The loss from the hack itself is just the tip of the iceberg; there are many other cost exposures.
by Philip Lee Abdullah
Is insurance a vital ingredient for crypto companies?
This is an important question when it comes to risk mitigation. The undeniable fact is that the mentality of most people (well, most decision-making "management" people) runs along these lines: "Nope, it won't happen to my company", "Our security is impenetrable", "Blockchain is un-hackable", or "Who is going to bear the cost of procuring the insurance?".
I would just like to point out that those thoughts are not mitigating factors. They are self-reassuring mantras, not a selling point and not a solution. So when a hack happens, and it will happen, denial of liability and responsibility by the crypto company or its management usually kicks in.
Companies have to understand that assessing potential cyber-attacks is in fact quite a challenge. Hackers are not going to drop you an email to forewarn you: "Hi, we are going to hack you, so you had better be ready." Hacks have been pervasive and dynamic, and hackers' methods are ever changing. With sufficient merit and good incentives, the question for them becomes "why not hack?". You can check out the list of hacks here.
Therefore, I am of the opinion that insurance coverage is indeed an important ingredient for crypto companies. Conventionally, there are two ways of getting coverage. Firstly, by purchasing an insurance programme from a licensed insurer and reinsurer (through a broker's arrangement); secondly, a crypto company can set aside a large amount of cash (this is known as being "self-insured"), but the questions then would be "Will this be enough?" and "What if we need the cash flow?". This will be the topic of discussion in the next post.
To put weight on the importance of having insurance, whether through approved insurer and reinsurer companies and/or self-insurance, companies first need to understand the exposures they will be facing. This boils down to how companies assess their exposures, what their mitigating plan(s) are, and how well those plans can be executed.
How do crypto companies assess their risk exposures?
Most companies assess their exposures qualitatively, and I do not think most crypto companies would be any different, though I stand to be corrected. It is important to note that generalised qualitative risk assessments do not necessarily yield meaningful insight into the potential financial cost of being hacked, nor do they provide any profound guidance for decisions about risk mitigation. Why? Because their number is not up yet. I have observed that only those who were hacked understand this and take sufficient precautions. However, not all companies are graced with a second chance, e.g. Mt. Gox.
[Chart by Chainalysis]
Mitigating plans, and how well can they be executed?
Crypto companies will most probably sweet-talk their clients / users by showing falsified trade data, such as paper / digital profits; placing a few hurdles in the way of withdrawal, such as customer-due-diligence processes, in order to delay it; launching new products and auto-converting "the profits" to be reinvested into the new product; faking server downtime / maintenance; and blaming node syncing delays. All these "mitigating plans" are designed to delay while the company pulls investment from other sources to repay the client who is withdrawing.
The plan above may work if the crypto loss was insignificant and can be replaced internally. If the amount is significant, no crypto company will be able to pull it off; the company will then have to come clean and make a proper announcement.
Most companies assess their exposures wrongly. This is because most companies are busy looking forward through the big windscreen and have forgotten to look at their side mirrors. In other words, they are always looking forward to expansion: more users, more trades, more crypto parked with them and more profit. They have forgotten to look at how to secure the interests of the investors / users and, ultimately, the interests of the company. Let's examine the possible exposures that crypto companies would be facing IF they were hacked.
What are the probable cost exposures lying in store?
The amount of crypto in accounts and wallets is usually the main concern. This is what most crypto companies look at as their 'exposure', or so they think. However, is that all? What about the cost of the computer forensics investigation? This is costly. Based on a quick search, these experts charge USD 200 to USD 300 per hour. How many hours do you think they will need to trace hundreds, thousands or hundreds of thousands of accounts / wallets and transactions? These experts are hired to figure out what happened, exactly when it happened, how it happened and, most importantly, who was involved, and to retrace the whole data breach and the losses. Their tasks also involve preserving, protecting and imaging the evidence (for future use in court; yes, in court, because how else do you think you could recover the crypto you have lost?).
Next, the cost of recovery: bringing in an army of lawyers across different jurisdictions. Crypto companies cater to international users; sad to say, hackers are international too. There are also costs involved in providing proper and comprehensive accounts and audits to officials, as well as in allowing and assisting those officials to investigate.
Costs for public relations officers and liaison: putting out articles, informing customers, handling the whole PR situation, sending notes to and taking notes from the government, the financial intelligence unit, the central bank etc., and placating furious investors / users. These people are really fighting an uphill battle for you, and it will not be cheap.
Costs for hiring lawyers to defend your company: earlier we talked about hiring lawyers to recover the crypto you lost. Now you will need to hire lawyers to defend you as well. If you have clients from the US and/or Canada, your legal fees will rise steeply.
Employees and the operational costs of the company: you can't possibly forget them. These people are the backbone of the company's success (and failure). The company still has to pay their salaries and/or severance packages. And what if the hack originates internally, as an act of revenge or disloyalty? Won't this be an additional cost and/or another type of exposure as well? Then there is the rent on the beautiful office, its facilities, infrastructure and upkeep. You can't possibly dissolve everything overnight, and this too involves operational and running costs.
What about the cost of putting the whole system back online? After going through a hack (or multiple hacks), you cannot possibly think it will be like patching a tyre after hitting a nail. Your system may have to go through a major revamp / upgrade. This will be costly, especially the development, upgrade and improvement work.
Last but not least, the cost of losing your daily profits, which directly affects the returns on investment you promised to the board members and/or stakeholders and/or creditors / venture capitalists. These people supported you financially, and they will be expecting what was promised.
The above is the writer's two cents' worth on the exposures crypto companies are facing. The experts in the insurance industry, i.e. underwriters and/or risk analysts, would be able to provide a more comprehensive list of possible exposures.
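One way to act on the point that a qualitative assessment tells you nothing about the financial cost: the model below, which is an added example and not the author's or any insurer's methodology, takes the cost lines above as low / most likely / high USD ranges, draws Monte Carlo scenarios from them, and reports how often a given self-insurance reserve would fall short. The forensic rate of USD 200 to 300 per hour is the only figure taken from the post; the company profile, every other dollar figure, and all function names are constructed assumptions for illustration.

```python
"""Quantitative hack-exposure model.

Added example, not part of the original post. Each cost line the post lists is
modelled as a triangular (low / most likely / high) USD range, and Monte Carlo
sampling turns those ranges into a total-loss distribution that can be compared
with a self-insurance reserve. The USD 200-300/hour forensic rate comes from the
post; every other number below is a constructed placeholder.
"""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CostLine:
    name: str
    low: float   # optimistic estimate, USD
    mode: float  # most likely estimate, USD
    high: float  # pessimistic estimate, USD

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order
        return rng.triangular(self.low, self.high, self.mode)

    def mean(self) -> float:
        # closed-form mean of a triangular distribution
        return (self.low + self.mode + self.high) / 3.0


def forensics_cost(hours: float, rate_per_hour: float) -> float:
    """Forensic investigation cost: billable hours times the hourly rate."""
    if hours < 0 or rate_per_hour < 0:
        raise ValueError("hours and rate must be non-negative")
    return hours * rate_per_hour


# Hypothetical exposure profile for a mid-sized exchange after a hot-wallet hack.
# Constructed figures; only the 200-300 USD/hour forensic rate is from the post.
# The first line must be the crypto balance at risk (see summarise()).
EXPOSURES: List[CostLine] = [
    CostLine("stolen crypto (hot wallet)", 2_000_000, 5_000_000, 12_000_000),
    CostLine("forensic investigation",
             forensics_cost(400, 200),     # 80,000: quick scoping
             forensics_cost(1_500, 250),   # 375,000: typical case
             forensics_cost(4_000, 300)),  # 1,200,000: thousands of wallets
    CostLine("recovery lawyers, multiple jurisdictions", 150_000, 500_000, 2_000_000),
    CostLine("accounts and audit for regulators", 50_000, 200_000, 600_000),
    CostLine("PR and liaison", 30_000, 120_000, 400_000),
    CostLine("defence lawyers", 100_000, 800_000, 5_000_000),
    CostLine("payroll, severance and office while down", 200_000, 500_000, 1_500_000),
    CostLine("system rebuild / upgrade", 100_000, 400_000, 1_500_000),
    CostLine("lost profit during downtime", 50_000, 300_000, 2_000_000),
]


def simulate_total_loss(exposures: List[CostLine], n: int = 20_000,
                        seed: int = 1) -> List[float]:
    """Draw n independent scenarios; each is the sum of one sample per cost line."""
    rng = random.Random(seed)
    return [sum(line.sample(rng) for line in exposures) for _ in range(n)]


def percentile(samples: List[float], p: float) -> float:
    """Nearest-rank percentile, p in [0, 1]."""
    ordered = sorted(samples)
    idx = min(len(ordered) - 1, int(p * len(ordered)))
    return ordered[idx]


def reserve_shortfall_probability(samples: List[float], reserve: float) -> float:
    """Fraction of scenarios in which the total loss exceeds the reserve."""
    return sum(1 for loss in samples if loss > reserve) / len(samples)


def summarise(exposures: List[CostLine], reserve: float,
              n: int = 20_000, seed: int = 1) -> Dict[str, float]:
    """Compare the crypto-only view of exposure with the full loss distribution."""
    samples = simulate_total_loss(exposures, n, seed)
    return {
        "crypto_only_mean": exposures[0].mean(),
        "total_mean": sum(samples) / len(samples),
        "total_p50": percentile(samples, 0.50),
        "total_p95": percentile(samples, 0.95),
        "shortfall_probability": reserve_shortfall_probability(samples, reserve),
    }


if __name__ == "__main__":
    # A reserve sized only for the "most likely" crypto at risk
    report = summarise(EXPOSURES, reserve=5_000_000)
    for key, value in report.items():
        print(f"{key:>22}: {value:,.2f}")
```

With these placeholder ranges the mean total loss comes out at roughly twice the crypto-only figure, and a reserve equal to the most likely crypto loss is exceeded in almost every scenario, which is the "tip of the iceberg" point in numbers. Replace the ranges with your own estimates (ideally from quotes by forensics firms, counsel and underwriters) before drawing any conclusion about your own reserve.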
In the next post, we will identify crypto companies that are actively seeking coverage, and which insurers / reinsurers are providing such coverage. Also, for crypto companies that truthfully cannot afford coverage, what their next best option would be.
Click here for Part 2.