Insured Success

In this podcast, Peter Hardy, Eleanor Ruiz and Claudia Gwinn provide an introduction to cryptocurrency insurance, including key issues such as crypto-related risk coverage (i.e., theft, hacking, fraud and operational mistakes), considerations in respect of valuation wording and notification requirements to the insurer in the event of loss.

Transcript:

Intro: Hello, and welcome to Insured Success, a podcast brought to you by Reed Smith's insurance recovery lawyers from around the globe. In this podcast series, we explore trends, issues, and topics of interest affecting commercial policyholders. If you have any questions about the topics discussed in this podcast, please contact our speakers at insuredsuccess@reedsmith.com. We'll be happy to assist. 

Claudia: Welcome back to Insured Success. My name is Claudia Gwinn and I'm a junior lawyer in Reed Smith's insurance recovery group and I'll be in conversation today with my colleagues in the London team, partner Peter Hardy and counsel Ellie Ruiz. Today we're going to be discussing the cryptocurrency insurance market and in particular the types of crypto policies available and the risks they seek to cover, insured considerations as to the policy wording and them respective disclosures. And finally, making a claim under a crypto policy. So to start off, what does the cryptocurrency insurance market look like currently? What kind of policies are available? And what are the risks currently attaching to cryptocurrency and digital assets?

Ellie: Hi, Claudia. So when we're talking about cryptocurrency insurance, there's probably two broad categories. There's coverage for assets that's available to consumers, For example, your individual, your corporate investor, and then there's insurance for the key stakeholders within the crypto industry, and that would include crypto custodians or exchanges. There's then various types of assets that crypto insurance might cover. There's a type of custodial insurance that might protect against sort of general loss as a result of hacking, theft, loss of funds. There's also the option to look under crime insurance policies. That's more directly relating to theft, potentially crime-related events, individual insider involvement. And then you can also look for some types of specific policies targeting risks that are directly related to being in this cryptocurrency environment. For example, a specific type of policy that addresses theft of an element of the software or hacking in particular based on the, relevant industry rather than a broader concept of crime or of general custodial insurance. The risks that we're looking at, those risks that are inherent when you're holding crypto assets, some of them are very new. It's a relatively new area and they're quite specific risks to this area that have to be considered. Those might include that this is an area where there's a lack of regulatory oversight. There's definitely market volatility that everyone is aware of that really affects the value of the cryptocurrency that might be being held. And there are also a whole different host of security concerns around encryption, how assets are held, and particularly on cryptocurrency platforms, that makes these systems vulnerable to a different type of attack than you might think about assets held in a bank account, particularly the collapse of FTX in November 2022. That made, I think, crypto asset holders and the public generally more aware of those risks and that there's a real need to protect these digital assets in as many ways as possible. And one of those ways is to look at taking out insurance. And it'll come as little surprise, I think, that one area that we've seen particular activity is that these crypto exchanges are a tempting target for hackers. There's the high value nature of the assets that are involved. And as I mentioned before, new potentially untested security. There might be new vulnerabilities that haven't yet been provided against. And that's all in the balance between an insured and their insurer trying to get ahead of any of those risks and make sure that an insured in this space is protected. Peter, is there anything else you thought you wanted to add there?

Peter: Thank you, Ellie. Just a couple of additional comments for me, perhaps. I think, as you've indicated, this is very much a new and still developing sector of the market. We've seen a lot of new wordings coming into the market. We've even seen new insurance capacity provided by insurers dedicated to this particular market sector. So we're all learning about how the market is developing and we're learning about how these policies might respond. I mean, the cryptocurrency cover that one might buy, I think, is increasingly likely to be found in bespoke, standalone, dedicated crypto policies. But it might also be found in more general business and liability covers, often perhaps by way of endorsing. So I think that the fact that the insurance options are continuing to evolve and the range of new wordings that are potentially available present both opportunity and challenge for insurers. It's very important for an insurer to fully understand what cover it's actually bought. I think often there is a temptation to think that because there is cover in the market it's cover you must have but what you really need to understand is what you have for and whether that is what you think you are looking for now that this loss has arisen because it might be the case that you bought perfectly appropriate cover but the loss that's arisen is excluded for one or other reason by the particular policy you brought It's taking time to understand, I think in particular in discussions with your brokers. What isn't available and what you bought is essential if you're going to be able to assess the nature of your insurance protection in the event that the loss arises. And it's also important to note, I think, that because this is a new market sector, these wordings, these policies are largely untested in terms of their claim systems. As Ellie mentioned, cryptocurrencies are particularly susceptible to fraudulent activity and market manipulation, in particular to schemes such as pump and dump schemes where the value of an asset is artificially inflated through misleading and false statements, only to find that the asset is then dumped at the inflated price. So I think the wildly fluctuating value of cryptocurrencies can create problems for the policyholder going forward. There's no doubt about that.

Claudia: So given this crypto asset price volatility, are there any particular considerations that the insured should keep in mind as to valuation provisions under the policy?

