How insurance plays a role in cryptocurrency risks

PropertyCasualty360.com: What does the cryptocurrency insurance market look like in 2025?

Hardy: The insurance market for cryptocurrency insurance is still maturing. We are at a stage where the market is still looking to see how different coverages will operate and still exploring where this kind of cover should fit, be that into the policies a business might already have for other protections, or a new discrete kind of cover, specific to the risks that surround cryptocurrency and crypto-assets.

Insurance options are likely to continue evolving, as insurers and brokers gain more confidence in the asset class and the scope of the risks being presented.
As a result, insurers and policyholders want to make sure there is a common understanding at the outset as to how any insurance cover will operate to protect assets and the scope of the insurance.

PropertyCasualty360.com: What kind of policies are available?

Ruiz: Cryptocurrency cover may be provided in a new bespoke standalone policy tailored for a company’s particular risk profile, or through wordings adapted for the sector from general business and liability insurance (i.e. cyber liability insurance, or commercial crime insurance for digital assets).

There are various types of crypto asset cover, encompassing custodial insurance (which might protect crypto investors against loss as a result of hacking, theft, or loss of funds, due to the custodian’s failure), crypto crime insurance (covering businesses and individuals against loss arising from “employee” crime-related events, for example, insider fraud, or hacking), or theft and hacking insurance (which, unsurprisingly protects against the specific risk of loss of the crypto asset as a result of theft of the asset held in exchanges or “cold wallets”, i.e., stored offline).

PropertyCasualty360.com: What are the current risks with cryptocurrency and digital assets?

Hardy: It is the different class of risks inherent in holding crypto assets, which have given rise to the demand for new and different crypto insurance.

Cryptocurrency has typically been viewed as a high-risk investment for various reasons, including: (i) the lack of regulatory oversight of crypto exchanges; (ii) market volatility, which can significantly affect the value of cryptocurrency holdings; and (iii) security weaknesses (i.e., insufficient encryption) in cryptocurrency platforms, which makes systems vulnerable to attack.

The collapse of the FTX cryptocurrency exchange in November 2022 made crypto asset holders more aware of these risks and the need to protect their digital assets.

In particular, crypto exchanges are a tempting target for hackers (due to the high-value nature of the assets and security vulnerabilities of crypto accounts and platforms). The $1.5 billion ByBit hack (since converted to an estimated £232 of unrecoverable funds) in February 2025 is just one example of such high-value cyber-crime involving cryptocurrency.

The fluctuating value of cryptocurrencies also makes it susceptible to fraudulent activity. For example, crypto traders may take advantage of the volatility of the cryptocurrency market, by promising investors unusually high returns.

Cryptocurrencies are susceptible to market manipulation, such as “pump and dump” schemes, whereby traders will artificially inflate the value of a token to attract investors, then sell off their assets when the price is high, causing the other assets to rapidly lose value.

PropertyCasualty360.com: Given the crypto asset price volatility, are there are particular considerations that insured should keep in mind as to valuation provisions under the policy?

Ruiz: The fluctuating value of cryptocurrencies means that a claim under the insurance policy can have very different value to a policyholder, depending on exactly when a claim is made.

It is important to set out an accurate valuation methodology in the policy, which is adapted to the volatility of the crypto market; otherwise, the policyholder may find that they are paying excessive premiums, have insufficient coverage, or that it is difficult to recover the value from the policy.

Some existing crypto asset valuation methodologies include:

• Market value: Basing coverage on the market value of the crypto asset at the time of loss or damage. This approach reflects the true value of assets at the time of their loss.
• Historical cost: Basing coverage on the price at which the assets were acquired. This may result in lower indemnities if the value of the asset has significantly increased since the date of purchase.
• Average value: Basing coverage on the average market value over a specified period, i.e., three years.

When considering appropriate valuation methodologies for the crypto asset, further key points include (i) how frequently the value is updated (i.e., daily or hourly); (ii) identifying which exchange or crypto price feed will be used to measure the value of the asset (e.g., will the price be taken from one specific exchange, or will an average price be calculated across multiple exchanges).

PropertyCasualty360.com: More generally, what kind of information or disclosures is a crypto-asset business likely to have to provide to their insurers?

