Understanding the Risks
Global Risk in Crypto Asset Security
Local Risk in Crypto Asset Security
Flawed Key Generation
Theft by External Hackers
Responding to Loss
Challenges Facing the Industry
Blockchain technology, cryptocurrency, and digital assets are here to stay. The next decade will see a burgeoning number of new applications for this technology in the global financial system.
From Central Bank Digital Currencies (CBDC) already on trial in China and the Bahamas, to ownership and provenance of physical assets codified and recorded as Non-Fungible Tokens (NFTs) on the blockchain, more and more of the things we value are being managed by this revolutionary technology.
As such, the question of security becomes increasingly relevant. Institutions are presented with two main focal points, namely 1) preventing loss and 2) recovering from loss. The first is the realm of security, specifically cybersecurity and the effective management of private keys. Here there is a wealth of knowledge, expertise, technologies, policies and best practices that have been developed over the past three decades by the cybersecurity industry.
To be clear, there are new and unique challenges specific to the blockchain or cryptocurrencies in particular, but the industry has a well-established baseline to work from.
The other area is perhaps less clear, often raising more questions than answers, such as:
- How do we effectively insure these digital assets against loss?
- What does it mean to “lose” something that only ever exists in a digital form?
- How do we prove that a virtual asset is actually lost?
- What are the risks unique to such a medium?
- How can we mitigate these risks and what options are available when our defenses fail?
This article addresses these questions and highlights some of the options insurance underwriters are offering today.
Understanding the Risks
The principal difference between cryptocurrency security and standard data security is that in crypto’s case the data is the value. Think about a hacker who has stolen a credit card number versus one who has stolen crypto.
A credit card owner who notices an illicit charge on his credit card statement can simply call the credit card company and challenge the transaction, resulting in a chargeback.
However, when a hacker steals crypto, there is nobody to call for assistance. The value is bound up with the data, and nobody can cancel, reverse or otherwise nullify a confirmed transaction. Irreversibility is, of course, a feature of the blockchain, not a bug.
Further, we can identify two broad categories of risk: Global and Local. Let’s look at both in more detail.
What is Global Risk in Crypto Asset Security?
Global risk refers to the risks inherent in the technology infrastructure itself. It stems either from the technology or from the market.
Global Risk: Technical Security Threats
Using Bitcoin as an example, these cybersecurity risks include:
- 51% attack - a scenario where an attacker controls a majority of the network's hashing power and can therefore reorganize recent blocks, double-spend coins and censor transactions (though not spend coins from addresses whose private keys they do not hold)
- Sybil attacks - where an attacker floods the network with many nodes under its control; a victim node whose connections to the wider network all run through those nodes (an eclipse attack) can be fed a false view of the chain
- Denial of Service (DoS) attacks - where a node is overwhelmed by a large volume of requests, crippling its ability to respond
While newer, smaller blockchain networks remain susceptible to some of these, the size and decentralization of the Bitcoin network make the cost of mounting them so high that they are no longer a practical concern for it.
Global Risk: Market Related Risks
In terms of trading and transacting with cryptocurrencies we can add market-related risks to the global risk category. These risks include:
- Volatility risk - the risk carried by any asset whose price moves across a wide, highly erratic range,
- Liquidity risk - the risk of not being able to enter or exit a position because there is not enough market depth to trade the asset, and
- Regulatory risk - the chance that governments will hobble the practical use of cryptocurrency, or possibly even ban it altogether
These risks are being addressed by the nascent financial products developing across the industry. To start, financial derivatives such as futures and options aid in price discovery. Second, the growing number of cryptocurrency exchanges and brokerages is improving liquidity. Finally, a host of crypto-related regulations is emerging, all serving to stabilize and mature the market.
What is Local Risk in Crypto Asset Security?
Local risks are perhaps tougher to deal with. When we say local, we mean local to the individual or organization and their wallet.
In this regard we have three main categories of risk:
- Flawed key-generation by the wallet provider,
- Theft of private keys (and consequently crypto funds) by external hackers, and,
- Malicious theft or negligent loss of funds by trusted insiders
3 Types of Local Risk
1. Flawed Key Generation
All blockchains rely on public key cryptography, also known as asymmetric cryptography. A key-pair is generated from a random secret: the private key is a large random number, and the public key is derived from it mathematically in a way that cannot be reversed. The wallet address is in turn derived from the public key (typically by hashing it) and plays the role of a bank account number; the private key is the credential that authorizes transactions from that account.
It is fine for anyone to know the public key or address, since it is used as a destination for funds. Only the wallet owner should know the private key, since it is what signs outgoing transactions. If the key generation process is flawed, most commonly because it draws on too little randomness (a weak or predictable random number generator), the private key is not truly secret: an outside attacker who understands the flaw can reproduce or brute-force it and sign transactions as the owner.
While this has happened in the past, it is generally not a major concern if you are dealing with reputable wallet providers who provide tested and certified infrastructure.
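As an added illustration (not part of the original article and not CYBAVO's code), the following Python script shows what a key-generation flaw looks like in practice. It implements scalar multiplication on secp256k1, the curve used by Bitcoin, derives a simplified address (a truncated SHA-256 of the public key, rather than Bitcoin's real SHA-256/RIPEMD-160/Base58Check encoding), and compares a correct generator that draws 256 bits from the operating system's CSPRNG with a hypothetical broken generator that seeds a deterministic PRNG from a tiny seed space. An attacker who knows how the broken generator works recovers the private key from the address alone by trying every seed. The 8-bit seed space is an assumption chosen so the search finishes in seconds; the point is that a key is only as secret as the entropy behind it, not the curve.

```python
"""Flawed key generation on secp256k1: a weak seed makes the private key recoverable."""
import hashlib
import random
import secrets

# secp256k1 domain parameters (the curve used by Bitcoin and Ethereum)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p, q):
    """Add two affine points; None represents the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p == -q
    if p == q:                           # doubling: slope = 3x^2 / 2y
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:                                # addition: slope = (y2-y1)/(x2-x1)
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, point):
    """Double-and-add scalar multiplication k*point."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def public_key(priv):
    """Uncompressed SEC1 encoding (0x04 || x || y) of priv*G."""
    x, y = point_mul(priv, G)
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def address(priv):
    """Simplified address: 160 bits of SHA-256(pubkey). Illustrative only."""
    return hashlib.sha256(public_key(priv)).hexdigest()[:40]


def strong_keygen():
    """Correct: 256 bits from the OS CSPRNG, reduced into [1, N-1]."""
    return secrets.randbelow(N - 1) + 1


def weak_keygen(seed_bits=8):
    """Hypothetical broken generator: seeds a deterministic PRNG (Mersenne
    Twister) from a tiny seed space, as if from a truncated timestamp."""
    seed = secrets.randbelow(1 << seed_bits)
    return random.Random(seed).getrandbits(256) % N or 1


def recover_weak_key(target_address, seed_bits=8):
    """Attacker's view: reproduce the broken generator for every possible
    seed and stop when the derived address matches the victim's."""
    for seed in range(1 << seed_bits):
        candidate = random.Random(seed).getrandbits(256) % N or 1
        if address(candidate) == target_address:
            return candidate
    return None


if __name__ == "__main__":
    victim = weak_keygen()
    print("weak key recovered from address:",
          recover_weak_key(address(victim)) == victim)       # True
    print("strong key recovered from address:",
          recover_weak_key(address(strong_keygen())))        # None
```

Running the script recovers the weakly generated key every time, while the same search against a key drawn from the CSPRNG finds nothing, which is exactly the property an insurer's technical due diligence on a wallet provider is meant to confirm.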
2. Theft by External Hackers
This risk is probably the most concerning and certainly the most obvious for cryptocurrency investors. We have already witnessed the theft of billions of dollars worth of cryptocurrencies, primarily from crypto exchanges, from the hacks of Mt Gox in 2011 and again in 2014, all the way through to the alleged hack (at the time of writing) of South African exchange Africrypt, with a possible loss of $3.6 billion reported in June 2021.
This kind of cryptocurrency theft is generally the result of attackers compromising an exchange's wallet infrastructure and gaining access to its private keys. Once the keys are in hand, it is simply a matter of signing transactions that move the funds to addresses the attacker controls.
The benefit of the blockchain is that all transactions are recorded on a permanent, immutable ledger, so the movement of the funds can be tracked. However, addresses are pseudonymous rather than tied to identities, and there exist a number of services, called coin mixers, which blend stolen funds with other funds to make them very difficult to trace.
Fortunately, a number of robust wallet management solutions have been developed by cybersecurity experts, like the CYBAVO VAULT, to help mitigate the risk of theft through the combination of cutting-edge technology with tried and tested policy management.
3. Insider Risk
Of course, people also pose a substantial risk.
The risk from insiders is twofold. Firstly, handling private and public keys correctly is not trivial and requires a level of technical proficiency, so honest mistakes are common. Secondly, insiders who are trusted with the keys can simply abuse that trust. There exist countless stories of well-meaning individuals who have lost their private keys through misplacing hardware, forgetting or losing passwords, being tricked by scammers into giving out the private keys, having private keys stolen by malware, having destination addresses swapped by malware (so that funds are sent to the attacker's address instead of the intended one), or dying or disappearing without first sharing the private keys.
This is not limited to lay people. In June of 2021 crypto staking firm Stakehound accused crypto custodian Fireblocks of allegedly mishandling backups of its private keys. In the lawsuit, Stakehound alleges that the mishandling led to the loss of over $75 million worth of ETH. Those funds are forever locked at the corresponding address with no way to access them.
Crypto monitoring firm Chainalysis estimated that in early 2021 nearly 20% of all Bitcoin was locked up due to lost private keys. That represented a staggering $140 billion worth of value at the time. Adding to this is a disturbing number of stories where employees have been given control over private keys and simply walked off with them, along with the funds they unlock. The most infamous of these is the case of Gerald Cotten, QuadrigaCX founder, who "died" in India under suspicious circumstances, taking the private keys to over $200m in crypto with him in the process.
Responding to Loss
In response to these threats, a small but growing number of insurance firms have begun to underwrite the risks and help insure the industry against loss. Available insurance options typically fall into four categories:
- Crime Insurance: As the name implies, this type of insurance covers situations where theft, fraud and/or hacking has occurred. It is typically applied to situations where "hot wallets" (internet-connected wallets) have been compromised, either by external hackers or by nefarious insiders, and funds effectively stolen. This type of insurance is congruent with the cover available for cash-in-transit armored cars, cash in ATMs and so on. The key concept is that funds have been stolen.
- Specie Insurance: This type of insurance covers physical damage to or loss of private keys in cold wallets (wallets disconnected from the internet). Typically this will also include misuse or theft by employees. Specie insurance traditionally insures works of art, precious metals and similar items while they are on display in a museum or locked in a vault. It is therefore most associated with insider theft or with destruction of the property by natural disasters, fire and so on. Importantly, it typically does not cover hacking incidents.
- Business Insurance: This includes professional indemnity insurance (PI insurance) and directors and officers liability (D&O liability) insurance. PI insurance covers the legal costs and expenses incurred in your defence if you are alleged to have provided inadequate services that caused your clients to lose money. D&O insurance protects the personal assets of corporate directors and officers and their spouses in the event they are sued by employees, customers, vendors, competitors and so on. This type of insurance is increasingly difficult for crypto-related organizations to obtain, given the frequency of incidents.
- Decentralized Finance (DeFi) Insurance: DeFi insurance is an interesting and exciting development of insurance solutions built on the blockchain itself. Etherisc is leveraging the Ethereum blockchain to develop a platform for decentralized insurance applications, with the aim of disintermediating insurance and allowing it to return to its roots as society's safety net. The platform allows participants to build insurance products using smart contracts. These smart contracts bring together investors who back products designed by product designers, oracles and license providers to cover insured parties. Products available on the platform include flight delay insurance, hurricane protection, crypto wallet insurance and crop insurance.
Nexus Mutual and Bridge Mutual are two other decentralized applications that provide coverage for smart contract failures or hacks, and for individuals whose crypto is held on exchanges or with other custodians that may get hacked. Nayms and UnoRe are reinsurance platforms that leverage smart contracts to create marketplaces in which industry participants such as brokers, insurers, asset managers and capital providers can easily access, issue and trade risk. One great advantage of these solutions is that they can provide cover in kind, on a token-for-token basis, removing the volatility risk of traditional coverage denominated in fiat currencies.
Challenges Facing the Industry
As alluded to above, one of the major challenges in insuring cryptocurrencies is price volatility. As contracts are mostly still denominated in fiat currencies, rapid price spikes leave insured parties scrambling to increase their coverage in bull markets and to reduce it in bear markets.
Another challenge is the difficult technical underpinning. The technology is not trivial and the risks are not well understood, though this is changing as more insurers enter the market. Getting insured is no easy task, and insurers consider a number of risk factors before deciding to offer cover. These include the experience and expertise of the management team, and the security protocols and operational procedures in place, not only for securing the private keys but also for mitigating financial fraud and money laundering and for regulatory compliance.
As a result, insurance premiums for crypto are generally quite high, with startups paying as much as 5% of their coverage limits, making insurance a very expensive luxury in a highly competitive industry.
For individuals, current policies are typically written to the exchanges or custodians, not to the individual owners, though this is changing through projects like Bridge Mutual and Nexus Mutual. Many exchanges are also building their own insurance programs, allowing individual customers to purchase insurance for their own funds. Coinbase provides supplementary insurance backed by Nexus Mutual for customers who lose more than 10% of their assets.
Finally, regulatory uncertainty presents perhaps one of the biggest challenges to a more robust presence from the insurance industry. Hopefully this will change in the near term.
Regardless of the challenges, there is definitely a positive movement toward more coverage and involvement from the insurance industry. As the crypto market matures, the risks will be more easily mitigated, premiums will come down and a more stable, nurturing environment will develop.
The reality of crypto-related insurance is that it is generally provided in various stages and levels, through a number of reinsurers, each taking on responsibility for a portion of the overall risk. Therefore, custodians or exchanges indicating insurance coverage will have likely engaged multiple insurers via their insurance brokers and gone through a series of technical due-diligence reviews to ensure the technology, protocols and practices are as secure as can be. As more insurers participate in the market, we can expect higher levels of coverage.
In the past few years we have seen insurance offered by companies like MunichRE (Germany), Lloyd’s of London (UK), Aon (UK), Great American Insurance Group (USA), Evertas (USA), Coalition (USA), Kase Insurance (Canada) and others. The emergence of DeFi in 2020 provided the perfect opportunity for the blockchain to devise its own decentralized insurance solutions and we watch that space with great interest going forward. Etherisc, Nexus, Bridge, Nayms and UnoRe are surely just the tip of the iceberg in this regard.
As CYBAVO customers may know, we’ve been covered since June 2020 by an S&P AA-rated international insurance company to provide us with a comprehensive digital asset loss insurance coverage to enhance our security and lower our risk for institutional wallet customers.
The insurer performed a deep technical assessment of CYBAVO VAULT's security and risk management protocols, covering the security model, private key management, architecture, infrastructure and overall system security. As such, CYBAVO is confident in our ability to protect our customers' funds and provide the necessary insurance cover.