Underwriter Claims Crypto Custodian BitGo Exaggerated Insurance Coverage

An underwriter of BitGo’s $100 million crypto insurance policy says the custodian described it in a misleading way.

AccessTimeIconMar 5, 2019 at 8:10 a.m. UTC
Updated May 9, 2023 at 3:03 a.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

One of the underwriters behind BitGo’s $100 million cryptocurrency insurance policy has accused the custodian of exaggerating the scope of its coverage by using “ambiguous language” in public statements.

The controversy boils down to three words. In its February 20 press release, BitGo listed “third-party hacks” among the risks covered by a group of 10 Lloyd’s of London underwriters.

  • Could Chainlink Be the Driver for DeFi’s Growth? Bank of America Thinks So
    05:07
    Could Chainlink Be the Driver for DeFi’s Growth? Bank of America Thinks So
  • Should Government Be in the Business of Issuing Stablecoin Insurance?
    07:12
    Should Government Be in the Business of Issuing Stablecoin Insurance?
  • You Can Soon Pay for Car Insurance With Bitcoin
    07:57
    You Can Soon Pay for Car Insurance With Bitcoin
  • That was misleading, according to one of the group’s 10 members, since it implies the policy covered hacks of “hot,” or online wallets. In fact, the policy strictly covers theft or loss of assets kept in “cold storage,” meaning the cryptographic keys are kept offline.

    In an email to insurance brokers obtained by CoinDesk, this underwriter said,

    “ ... the BitGo Specie policy absolutely does NOT provide any cover for remote ‘third party hacks.’ [...] Cover is only provided for ‘storage media’ in secure storage. In other words, there is no cover for any loss of sensitive information (private keys) resulting from the generation, transportation or transaction phases of the private keys’ life cycle.”

    As such, the coverage is limited to “hacks” of “offline private keys,” requiring the third party to obtain direct physical access to them, noted the underwriter, whose email was shared with CoinDesk on the condition that his company not be identified.

    The official went on to describe the language in the announcement as “ambiguous,” but added that since his firm did not lead this policy, it had “no say over the language used in the press release.”

    When contacted by CoinDesk, BitGo argued it had used clear and specific wording, noting that right before the line about “third-party hacks,” the press release stated the insurance “covers digital assets where the offline private keys are held 100% by” the custodian (emphasis added here). The company also said Lloyd’s had reviewed and approved this wording.

    BitGo told CoinDesk in a statement,

    “Working with our insurance underwriters, it is understood that a hack in the cold storage context includes unauthorized access or theft of private keys. This refers not only to the hardware but more specifically to the cryptographic series of alphanumeric characters generated, which permits the release of cryptocurrency from a Public Address.”

    Due to the nature of digital assets, the inherent threat is the use of a computer, USB device, frequency reader, etc. to hack or breach cold wallet hardware, software, or processes, said BitGo.

    “Cold storage involves devices and cryptographic keys that are not exposed to online networks removing the threat vector of remote network access, but there are other attack vectors that would involve technology,” it said.

    More than semantic

    It might be tempting to dismiss the underwriter's complaints as sour grapes or pedantry. But it’s understandable why an underwriter would be worried about its risks being misconstrued.

    Stepping back, specialist insurance policies such as those for crypto are handled by groups of underwriters, known in industry parlance as “towers.” The lead underwriter, which understands the risk deeply, will offer the first $10 million of losses, say, and then the rest of the capital gets filled out by the other syndicates further up the tower, which will demand a smaller premium.

    All this is negotiated at the Lloyd's of London market, which sets rules for conduct among participants.

    In the case of the BitGo policy, AMTrust was the lead underwriter and the only one that the company identified when it announced the coverage. The underwriter who wrote the email was one of the syndicates taking on a smaller exposure. (Both Lloyd’s and AMTrust declined to comment.)

    It’s also important to remember that crypto insurance is thin on the ground and a large amount of cover for hot wallets, which are typically the target of third-party hacks, is especially hard to come by.

    Some large exchanges simply hold disaster funds of bitcoin to cover these losses themselves. According to insurance industry sources, there is a stark disparity in premiums depending on whether the crypto being insured is in a hot or cold wallet – the hot ones carrying the more expensive price tag.

    Hence, if anyone who read BitGo’s announcement had incorrectly inferred that “third-party hacks” meant hot wallet coverage, as the underwriter feared, they might draw unrealistic conclusions about the market.

    "As a public relations event, the press release may have been a success, but there is certainly nothing newsworthy with respect to the scope of the cover," said Jerry Pluard, the president of Safe Deposit Box Insurance Coverage, an insurance broker in the Chicago area who arranges crypto policies for custodians.

    The underwriter said in his email he would meet with Lloyd’s “in an attempt to obtain some consistency in their approach to media communications going forward,” concluding:

    “At the end of the day a responsible and clear press release would benefit not only the crypto industry but Lloyd’s as well.”

    BitGo CEO Mike Belshe image via CoinDesk archives

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.