Cryptocurrency has a fundamental impact on the insurance industry given its increasing usage in ransom payments - a trend which is likely to accelerate.
Cryptocurrency dates to 2008, the year in which Bitcoin, a peer-to-peer decentralized electronic cash system, was first unveiled. By 2011, Bitcoin had become synonymous with illicit activity, particularly across online black markets. Since then, crypto as a whole has also emerged as an asset with potential use cases, such as storing financial value. Throughout, cryptocurrencies have increasingly played a role in much of the cyber crime we see today.
In recent years, a noticeable portion of cyber incidents relied on crypto as the prominent financial tool to collect payments from victims of ransomware attacks. Companies of all sizes and across industries have collectively lost billions of dollars due to ransomware attacks. According to Chainalysis, from 2020 through 2021, more than $1 billion (USD) worth of crypto was paid in ransom. The average ransomware payment in 2021 was nearly $120,000, significantly higher than $25,000 just two years prior. This trend will persist, and insurers will increasingly have to account for it.
The unique qualities of crypto and regulatory standards
Understanding the nuances between cryptocurrencies requested as ransom payment is essential for (re)insurers. For example, Bitcoin’s public ledger makes tracing crypto transactions across wallets feasible. On the other hand, transactions using Monero, a privacy coin, hide the amount of crypto requested and the identity of the users.
In the first half of 2021, the Financial Crimes Enforcement Network (FinCEN) reported an increase in ransom demands requesting Monero. Monero is a cheaper alternative to paying in Bitcoin, because criminals often charge an additional premium when Bitcoin is used. The “Bitcoin fee” has ranged from 10% to 25%. This is largely driven by added costs criminals incur to access tools, such as “mixers,” that make it more difficult to track Bitcoin.
(Re)insurers also need to be aware of crypto-related policy and regulatory changes and limitations, which can create added complexity and potential legal liabilities for insurers.
In March, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Companies providing or operating critical infrastructure will be required to report ransom payments within 24 hours of the transaction. The law provides liability protections for companies that submit reports, but noncompliance may result in a civil lawsuit.
In the United States, existing programs that provide reassurance to the insurance industry do not extend to crypto. For example, the Banking Act of 1933 established the Federal Deposit Insurance Corporation (FDIC), which functions as an emergency measure to protect against bank runs or when customers simultaneously withdraw deposits due to concerns of insolvency.
By providing insurance through the FDIC, regulators increased confidence in the legacy financial system, and reduced the risk of moral hazard that insurers faced when deciding whether to provide coverage to banks. Today, the FDIC serves as an insurance backstop that covers dollar-for-dollar, up to $250,000, of depositors’ accounts at insured banks.
However, similar protection does not apply to the cryptocurrencies that companies manage for their customers. Without regulatory clarity or consumer protection programs, the space will continue to face added cyber risks.
Risks from cryptocurrency price volatility
The price volatility in crypto amplifies the difficulties in managing and insuring related cyber risk. For example, a company can fall victim to ransomware when Bitcoin’s price is at $15,000. By the time a victim decides to pay the ransom, Bitcoin may be worth $20,000, and by the time an insurance claim is filed it may have reached $25,000. The (re)insurance industry needs to price risks accordingly to take into account crypto price volatility.
Volatility has been a concern for the industry. In 2019, Lloyd’s of London collaborated with the syndicate Atrium and Coincover, a crypto insurance platform, to offer a liability insurance policy. The policy aimed to provide coverage for cryptocurrency stolen from crypto wallets that are connected to the Internet. A unique feature of the policy was that it offered a limit that changes in tandem with fluctuations in the price of cryptocurrencies.
In addition to ransomware, there has also been an increase in attacks that rely on cryptojacking malware. This type of attack involves cybercriminals seizing control of company assets, such as computers, and deploying cryptomining code. By using a target’s resources, criminals can subsidize the high energy costs of mining crypto often without victims noticing. As a result, companies infected with cryptojacking malware may experience a slower network and an increased churn rate for their devices.
Cryptojacking is less technically demanding than other malware and therefore has a lower barrier to launch. Throughout 2021, SonicWall detected a record 97.1 million attacks involving cryptojacking. A cryptojacking attack can also serve as an entry vector to launch other malware types with more damaging financial impact. Cyber insurance may cover financial losses from cryptojacking, though claim triggers and loss definitions may vary from policy to policy.
As the cryptocurrency ecosystem develops, the associated risks will also continue to change. It is important that insurers take note of how these changes may potentially impact them.
Insurers should expect ransomware attacks to increasingly demand privacy-oriented crypto. As such, the cost-benefit analysis of whether to pay a ransom will vary based on the type of crypto requested and how easily it can be tracked and recovered. Insurers will need to account for the differing losses associated with the technological nuances across cryptocurrencies.
As crypto continues to evolve, so will the threat landscape and the cybersecurity implications for companies with exposure to digital assets. Insurers must make sure they continue to stay abreast of new risks that may have a potential impact on existing portfolios.