the cryptocurrency ecosystem can make bold claims about the security surrounding clients’ digital assets, insurance adds considerable weight to their assertions. “We regard insurance as an external seal of approval,” says Higgs. “Any firm can say its security is robust but having insurance in place also demonstrates that insurers are comfortable with the measures that have been taken.”

Obtaining insurance is no mean feat. As it’s an emerging area of insurance, insurers are understandably cautious and will seek reassurance that risks are well-managed and a robust level of security is in place.

Insurers will also consider a number of different risk factors when deciding whether they are comfortable offering insurance to a firm. These include the experience and expertise of the management team; the protocols for online and physical security; and the segregation of assets. They also look at more traditional financial crime concerns such as anti-money laundering and know your customer procedures.

Tom Davis, Client Director at Aon Risk Solutions, says that given the fledgling nature of the market, firms should be prepared for a very thorough examination. “Before approaching insurers, we have an extensive vetting process for crypto clients. This involves ensuring that they can clearly demonstrate how robust their systems, processes and procedures are,” he explains. “We do turn away a few firms whose proposals we do not believe would be insurable, but in over 80% of enquiries it is a case of us working with firms to assist them in either improving their model or better articulating it.”

Policy wordings

As well as being able to demonstrate that risk is well managed, firms must also consider the type of insurance they need. Because it is such a new area of risk, there is still some misunderstanding around the type of cover that is available.

Two types of cover are relevant for companies that provide cryptocurrency storage and exchange services – crime and specie. Although there is some crossover between the two types of cover, there are some key differences too.

Crime insurance, a product that has been available for ‘traditional’ financial firms for many years, offers the broader cover. “A crime policy covers the loss, damage, destruction or theft of digital assets in secure premises or in transit or transmission,” explains Jeff Hanson, Director in Commercial Risk Solutions at Aon. “It also covers internal and external fraud, including electronic theft, which would include hot wallet protection.”

Specie cover focuses on the theft or destruction of assets while stored in secured locations, which would cover insider theft or an employee accidentally destroying private key data. Importantly, it does not cover hacking. 

These differences have resulted in the belief that a specie policy is sufficient for cold storage, as this is offline. However, this can leave some risks without cover.

Market dynamics

Taking out a crime policy should give customers assurance, but market dynamics mean this is not always possible. Hanson estimates that while there is in excess of $500m of ‘traditional’ crime and $2bn in specie capacity in the market, there is only around $150m of crime and $500m of specie cover available for crypto risks. “Ideally we would like to build much larger programmes to keep with the ever-growing needs of our customers.”

Insurance options are likely to evolve too, especially as insurers gain more confidence in the risks. Policies are currently written in fiat currency, but many firms would like to see the limits in a variety of cryptocurrencies. This would remove the risk of limits failing to keep up if there was a rally on the value of a cryptocurrency.

While this sort of development may yet be some years away, a much-needed increase in capacity is extremely likely in the meantime. “We’re constantly talking to insurers about the risks to help them feel more confident in writing the class of business,” says Hanson. “This is also helped by our vetting process, which ensures we only take risks to market that we consider have a very high likelihood of getting cover.”

Taking a measured approach to securing insurance for cryptocurrency firms is a must. By demonstrating to insurers that risks are well-managed and assets are subject to institutional grade security, it will give both insurers and investors the confidence that these digital assets are well protected, supporting their involvement but also the growth of the cryptocurrency market.