Protecting against crime and cyber liability
Cryptocurrency storage insurance – a new chapter in the recognition of crypto assets?
Gerald Fenech speaks with Dustin Hull, Director of Financial Planning & Analysis at SALT.
With cryptocurrency becoming a household name of late, notwithstanding the crash in market prices, there appear to be substantial efforts on the horizon to make this asset safer and more reliable.
Some companies rely on a third-party custodian to store their customers’ assets. If the custodian has an insurance policy that extends to its clients, it’s important to understand the policy and what it means for your assets. Rather than offering a specific coverage limit to each client, the pool of clients shares a coverage limit. This means that while the policy holder is insured, your personal assets might not be.
The reality is that in this case, insurance coverage is contingent on two factors: the total value of the assets held on the platform and the client that makes the insurance claim first. A coverage limit shared by multiple clients of the policy holder likely does not equate to the total value of assets held on the platform to which the coverage limit applies. So, depending on how many assets are on the platform and how many clients share the coverage limit, maybe a percentage of your assets held on that platform would be covered in the event of theft or fraud, or maybe none of them would be.
Additionally, because the coverage limit applies to all of the assets held on the platform and is not per client, one client may experience loss or theft of their customers’ assets, make a claim to the insurance provider, and max out the insurance coverage, leaving the remaining clients under that policy with no coverage at all.
I spoke to Dustin Hull, Director of Financial Planning & Analysis at SALT. The company is currently offering two products in the crypto insurance space. These plans are designed to protect against Crime and Cyber Liability.
One aspect of the plans is what insurers term ‘Cold Storage’, where cryptocurrencies are stored for the longer term.
“Cold Storage is a critical security component for cryptocurrency companies looking to insure large long-term stores of digital assets with crime insurance, which secures assets against theft. SALT qualified for crime insurance through the secure design of its proprietary cold storage system. As soon as a user deposits collateral for a loan on SALT’s platform, the funds never pass through a hot wallet; they are transferred directly into cold storage. This provides minimal attack surface for stealing funds because once the client’s keys are in cold storage, they are no longer online and can only be accessed physically”, Hull explained.
According to Hull, while other crypto companies may hold cyber liability insurance, few of them succeed in explaining what the policy actually covers. While the policy protects the policyholder from the majority of incidents the public would call “a hack”, it doesn’t actually cover digital assets. However, these two policies, crime insurance and cyber liability insurance, make up a complete and comprehensive insurance program, which is important for institutions and individuals to see and understand in order for the industry to gain greater confidence in the safekeeping of digital assets.
The industry needs to educate itself about the nuances of insurance requirements in order to establish safe practices and norms that take into account the totality of attack vectors, while working closely with underwriters to ensure a mutual understanding of the evolving security landscape and the corresponding coverage, Hull added.
“SALT’s insurance covers 100% of members’ assets held in its cold storage. Because contracts only cover a 12-month period, coverage needs to be renewed each year. The key point to understand is that at any time during that period, the policy holder can secure additional insurance coverage or “excess coverage.” This enables the policy holder to make sure that its coverage limit is always greater than or equal to the total value of assets held on its platform. In order to insure 100% coverage of customer assets, it’s important for the policy holder to maintain risk-management protocols, track customer assets, and apply for excess coverage at the appropriate time”, Hull concluded.
What does the safekeeping process entail?
Cold Storage: holds all collateral assets in deep cold storage, which means the private keys are generated offline, stored offline, and transaction signing happens completely offline. The private keys for your SALT Wallet have never been and will never be exposed to a network-connected device. The moment you move your assets onto our platform, they are immediately held in cold storage (they do not pass through a hot wallet) and are promptly insured by our policy.
Multi-Signature Process: SALT employs a multi-signature process, which means that multiple signers are required to authorise every transaction.
Bottom line: SALT’s deep cold storage drastically reduces risks related to cyber-attacks and eliminates the viability of internet-based threats. Also, unlike other companies that enable private keys to be maintained by a single person, our multi-signature process ensures they can never be mishandled or lost by any one individual, nor by five or six of them.
What are SALT’s insurance policies?
SALT has two new and improved insurance policies:
Cyber Liability Insurance is not directly related to coverage of your crypto assets, but rather protects SALT as a company in the event of third-party hacks or cyber threats.
Crime Insurance protects your digital assets held in cold storage on our platform in the event of theft or fraud.
Terms to Know:
Theft is defined as employee theft, including premises robbery/theft/damage, or during transit and in custody of authorised employee.
Fraud is identified in two key ways:
Computer fraud is defined as intentional taking of property (e.g. digital assets or private keys) through fraudulent accessing of computer systems, insertion of fraudulent data or instructions (e.g. virus), or fraudulent alteration of data, program or routines.
Funds transfer fraud is defined as fraudulent instructions made to debit account of digital assets on the Insured’s computer system