Crypto Insurance: What Web3 Firms Must Know
Most Web3 firms either assume crypto insurance does not exist, is unaffordable, or is irrelevant to their risk profile. That assumption is wrong on all three counts, and it leaves organisations exposed to catastrophic uninsured losses at exactly the moment they can least afford them. This guide covers what crypto insurance actually is, what underwriters require before they will write a policy, where coverage ends, and how to embed it correctly within a broader operational security framework.
Why Insurance Is Misunderstood in Web3
The crypto industry has lost over $10 billion to hacks, exploits, and custodial failures in the past five years. A significant proportion of those losses were uninsured, not because insurance was unavailable, but because firms had never pursued it seriously. Three misconceptions drive this gap.
The first is that crypto insurance does not exist at commercial scale. This has not been true since roughly 2019. Lloyd's of London syndicates, specialist brokers such as Aon, Marsh, and Lockton, and dedicated digital asset underwriters now write policies covering a meaningful range of crypto-specific risks. The market is smaller and more expensive than traditional cyber insurance, but it exists.
The second misconception is that insurance is too expensive to justify. Premiums are higher than legacy financial services, but they are not uniformly prohibitive. A firm with demonstrably strong security controls, clear custody procedures, and independent audit history can obtain coverage at substantially better rates than one that cannot evidence those controls. The cost of insurance, properly understood, is a function of the quality of your security programme.
The third, and most dangerous, misconception is that insurance is irrelevant because "we are secure." Security controls reduce the probability of a loss event. Insurance addresses the residual risk that remains after controls are in place. No security programme eliminates risk to zero. The firms that suffer the most catastrophic uninsured losses are those that confused high confidence in their security with a complete absence of residual risk.
The connection is direct: operational risk management frameworks treat insurance as a risk transfer mechanism, one of four standard risk responses alongside avoidance, reduction, and acceptance. Omitting it from the framework is not a conservative position; it is an incomplete one.
What Crypto Insurance Actually Covers
Crypto insurance is not a single product. It is a category of coverages, each addressing a different risk vector. Understanding which product addresses which exposure is the starting point for any procurement exercise.
Custodial Asset Coverage
Custodial asset coverage is the most commonly discussed form of crypto insurance. It covers the loss of digital assets held in custody due to theft by external parties, including cyber intrusion and physical theft of key material. This coverage is typically written separately for hot wallets and cold storage, with very different premium rates and conditions for each. Hot wallet coverage is significantly more expensive due to internet exposure, and most policies cap the proportion of total assets that may be held in hot wallets at any given time, often between 2% and 5%.
Cold storage coverage is generally cheaper but comes with stringent conditions around how keys are stored, whether hardware security modules are used, and how access to key material is governed. A failure to follow documented cold storage procedures at the time of a loss is one of the most common grounds for claim denial.
Crime Coverage
Crime coverage addresses losses arising from dishonest acts by employees or third parties. In the context of digital assets, this typically includes internal theft by staff, social engineering attacks that result in fraudulent transfers, and losses arising from impersonation of authorised personnel. The Lazarus Group's sustained focus on social engineering attacks against exchange and bridge operators illustrates exactly why this coverage is relevant: the technical attack often only succeeds after a human failure.
Crime policies frequently require firms to demonstrate that adequate segregation of duties was in place at the time of loss. If a single employee could initiate and approve a large transfer, the insurer may argue the firm failed to maintain conditions precedent to coverage.
Cyber Liability
Cyber liability insurance covers the costs arising from a security breach rather than the direct asset loss itself. This includes legal fees, regulatory notification costs, incident response expenses, and third-party liability where a breach exposes customer data or results in losses to counterparties. For Web3 firms that also handle personal data as part of KYC or onboarding processes, cyber liability is distinct from and complementary to custodial asset coverage.
