One of the underwriters behind BitGoâs $100 million cryptocurrency insurance policy has accused the custodian of exaggerating the scope of its coverage by using âambiguous languageâ in public statements.
The controversy boils down to three words. In its February 20 press release, BitGo listed âthird-party hacksâ among the risks covered by a group of 10 Lloydâs of London underwriters.
That was misleading, according to one of the groupâs 10 members, since it implies the policy covered hacks of âhot,â or online wallets. In fact, the policy strictly covers theft or loss of assets kept in âcold storage,â meaning the cryptographic keys are kept offline.
In an email to insurance brokers obtained by CoinDesk, this underwriter said,
â ⦠the BitGo Specie policy absolutely does NOT provide any cover for remote âthird party hacks.â [â¦] Cover is only provided for âstorage mediaâ in secure storage. In other words, there is no cover for any loss of sensitive information (private keys) resulting from the generation, transportation or transaction phases of the private keysâ life cycle.â
As such, the coverage is limited to âhacksâ of âoffline private keys,â requiring the third party to obtain direct physical access to them, noted the underwriter, whose email was shared with CoinDesk on the condition that his company not be identified.
The official went on to describe the language in the announcement as âambiguous,â but added that since his firm did not lead this policy, it had âno say over the language used in the press release.â
When contacted by CoinDesk, BitGo argued it had used clear and specific wording, noting that right before the line about âthird-party hacks,â the press release stated the insurance âcovers digital assets where the offline private keys are held 100% byâ the custodian (emphasis added here). The company also said Lloydâs had reviewed and approved this wording.
BitGo told CoinDesk in a statement,
âWorking with our insurance underwriters, it is understood that a hack in the cold storage context includes unauthorized access or theft of private keys. This refers not only to the hardware but more specifically to the cryptographic series of alphanumeric characters generated, which permits the release of cryptocurrency from a Public Address.â
Due to the nature of digital assets, the inherent threat is the use of a computer, USB device, frequency reader, etc. to hack or breach cold wallet hardware, software, or processes, said BitGo.
âCold storage involves devices and cryptographic keys that are not exposed to online networks removing the threat vector of remote network access, but there are other attack vectors that would involve technology,â it said.
It might be tempting to dismiss the underwriterâs complaints as sour grapes or pedantry. But itâs understandable why an underwriter would be worried about its risks being misconstrued.
Stepping back, specialist insurance policies such as those for crypto are handled by groups of underwriters, known in industry parlance as âtowers.â The lead underwriter, which understands the risk deeply, will offer the first $10 million of losses, say, and then the rest of the capital gets filled out by the other syndicates further up the tower, which will demand a smaller premium.
All this is negotiated at the Lloydâs of London market, which sets rules for conduct among participants.
In the case of the BitGo policy, AMTrust was the lead underwriter and the only one that the company identified when it announced the coverage. The underwriter who wrote the email was one of the syndicates taking on a smaller exposure. (Both Lloydâs and AMTrust declined to comment.)
Itâs also important to remember that crypto insurance is thin on the ground and a large amount of cover for hot wallets, which are typically the target of third-party hacks, is especially hard to come by.
Some large exchanges simply hold disaster funds of bitcoin to cover these losses themselves. According to insurance industry sources, there is a stark disparity in premiums depending on whether the crypto being insured is in a hot or cold wallet â the hot ones carrying the more expensive price tag.
Hence, if anyone who read BitGoâs announcement had incorrectly inferred that âthird-party hacksâ meant hot wallet coverage, as the underwriter feared, they might draw unrealistic conclusions about the market.
âAs a public relations event, the press release may have been a success, but there is certainly nothing newsworthy with respect to the scope of the cover,â said Jerry Pluard, the president of Safe Deposit Box Insurance Coverage, an insurance broker in the Chicago area who arranges crypto policies for custodians.
The underwriter said in his email he would meet with Lloydâs âin an attempt to obtain some consistency in their approach to media communications going forward,â concluding:
âAt the end of the day a responsible and clear press release would benefit not only the crypto industry but Lloydâs as well.â
BitGo CEO Mike Belshe image via CoinDesk archives
