Digital currencies
Get more with myNEWS
A personalised news feed of stories that matter to you
Learn more
In November the Securities and Futures Commission set an insurance requirement as one of the terms and conditions to be imposed on licensed exchanges under its framework for virtual assets. Photo: Reuters

In Hong Kong, search for ‘cyber theft’ insurance stumps aspiring cryptocurrency exchanges

  • For cryptocurrency exchanges and custodians, complying with Hong Kong’s new rule on insurance is a costly challenge
  • Few speciality insurers willing to underwrite against theft and hacking due to high risks

Hong Kong cryptocurrency exchanges and custodians are seeking out insurance to cover the risks of hacking and theft, in an effort to comply with future regulation by the city’s securities watchdog to provide full protection for client assets.

However, finding an insurer that will underwrite the needed policies and provide the high level of proposed coverage set out by the Securities and Futures Commission (SFC) has proven to be a challenge for the emerging industry, according to industry players.

The high cost, as well as limits on the coverage provided, not to mention the reluctance of some insurance companies to underwrite against risks that are difficult to measure and anticipate, were among the hurdles in complying with the SFC’s proposed rules, industry players said.

Most cybersecurity insurance coverage is written by the speciality insurance market in London, although a number of companies in Asia are beginning to enter the niche market.

“The number of insurers and reinsurers that are willing to underwrite cryptocurrency cybersecurity risk is extremely narrow. The amount of available coverage capacity today is under US$1 billion per transaction,” said Murray Wood, Asia head of financial specialities at Aon.

He said the premium charged on cryptocurrency exchanges and custodians for insuring cryptocurrency assets is “significantly higher” than those charged on insuring cybersecurity risks that affect traditional banks and financial institutions.

In May, Aon helped broker policy coverage for blockchain trading technology company BC Group to insure its custody services against third-party hacks, making it one of the first companies in Asia to work with a group of international specialist insurers on this type of risk.

The rise and fall (and rise?) of the world’s biggest crypto miner

Globally, at least US$1.15 billion worth of cryptocurrency assets were lost through theft or hacking at exchanges since the start of 2018, according to calculations by the Post on reported events.

In November, the SFC set an insurance requirement as one of the terms and conditions to be imposed on licensed exchanges under its regulatory framework for virtual assets.

The securities watchdog said at the time it was setting out a “conceptual framework” to license and regulate virtual assets, adding that platform operators will need to be insured against theft and hacking risks related to the custody of virtual assets.

“The SFC generally expects that the insurance policy would provide full coverage for virtual assets held by a platform operator in hot storage and a substantial coverage for those held in cold storage (for instance, 95 per cent),” the SFC said in the document.

Cold storage refers a device for holding cryptocurrencies offline. Hot storage refers to an environment which has online access and is more vulnerable to hacking.

China proposes total ban on cryptocurrency mining

Some industry players said the SFC should lower the insurance coverage requirements in light of the high premium costs when it finalises its licensing regime.

In light of the short trading history of cryptocurrencies, insurers are scrutinising how well exchanges meet compliance protocols. These include practises such as know-your-client, anti-money-laundering and internal security protocols to guard against unauthorised activities, said Wood.

Ari Chester, a partner at Mckinsey’s global insurance practice, said most cyber insurance covers data breach, liability, business interruption, extortion, regulatory costs, and digital asset replacement.

“But in the case of cryptocurrency, the digital asset is not just data, but has direct monetary value. Hence it would be a highly niche, non-standard coverage. For this type of risk, the payout ceiling for the client would get priced on a case-by-case basis,” he said.

Stable coins sees big inflows amid cryptocurrency volatility

Chester said the typical coverage limit would range from US$5 million to US$25 million, although some insurance brokers can arrange bundled protection of up to US$700 million or more for large companies.

Most insurers will only underwrite risks from fraudulent activities, and third-party hacks.

The risks of company insiders disappearing with their clients’ assets, either by ill intent, or accident are not covered.

The risk of accidents that can disrupt a cryptocurrency exchange are underscored by the unexpected death in December of Gerald Cotten, co-founder of Canadian exchange Quadriga. Cotten was the only person with the private keys to the exchange’s cryptocurrency wallets. His death meant the company could no longer access nearly C$190 million (US$142.04 million) in cryptocurrencies

Quadriga filed for creditor protection in January saying it was not able to send funds to 115,000 customers that used its platform.

This article appeared in the South China Morning Post print edition as: Insurance challenge for crypto playersInsurance challenge for crypto players