The limits of crypto asset insurability
Over the last 18 months, digital assets worth more than US$ 3bn were stolen by hackers by means of private key theft, spoofing, and compromised credentials. Recently, Binance, the largest cryptocurrency exchange in the world, lost $40 million in bitcoin due to an insecure hot wallet and compromised API credentials.
This high frequency of successful attacks demonstrates how exposed digital assets are and leads to an increased demand for insurance solutions. The Munich Re Group has set up an expert group of highly skilled cryptographic experts, cyber security auditors, business development managers and experienced senior underwriters to address the question of insurability.
One of the biggest concerns in this area is the lack of experience and digital maturity of the many start-ups that enter the field of digital assets. Given the exposure and the high number of incidents, cryptocurrency exchange points remain very difficult to insure. In most cases, a risk-appropriate premium would eliminate the profitability of the business model.
On the other hand, the significant risk associated with digital assets has brought about the development of new and impressive security solution concepts to secure the most critical piece: the private key of the digital wallets.
There are two core problems associated with generating and saving the private key: 1) the key can be stolen; 2) it can be forgotten. However, the solutions for dealing with forgotten keys (e.g. a backup) create additional attack vectors for cyber criminals. Solutions that make the key more secure against hacking (e.g. a key split) increase the risk of losing the asset by losing the key (or a part of the key). The latest research estimate is that between 17% and 23% of existing bitcoins are unavailable because the private key was lost. Theoretically this is worth around US$ 25bn.
Nowadays there are a few start-ups and security companies that have fully understood the risks of digital asset storage and developed strong cryptographic mechanisms, such as multi-party computation (MPC), to tackle known problems. Those start-ups that also have the right level of maturity, state-of-the-art cyber security technology, a world-class general information security management system (ISMS) and a trusted anchor for their business model are about to reach the insurability threshold.
Munich Re worked for almost two years together with Curv Ltd., a start-up based in New York City with offices in Tel Aviv. Curv Ltd. was incorporated in 2018 and belongs to the portfolio of the cyber security VC Team8. After two intensive years of cooperation and security audits, Curv has become the first insured in the field of the world’s biggest reinsurer.
Digital assets will remain a complex risk and require the highest level of technical expertise and underwriting. But while the number of cryptocurrencies is increasing, some elements are slowly becoming insurable.