Peter: It's a good observation, Claudia. I think the fact that the value of the crypto asset, the value of crypto assets frequently fluctuating makes it important for there to be an accurate valuation methodology in the policy. And it might be provided in one or other ways. But it will hopefully be a valuation methodology that recognises the balance sheet value of the lost asset to the policyholder. There are several options. The market value option, which will base the coverage on the value of the asset at the time of the loss. There's the historic cost approach, where coverage will be based on the price of the assets when they were acquired, which might be some time prior. And there's the average value which will base coverage on the overall average value in the market over a specified period of, say, three or so years. But it is important to recognise that even when evaluation is fixed by reference to the date of loss, it may significantly be different to the value attributed to the lost asset on the balance sheet in current time. And this could have a real impact on insurers' rights and subrogation and recovery and on their perception of the value in those rights.

Claudia: Thank you, Peter. And speaking more generally, what kind of information or disclosures is a crypto asset business likely to have to provide to their insurers?

Ellie: I think I can take this one. This is something we're always talking to insured clients about because it's a way of getting ahead of any future problems down the line before you've got any claims. When the policy is being placed under the Insurance Act 2015, we always start with there's a very important duty of fair presentation that requires that the insured provides the insurer with a full and accurate disclosure of all material information to the risk which it knows or ought to know before entering into an insurance contract. In the context of cryptocurrency, that can be an extensive burden particularly when you're talking about an area. In which perhaps insurers are less au fait. You as the insured client might have a much better detailed understanding of the information you're handing across. The information can vary, the nature of the duty can vary, but some of the minimum areas that we've experienced and things we'd expect that an insurer of a crypto asset policy might be requiring include an explanation of the type of crypto assets that are being held. So that's whether it's the different type of coin, Ethereum, Bitcoin, Litecoin, what's being held, what's being traded, because different assets in this area have got different risk profiles. There's a question of the value of holdings, as Peter's just covered, that fluctuates, but the value at the time, the profile of that value as it's changed over time. And then from a security perspective, there's an issue around storage methods. Some elements of holding cryptocurrency involve some physical storage. Then there's also some online storage. There's offline storage. There are various different types of wallets in which information is kept. And all of that is information that your insurers will want to be right across because it directly impacts their assessment of the security measures. All the details of security measures are something that insurers are going to want to understand and there's usually an obligation that no significant changes would be made to those security measures that are in place over the life of the policy. That's all about preventing theft, preventing hacking, preventing unauthorized access. There might be specific types of measure that an insurer will want to see in place or request that are put in place. It's all about. Ideally, ensuring that these risks are minimized before any policy is actually put in place so that your insurer's got a better opportunity of calculating the risk that's being faced. And then there's a question of a claims or a loss history. As with any insurance policy, insurers in this space are going to find it relevant if there have been previous breaches of security, previous claims made on these types of policy. And interestingly previous claims made in this sphere but under other policies as Peter's pointed out this kind of coverage is evolving and it's not necessarily that you'll have held this specific type of cover for multiple years you may have held different types of cover under which you've already claimed for similar types of losses so it's worth looking across the picture there. I think it's I think it's fair to say that crypto custodians are likely going to be subject to more in-risk disclosure requirements than some types of investors, partly because of, people building up a knowledge about this area. Crypto asset holders in particular are holding large amounts of assets of particularly high value, so there's a lot of responsibility for safeguarding and significant total that might be at stake. Due to the scale of those operations, custodians might be required to evidence things like strong risk management. They'll want details of security protocols at inception and at renewal. And one other key point to keep in mind as any type of crypto policyholder is that you will need to communicate that information, be that verbally over meetings or be that in documents, in a particularly clear way. As I pointed out, there just might not be parity of understanding of crypto asset terminology in particular between insured and insurer. And we want insureds to feel comfortable and confident that they've been making accurate and clear disclosures should the issue arise down the line.

Claudia: Thank you, Ellie. So moving from the insured's disclosure obligations at inception to the insured's notification obligations when making a claim, what kind of information will the insurer expect to be provided with when an insured event takes place? When is the obligation to notify triggered?

Ellie: Thank you. That's obviously, it's one of those first questions people come to us with. Do I need to notify? That's almost always what Peter and I will get asked first. what constitutes a claim or a potential claim and those obligations about notification you should be able to find those clearly in the policy it's one worth checking when it's placed so that there's somebody in the business particularly in these crypto businesses that might be relatively new it's not necessarily the case there'll be somebody in that business who's got a direct responsibility for insurance as their whole job so allocating somebody the task of identifying when the insurance should be called upon and to understand those notification provisions is really important. Under a crypto insurance policy, the right to make a claim that might be triggered by the hacking event itself, theft or fraud of an asset or negligence identified by the custodian that proves a risk. For example, a security breach, even if there's not a potential loss identified right at the outset, it's one of those things that is likely to have to be notified to insurers. Following an event, if there's an insured event, it's important that those notification provisions are complied with really specifically. There's often a very specific time period in these kinds of policies when we're talking about crypto assets. That's partly because of the nature of the asset, as you'll be aware, they can move very rapidly. And the more time that has passed since the event, the more difficult it can be to get information, the more difficult it can be to trace. So, in most scenarios, the sooner the better to notify insurers and that way there's no delay which might have undermined insurers' ability to mitigate or investigate the incident. When you make a notification, as with most policies, you'll follow up with a proof of loss and the information provided to an insurer in the proof of loss document presentation that should be as detailed as it can possibly be and substantiated with as much documentation or forensic evidence if necessary at that stage it's a good point to bring in investigators or forensic accountants people who can produce a report that collates all of that information so that nothing gets lost given as i've said how quickly things can move on So things like date, time of incident, type of incident, assets compromised, and then all of the investigation carried out to date and the ongoing investigation that might proceed after that point. Is there anything else you had on that one, Peter?

