In the mid to late 1990s, the insurance industry was struggling with “the Y2k crisis”, not only in connection with its own systems, but more importantly, with the systems of all their policyholders. As the Chief Underwriting Officer of one of the largest subsidiaries of one of the largest insurance companies in the world, AIG, it was my task to determine our potential exposure if the computer systems of our policyholders failed. My conclusion: hundreds of millions dollars of potential liability payouts. This was the insurance industry’s first introduction to the hazards of insuring technology. To reduce that exposure, we had to figure out a way to motivate our corporate policyholders to take reasonable steps to manage their Y2k problem. Since one of the central purposes of an insurance policy is to motivate specific risk reducing behavior, such as wearing a seat beat, the question became how to apply that rule to motivate risk reduction behavior in connection with the impending “date configuration” problem. So we created “Y2k insurance”, and made it available only to those companies who took the right steps to reduce their exposure.
Well, the Y2k crisis came and went and the insurance industry was relatively unscathed. Whether the introduction of a new insurance product helped, we will never know. What we do know, is that the Y2k experience inspired the insurance industry to contemplate other technology risks we might insure. This being the year 2000, the answer to this question was immediately clear: The Internet. Many of us realized that the Internet presented a permanent change in the sociological and economic system; that life would never be the same. But how does one insure a new technology and a completely new way of conducting business?
It was a scary thing to contemplate. Fundamental to the insurance business is an analysis of historical actuarial information about frequency and severity of loss. We have decades of data on automobile accidents, broken down in every way imaginable. But how do you determine the right premium for a risk that has never before existed?
For most carriers, the answer was “you don’t”. But for a very special few, a different response emerged. A response that arose from a different culture—a risk taking culture. A culture of innovation. “Cyber Insurance” was thus born.
“There are over 100,000 bitcoin transactions happening every day. Today, over 80,000 of companies accept bitcoins as a form of payment for their goods and services”
It took a while, but eventually we became comfortable with underwriting the frequency and severity of potential cyber attacks against our policy holders’ computer systems. Today, 15 years later, cyber insurance is a robust $1.3 billion industry with over 45 carriers providing some type of cyber insurance. And, despite the almost daily reports of cyber attacks, the industry is somehow making enough money to stick around.
Once again the insurance industry is faced with a new risk in the technology space. Once again the global economy is being transformed with a new way of conducting transactions. And, once again, the insurance industry is faced with a dilemma: Do we ignore this new risk or face it head on? There are over 8 million bitcoin “wallets” in existence today, and this is expected increase to 12 million by the end of year. The total value of bitcoins worldwide, expressed in terms of US dollars is around 4 billion dollars. There are over 100,000 bitcoin transactions happening every day. Over 80,000 companies, from Microsoft to Dell to Expedia.com accept bitcoins as a form of payment for their goods and services. But how do you insure bitcoins? More specifically, how do you insure the theft of the electronic private keys that are used to access bitcoins? A smart insurer realizes that such a task is an exercise in both the familiar and the foreign. A private key is, after all, an electronic file. In many ways, the policies and procedures used in the network security space to protect any computer system holding any file are the same as those used to protect an electronic private key file. Equally true is the fact that a good portion of private keys are stored in “cold storage”, meaning that they are not held it a computer which has access to the Internet. Some are actually stored in a bank vault. Storing valuables in a bank vault is also a well-understood risk and insurable. Finally, many companies who would be interested in purchasing Bitcoin Theft Insurance are themselves technology providers. Insurance for technology companies has existed for some time.
However that’s where the analogy ends and things begin to become difficult. First, the “cyber” insurance policies provided today actually do not insure the intrinsic value of the electronic file stolen. The policies do not cover the “value” of a social security number, for example. Furthermore, best practices in the securing of private keys in “hot storage” (computers connected to the Internet), rely upon the multisig, or multiple signature, technology, something with which insurance underwriters are generally unfamiliar.
At best, underwriting the theft of bitcoins requires coordination of multiple underwriting departments within an insurance company. More likely, it means creating new underwriting techniques and protocols. Will the insurance industry be able to respond to the call? The insurance industry historically has not been known for innovation. So, how will we respond when it is faced with a new and potentially important risk, for which there is no historical actuarial data? Do we run away or do we embrace a new need and a new opportunity as we did 15 years ago?
Only time will tell. However, in February 2015 one company successfully designed the first true Bitcoin Theft Insurance policy along with a global “A” rated insurance carrier for the benefit of BitGo, Inc., a leader of multi-sig technology. Will this policy be the first and only of its kind? So, like cyber insurance of 15 years ago, will we be only the first of hundreds of thousands of “Bitcoin theft” policies. Only time will tell.