Hardy: Crypto custodians can expect to be subject to more onerous disclosure requirements than investors, because custodians hold large amounts of crypto assets on behalf of institutional investors, businesses and individual asset-holders, and are consequently responsible for safeguarding potentially billions of pounds worth of assets.

One key point to keep in mind as any type of digital asset policyholder, is that you have communicated any disclosures in a clear way, as there may not yet be a shared understanding of the crypto-asset terminology between the insured and insurer. Therefore, an insured under a crypto policy should aim to feel confident that they have made accurate and clear disclosures, and that both parties are sharing the same understanding.

At a minimum, it is likely that the insured under a digital asset policy would be required to provide the following information on the proposal form:

• Type of crypto-assets: The insurer will want to know which cryptocurrencies (i.e., Litecoin, Ethereum, etc.) are being held or traded, because different assets hold different risk profiles.
• Total value of holdings: The value and quantity of the assets held, in terms of actual value and market value. The fact that the value of crypto assets frequently fluctuates certainly makes it more challenging for an insured (in particular, for example, an exchange) to provide full and accurate disclosures in respect of the value of the assets they hold.
• Storage methods: The insurer will want to know whether the assets are held in cold wallets (offline), hot wallets (i.e., connected to the internet), exchanges, or through custodial services. The risks associated with each storage method can differ.
• Security measures: Details regarding the security measures in place to prevent theft, hacks or unauthorized access of the assets (i.e., encryption, or two-factor authentication) and the extent to which key information resides with only a very limited number of people, thereby giving wide control of events to a very limited few. The insurer may also want to understand the incident response procedures in place, in the event of a fraud incident, or cyberattack.
• Claims/loss history: The insurer will want to know whether the insured has been subject to past breaches, loss of assets or fraud, and will need to provide further details of such losses.

PropertyCasualty360.com: Moving from the insured’s disclosure obligations at inception, to the insured’s notification obligations when making a claim – what kind of information will the insurer expect to be provided with when an insured event takes place and when is the obligation to notify triggered?

Ruiz: What constitutes a “claim” or “potential claim” should be clearly defined in the policy, so that the policyholder fully understands its notification obligations to the insurer.

Under a crypto insurance policy, the right to make a “claim” might be triggered by the hacking of the exchange platforms, theft or fraud of the asset, or negligence by the custodian, for example. The right to notify circumstances which have not yet developed into a claim should be fully understood.

Following an insured event, it is very important that the notification provisions set out in the insurance policy are complied with. It is usually a condition to the insurer’s liability that the notification of the claim is made either within a specified time after the event, or “as soon as reasonably practicable” or “as soon as possible”.

If the policyholder fails to provide timely notice of a claim, then such delay may undermine the insurer’s ability to mitigate damages / investigate the incident, which might result in the potential denial of coverage.

The information provided to the insurer in the case of a cryptocurrency loss would typically include the following:

• The date and time of the incident, as well as mitigating actions taken following the incident;
• The type of incident (i.e., fraud, hacking, system failure);
• The details of assets compromised; and
• Any ongoing investigation (whether by the exchange, or law enforcement, if applicable).

PropertyCasualty360.com: More broadly, what is different about making a claim under a policy for a cryptocurrency loss?

Hardy: The nature of a cryptocurrency loss means that there is often likely to be other ongoing investigation, potentially criminal investigation. A policyholder should be aware that parallel investigations might compromise its own ability to investigate for the purpose of the insurance claim.

A policyholder will need to explain to insurers what, if any constraints, they are subject to in respect of other investigations. In the event of loss, the prudent uninsured should immediately take steps to mitigate further loss, i.e., reporting the potential hack, removing crypto-assets from hot storage and transferring to cold storage, and freezing any accounts.

During the investigation phase, the policyholder is under an obligation to act as a “prudent uninsured”, i.e., taking steps to minimize loss, and avoiding careless or reckless courses of action. In the context of a crypto insurance policyholder, acting as a “prudent uninsured” might look like:

• Opting to store assets safely and limiting the amount of crypto assets stored on exchanges/in hot storage.
• Taking appropriate security measures (i.e., multi-signature schemes, encryption etc.).
• Ongoing monitoring for signs of unusual activity, security breaches or unauthorized access.

See also:

• These states are the most crypto-curious
• Which states see the largest losses from online fraud?
• Court: Commercial general liability policy doesn't cover cyber loss