Peter: Yeah, thank you, Ellie. Just again, a couple of comments. I think like all assets, the value of an insurance asset can go up or down depending on how well you look after it. And I think understanding the notification obligations under your policy and your requirements in that respect are key to preserving the value of your insurance asset. I would assume one of the most key features of doing that. I think it's very important as well to understand the importance of the broker's role in this regard and how much support you can get, will get from your brokers. If you report to them that you believe you've got a matter that needs reporting to insurers under the policy, they will understand the notification reporting requirements very clearly. They will work with you to make sure you comply with your obligations. I think the nature of a cryptocurrency loss means that there is quite often going to be other activity around the circumstances of the loss. Other investigations may well be ongoing, in particular criminal investigations may have resulted from the nature of the loss that you suffer, particularly if, as Ellie was describing earlier, we put a crime or a theft-related loss. So a policyholder should be aware that that parallel investigation might perfectly legitimately compromise your ability or one's ability as an insurer to investigate the nature of the circumstances behind the loss and report it to insurers. So I think a policyholder will need to explain to insurers very clearly what constraints they may be working under in order for insurers to retain confidence that the insurer is giving them a full explanation of what it knows about the circumstances of the loss. I think that's very important to protecting the relationship with insurers during the progress of pursuing this loss to a client. It's also, one may often have heard that the expression of a policyholder being required to act as a proven uninsured, which means effectively taking steps to protect insurers' position in the event that insurers ultimately pay a claim and taking steps to act as if it was uninsured in the way it investigates its claim and manages the options available to it at this point in time. So how does that manifest itself? Protecting assets to the extent that it's possible to do so, avoiding further losses and making clear that the circumstances of the loss have been recognised by the insurer in terms of removing assets from hot-cold storage and transferring to cold storage, freezing accounts, making sure that any apparent investigations can be continued, any quote-unquote bad actors can be identified and pursued and not released from liability because that's something that the insurers will be very keen to see is protected. The insurers will want to know that the insured is protecting the rights that they may have by way of subrogation or other recoveries to recover any amount that it in fact pays out under the policy. And very often acting as a prudent uninsured is doing just that. That is protecting the rights of the insured in the event that your claim that you submit to the policy is successful and is paid. And as Ellie has already mentioned, we're seeing increasingly now specialist forensic. Investigators and crypto investigators who are dedicated at types of very niche investigations that are likely to provide for the most success in both making the claim on the policy and recovering the value from the lost asset. Ellie, any further comments from you on those?

Ellie: No, I agree with all of that. It's definitely not an obligation that ceases when you make that notification, bearing in mind the idea of acting as a prudent, uninsured, and protecting the value in your insurance policy is something we really want to emphasize and make sure that people appreciate the value in an insurance policy in this sphere.

Peter: And although very often we are required to take issue with insurers, that should very much be the point of last resort. And you should be looking to work with your brokers, looking to protect the interests of insurers, making sure insurers know that you're looking after their interests because you believe you've got to pay to pay them policy. So I think, you know, until the point where it is absolutely clear that there has been are falling out there isn't one and you work together to recover the best for you as the insured under the policy protecting insurers interest going forward which will provide you with the quickest way of recovery.

Claudia: Well thank you Peter and Ellie you've identified some really excellent tips for policyholders of cryptocurrency insurance you know in particular ensuring that you understand the language and terminology attached to the crypto asset so you're able to make clear disclosures or claim notifications. And of course, as Peter pointed out, with the assistance of your broker, and also that you have as much detail or information as possible relating to the crypto asset at your disposal, keeping in mind that there may be investigation limitations in the event of criminal or regulatory investigations running in parallel. Well, thank you for listening today and Peter and Ellie for being in conversation with me. If you have any questions about the topics discussed in the podcast, please contact our speakers, Peter Hardy and Ellie Ruiz. Thank you.

Outro: Insured Success is a Reed Smith production. Our producer is Ali McCardell. This podcast is available on Spotify, Apple Podcasts, Google Podcasts, PodBean, and reedsmith.com. To learn more about Reed Smith's insurance recovery group, please contact insuredsuccess@reedsmith.com. 

Disclaimer: This podcast is provided for educational purposes. It does not constitute legal advice and is not intended to establish an attorney-client relationship, nor is it intended to suggest or establish standards of care applicable to particular lawyers in any given situation. Prior results do not guarantee a similar outcome. Any views, opinions, or comments made by any external guest speaker are not to be attributed to Reed Smith LLP or its individual lawyers. 

All rights reserved.

Transcript is auto-generated.