When the Vietnam-based outfit behind the crypto game Axie Infinity was hacked last month -- hackers stole upward of $625 million in Ethereum from its blockchain, with the FBI now pointing fingers at a North Korean state-sponsored group as the culprit -- questions quickly arose around who, exactly, would make the company's customers whole.
The outfit later said it would use its own balance sheet funds, along with an injection of $150 million in capital led by Binance, to make up the difference. But the episode, along with a newer lawsuit lodged earlier this month against three venture investors in the crypto token exchange Uniswap, has raised questions about who is protected against what in a more decentralized world where web3 startup companies are building atop blockchains like Ethereum and Solana.
Turns out, there aren't a lot of answers -- or products -- right now. (Sorry, everyone.)
In some ways, protecting stakeholders wouldn't require a complete reinvention of what's available today. Venture firms, and individual VCs have long used insurance products to protect themselves from lawsuits that could be filed against them by an unhappy portfolio company or its unhappy customers; colleagues who might sue for harassment or discrimination or wrongful termination; and even from their own limited partners, who may sour on the firm.
The good news for these investors, say insurance experts, is that modern-day coverage is substantial enough in most cases that it should protect them no matter what they are funding.
Meanwhile, startups -- which also shell out for plenty of coverage, including to protect their directors and officers and to bolster them against wire fraud and cybercrime -- are in a much tougher spot. "I do think more of the unique needs around coverage are going to fall to the portfolio companies," says John Wallace, the chief insurance officer of the venture-backed startup Vouch and a veteran of traditional firms like Travelers and Zurich Insurance Group.
Wallace points, as an example, to current crime policies that cover startups for the theft of money and securities and that were largely designed to protect companies against embezzlement and cyber fraud, including a third-party actor trying to steal from the company (as in the case of Axie Infinity).
The problem, he explains, is that the policies "very specifically do not include digital assets, meaning if the hackers had gotten in and stolen cash [from Axie], it would have been squarely covered by a crime policy." Since they didn't, it wasn't.
The challenge for insurers largely ties to the lack of protections that digital assets currently receive from banking regulators. As Wallace explains it, "Some [insurance] markets are open to making some modifications, but I wouldn't say it's mainstream at this point" largely because there is no kind of equivalent to the FDIC or the Securities Investor Protection Corporation (SIPC), which partly protect financial institutions in the event that money deposited in a bank or with a broker-dealer is stolen. "That concept does not yet exist in digital," Wallace says, adding that it's "probably the most common point of interest of web3 companies."
Insurers hoping for protections to emerge could be waiting a while, given the way things are trending. Consider that earlier this month, the FDIC issued a "financial institution letter" (or FIL) that suggests the agency is still evaluating -- and concerned by -- the risk posed by crypto assets and that it wants more information about how the institutions it covers can conduct crypto-related activities in a safe and sound manner.
In the meantime, it's not all bad news for web3 startups, says Chad Nitschke, president of a specialty unit within Vouch. He notes that there are crypto native products that protect crypto assets in the event of theft, even if these are focused on cold wallet storage — meaning cryptocurrency wallets that aren't connected to the internet -- where hacking attempts have been "minimal" compared with so-called warm or hot wallet storage, which are vulnerable to online attacks.
There are also a lot of products that can be strung together to reinforce the coverage that web3 startups already have, says Nitschke. (Naturally, Vouch says it can "custom tailor" solutions for startups.)
As for the very big opportunity to tackle this brave new world, insurers see it, even while they are taking baby steps toward it.
"A whole kind of industry is definitely emerging as it relates to crime that's specific to digital assets," Nitschke says. "The broader insurance industry is pretty slow to move. The incumbents that haven't really developed products for this space. But some of the new entrants are starting to build products. There's more and more going on."