Tom Tenenbaum recently authored an article published in Law Week Colorado about the broad range of risks posed by cryptocurrencies. This follow-up article discusses how the insurance industry currently responds to those risks. The upshot is that the emerging cryptocurrency marketplace poses both a major opportunity and challenge for the insurance industry, and the currently available insurance coverage is spotty and pricey as insurers get their bearings in this relatively new world.
The Slow Insurance Response
There is a certain irony in discussing cryptocurrency and insurance together because there is a misperception that operators in the cryptocurrency world enjoy its Wild West image while insurance signals security and stability. However, many cryptocurrency businesses want to shed the Wild West image in favor of the stabilization of cryptocurrency pricing and greater acceptance of cryptocurrency in the financial marketplace. Thus, various participants in the cryptocurrency marketplace seek insurance coverage to provide a higher degree of security for themselves, investors and third parties.
The conservative insurance world is not responding quickly to the emerging cryptocurrency risk. Insurance actuaries rely upon mass quantities of historical data to develop risk models to assist them in setting appropriate premiums and determining the degree of risk their companies are willing to accept. More data over time yields a more reliable actuarial basis for pricing and loss reserving. That data is missing or insufficient for cryptocurrency risks because, although cryptocurrency has been around for a decade, it is just now becoming a popular means of exchange for financial transactions.
Further complicating and slowing the insurance industry’s response to the emerging cryptocurrency risk is the unsavory purposes to which cryptocurrency payments are sometimes put. Cryptocurrencies are used to pay for such illicit items as drugs, weapons, stolen merchandise, forged documents, sex workers, human trafficking, murder for hire and ransom for cyberattacks.
Various laws, and public policy, prohibit insurers from intentionally covering illegal activities. Moreover, most insurers do not want their reputations sullied by unintentionally insuring these activities. Indeed, last year, the venerable insurance exchange Lloyd’s of London warned its distribution agents to “have careful regard to the reputational risks to Lloyd’s associated with insuring illegitimate activities associated with [cryptocurrency] assets.”
The Lloyd’s bulletin is further instructive of the challenges facing the entire insurance industry in attempting to adapt to and serve the emerging cryptocurrency marketplace. Lloyd’s, generally seen as a maverick risk-taker in the conservative insurance world, cautions that the “novel nature and the absence of clear regulatory frameworks and precedents for cryptocurrencies” requires Lloyd’s agents to obtain cryptocurrency expertise and be cognizant of the applicable financial crime, counter-terrorism financing and “Know Your Client” laws.
The Lloyd’s bulletin references the U.S. Treasury’s Office of Foreign Assets Control warning that cryptocurrency is associated with individuals and entities on the List of Specially Designated Nationals and Blocked Persons and the OFAC regulations prohibiting financial institutions from dealing with parties on the SDN List.
Products Available and Risks Insured
Turning to the specific insurance products themselves and the risks they insure, they can be broken down into two broad categories: products designed specifically for the cryptocurrency marketplace and existing products that might respond to emerging cryptocurrency risks.
Currently, there are only a limited number of products fitting into the first category. These generally provide coverage for private key theft and other hacking or cyber risks. Thus, these products respond generally to the cybersecurity challenges Tenenbaum summarized in the first article. At this time, coverage is essentially available only to corporations engaged in the cryptocurrency field, not to individuals who might have private keys or otherwise are active in this area.
Moreover, there are limitations and challenges associated with these emerging products. For example, cryptocurrency property is generally insurable only for a small fraction of its total value. This may be because premiums are pricey, going as high as 5% of the requested coverage limit.
Relatedly, one aspect of cryptocurrency that thus far defies insurability is the volatility in its valuation. This is so because policies are written in discrete amounts of legal or “fiat” currency, whereas the value of the insured cryptocurrency asset can quickly grow or shrink exponentially. Further, the valuation provisions in insurance policies can be complex and create disputes when a loss occurs.
The second insurance product category, existing products that could be intentionally or unintentionally adapted to insure cryptocurrency risks, includes crime and fidelity insurance, directors and officers liability insurance, and professional liability/errors and omissions insurance.
