Evidenced by its $1.29 trillion market cap, (CoinMarketCap, May 17, 2022) interest in cryptocurrency has skyrocketed in recent years (Haar, 2022). Indeed, as of April 2, 2022, the cryptocurrency market was larger than Italy’s GDP, the eighth largest in the world (Adams and Walker, 2022).
Of course, with more interest and value comes more risk, such as theft of digital assets, cyber security concerns, and regulatory impacts. With respect to the evolving crypto markets, this increase in risk is widespread and readily apparent. Indeed, President Biden signed an executive order on March 9, 2022 requiring the government to assess the risks and benefits of creating a central bank digital dollar, as well as other cryptocurrency issues (Johnson and Shalal, 2022; White House, 2022).
Who is at risk?
If you or your company trade cryptocurrencies on your own behalf or on behalf of clients, make or receive payments in cryptocurrency, store the keys and digital wallets that secure cryptocurrencies and other digital assets like NFTs, develop blockchain technologies, or advise whether cryptocurrencies are a sound investment, then you or your company may be exposed to crypto-related losses.
As an example, companies and their directors and officers could face shareholder or derivative actions alleging gross negligence or breach of fiduciary duties based on allegedly unsound advice relating to the investment in, use of, or management of cryptocurrencies or other digital assets. Public companies may also be subject to regulatory investigations involving cryptocurrencies.
Cryptocurrency is also a popular target for ransomware hackers. Since the first bitcoin block was mined in 2009, more than $1.3 billion has been stolen from cryptocurrency exchanges (Kenneth, 2021).
Will insurance cover crypto-related losses?
Given that cryptocurrency is in its infancy, most insurance policy forms do not expressly address crypto-related losses or risks. That said, specific coverage for such losses may be available, particularly under D&O (directors’ and officers’ liability or management liability) coverage or cyber (network security/privacy liability) coverage. Depending on the text of the policy and the nature of the loss at issue, coverage may lie under existing E&O, crime, and property policies as well.
D&O insurance protects the personal assets of and provides armor for a company’s board and management. More specifically, it insures (1) claims made against the directors and officers when the company cannot indemnify them (“Side A” coverage); (2) the company itself when the company is required to indemnify its insured directors and officers for claims made against them (“Side B” coverage); and (3) the company against its own liability in a securities claim or (in the case of private companies) any non-excluded claim made against the company as an insured entity (“Side C” coverage).
The policy’s definitions of “Claim” and “Loss” are a good place to start to determine whether D&O coverage may be triggered for crypto-related losses. The term “Claim” should be broad enough to include civil lawsuits, criminal proceedings, administrative proceedings, and investigations against directors and officers, and sometimes include demands to enter into a tolling agreement or requests for interviews or to produce documents made to directors and officers. The term “Loss” should include defense costs, damages, settlements, judgments, and pre- and post-judgment interest, and also should include certain fines and penalties, punitive, exemplary, and multiplied damages (when insurable under applicable law), and awards of plaintiff’s attorney’s fees, among other items.
The definition of “Securities Claim” may also be critical. Definitions of the term vary depending on the policy form. As an example, one definition of “Securities Claim” in a D&O Policy is “a claim made against an insured . . . alleging a violation of any federal, state, local or foreign regulation, rule, or statute regulating securities …which is . . . brought by any person or entity alleging, arising out of, based upon or attributable to the purchase or sale of or offer or solicitation of an offer to purchase or sell any securities of an Organization [.]”
Depending on the policy language and the outcome of the Securities and Exchange Commission v. Ripple Labs, Inc. case (No. 20-cv-10832 (S.D.N.Y. 2020))—which will address the issue of whether cryptocurrency constitutes a “security”—D&O coverage may also protect a company from crypto-related liability as a “Securities Claim.”
As always, coverage is subject to any applicable exclusions. D&O policies, for example, can include exclusions for criminal or fraudulent conduct. Such an exclusion, however, should be severable such that it will not apply to other insureds who have not been subject to a final, non-appealable adjudication that certain criminal or fraudulent conduct was committed.
Cyber insurance is designed to provide first-party and third-party coverage arising out of security or privacy breaches, such as cyber extortion and ransomware attacks. Although this coverage has been available for some time, cyber insurance forms vary widely and are continuously evolving. Coverage may include, among other things, indemnity for fees, costs, and expenses incurred by the insured to (1) investigate, respond to, or terminating an actual or suspected security or privacy breach, including the fees and costs of counsel retained to determine notification and compliance obligations; (2) ransom payments; (3) data recovery and restoration; (4) crisis management firms to help contain the fallout from public disclosure of a cyberattack; (5) business interruption losses; and/or (6) liability arising from an alleged failure to prevent a security or privacy breach or the disclosure of protected confidential information, including the costs of defending against claims by affected parties.
Though coverage may seem apparent for crypto-related security or privacy breaches or cyber extortion, it is important to carefully review each policy and take account of any applicable policy exclusions or other limitations.
For instance, cyber policies may not include coverage for loss in the form of “money” or “securities.” Courts have already noted similarities between money and Bitcoin for federal tax purposes, see United States v. Ologeanu, No. 5:18-CR-81-REW-MAS, 2020 WL 1676802, at *23 n.31 (E.D. Ky. Apr. 4, 2020) (quoting SEC v. Trendon T. Shavers & Bitcoin Sav. & Tr., No. 4:13-CV-416, 2014 U.S. Dist. LEXIS 194382, at *19 (E.D. Tex. Aug. 26, 2014)), and, as noted above, whether cryptocurrency constitutes a security is currently being litigated in Securities and Exchange Commission v. Ripple Labs, Inc., No. 20-cv-10832 (S.D.N.Y. 2020). The loss of money and securities may be covered under some commercial crime policies, and a small number of cyber policies may include limited crime coverage in addition to the more standard first- and third-party cyber coverage. But cyber policies may still cover the cost of responding to a security or privacy breach and the defense and liability of a claim for damages.
- Companies and individuals entering the cryptocurrency industry may be exposed to theft of digital assets, security concerns, and regulatory risk.
- Although your current D&O and/or cyber insurance policies may not expressly address crypto-related losses or risks due to the relatively new nature of the cryptocurrency industry, coverage for such loss may still exist. Coverage may also lie under existing E&O, crime, and property policies.
- In addition to evaluating your policy language, it is important to keep track of developments in crypto-related litigation and how this relatively new asset class is defined and categorized in the case law, statutes, regulations, and administrative decisions.
- Experienced insurance coverage counsel can help navigate terms of your policies and advise on other potentially applicable coverage.