The existing products are generally called upon to respond to lawsuits connected to regulatory risks, investment issues, certain criminal activity and professional liability risks summarized in the first article.
Investigations or enforcement actions by the Securities and Exchange Commission, and claims by shareholders or other investors, might trigger D&O and E&O policies in particular. For example, the SEC’s public statements, reports and enforcement actions clearly demonstrate that it views federal securities laws as applying to cryptocurrencies even though the “security” is called a “coin” or “token” rather than a “stock” or “bond.” If the SEC initiates an investigation into a company’s cryptocurrency initial coin offering, that investigation may trigger at least the defense provisions of the company’s E&O policy.
The investigation may also trigger defense coverage under D&O policies, although that is more questionable. It depends on such issues as whether the investigation names a company’s individual directors and officers in addition to the company, whether the D&O policy defines “claims” or “securities claims” in a way that includes securities issued “by” the insured or just securities “of” the insured, and whether the ICO activity fits into the policy’s professional services exclusion.
The last item is particularly problematic, as many D&O policies broadly exclude claims “arising out of” professional services and insurers have aggressively sought to enforce these broad exclusions, with much success in the courts lately.
Regardless of whether an insurer is seeking to introduce bespoke policies specifically designed for cryptocurrency risks, or to adapt its existing policies to respond, the aforementioned Lloyd’s bulletin urges its syndicates to consider issues such as the security of private keys and whether coverage is provided for “hot” (Internet accessible) storage or “cold” storage; the integrity of the computer code behind the insured risk; cyber-crime, hacking, and related network issues; the insured’s identity and the scope of coverage involving decentralized and/or anonymous actors; the impact of the aforementioned rapidly evolving financial services laws on the insurability of risks and assets; and exchange rate volatility and exposure to valuation fluctuations in the underlying crypto asset.
Thus, any insured seeking to procure insurance coverage for its cryptocurrency activities should be prepared to provide prospective insurers with more information than in the usual insurance transaction.
Such transparency runs somewhat counter to the anonymity that many players find attractive in the cryptocurrency world.
Insurance Coverage for Lawyers Involved in Cryptocurrency
I would be remiss if I didn’t at least touch upon the possible cryptocurrency-related coverage issues in lawyer professional liability policies. The risk faced by lawyers whose practices involve or even connect to cryptocurrency is nontrivial. As most cryptocurrency lawyers should know, SEC chairman Jay Clayton has specifically and repeatedly stated that he and his agency view cryptocurrency transactional lawyers and law firms as potentially culpable “gatekeepers” if they fail to prevent their clients from engaging in securities law violations. His public statements further demonstrate that the SEC takes a dim view of lawyers who advise clients that cryptocurrencies aren’t securities, or who are equivocal about whether they are securities.
Notably, not all cryptocurrency-related claims that could trigger LPL policies are malpractice claims by paying clients. SEC enforcement actions or investigations, and claims by nonclients, could trigger LPL coverage.
However, LPL policies commonly contain several exclusions and limitations that could preclude coverage for a cryptocurrency-related malpractice or other LPL claim. For example, exclusions for cyber liability, directorship services, intellectual property, loss of funds, attorney-owned entities and criminal activity could limit or bar coverage for a cryptocurrency-related claim against a lawyer. Lawyers who accept cryptocurrency as payment of fees for services rendered or who accept ownership in a cryptocurrency client’s business as compensation will face particular scrutiny from their LPL carriers. Thus, lawyers who currently practice or intend to practice in the cryptocurrency area should closely review their LPL policies, and confer with their LPL insurance broker and insurance coverage counsel, to determine the extent of coverage available.
Just as the risks of cryptocurrency activities generally, and ICOs in particular, are quickly emerging and evolving, so too is the insurance coverage that responds to them. Lawyers practicing in this area need to understand that insurance coverage for their clients and themselves is limited and provides questionable protection for all involved.
—Damian Arguello is the founder of Colorado Insurance Law Center