Directors and Officers (D&O) Liability
Directors and officers liability coverage has become increasingly relevant as enforcement actions against crypto firm leadership have grown. D&O covers the personal liability of executives and board members for decisions made in their official capacity. A regulatory action following a security failure, or civil litigation from investors following an uninsured hack, could generate D&O claims independent of any asset recovery.
What Is Explicitly Excluded
Understanding exclusions is as important as understanding coverage. Standard crypto insurance policies typically exclude: losses arising from smart contract bugs or protocol-level exploits; losses due to market price movements; losses from rug pulls or protocol governance attacks; and losses attributable to the firm's own gross negligence where documented security procedures were not followed. The last exclusion is the one that operationally matters most, because it directly ties coverage to the quality of your security programme.
Insurance does not replace security controls. It prices them. A poor security programme does not become acceptable because a policy exists; the policy simply will not pay when it matters most.
What Underwriters Require From You
The underwriting process for crypto insurance has matured considerably. Modern digital asset underwriters conduct assessments that closely resemble enterprise security audits. Understanding what they look for allows you to prepare, and more importantly, to identify gaps in your security programme before an insurer does.
Independent Security Audits
Most underwriters require evidence of at least one recent independent security audit. For custodial businesses, this means a technical assessment of the custody infrastructure. For DeFi-adjacent firms, smart contract audit reports from reputable firms are expected, though smart contract risk itself is typically not covered under traditional policies. Audits must be conducted by genuinely independent third parties; internal reviews or assessments by affiliated entities are generally not accepted.
Hardware Security Modules and Key Management
Underwriters scrutinise key management practices closely. The use of hardware security modules for cryptographic operations is increasingly a standard requirement rather than a differentiator. Policies for firms not using HSMs are either unavailable or written with materially higher premiums and lower coverage limits. The insurer's concern is straightforward: if private keys can be extracted from software or commodity hardware, the attack surface is too broad to price predictably.
Multi-Signature Controls
Multi-signature wallet configurations, where multiple keyholders must approve a transaction before it executes, are a near-universal underwriting requirement for custodial asset coverage. Underwriters will ask for the specific quorum structure (e.g. 3-of-5), the geographical and organisational distribution of keyholders, and the process for key ceremony and key refresh. A multi-sig that nominally exists but is operated by co-located employees within the same reporting line provides limited risk reduction, and underwriters are sophisticated enough to identify this.
Access Controls and Privileged Access Management
Documented access control policies and evidence that they are actively enforced are standard requirements. This includes least-privilege access principles, regular access reviews, and the revocation of access for departing employees. Privileged access management for systems involved in key operations is specifically examined, because compromised privileged credentials represent the most direct path to a large-scale custodial loss.
Business Continuity and Incident Response
Underwriters also assess organisational resilience. A documented and tested incident response plan, aligned with a business continuity planning framework, signals that a firm has considered how it would respond to and contain a loss event. From the insurer's perspective, a firm that can contain and limit a breach is a better risk than one with no documented response capability.
Staff Training and Security Culture
Social engineering remains the most prevalent attack vector against crypto firms. Underwriters increasingly require evidence of regular staff security awareness training, phishing simulation programmes, and clear procedures governing communications channels used for authorising transactions. The absence of these controls is a material underwriting concern, particularly in the context of crime coverage.
Why Claims Fail: Operational Failures and Voided Coverage
The relationship between operational security failures and insurance claim denials is one of the most important and least understood aspects of crypto insurance. The assumption that a valid policy will always result in a paid claim if a loss occurs is incorrect. Policies contain conditions precedent, representations, and warranties that must be maintained throughout the policy period, not merely at inception.
Failure to Follow Documented Procedures
The most common ground for claim denial is the insured's failure to follow its own documented security procedures at the time of loss. If a firm's policy documents a 3-of-5 multi-sig requirement for transfers above a certain threshold, but a loss occurred because that threshold was bypassed, the insurer has grounds to deny the claim on the basis that coverage conditions were not met. This is not a technicality: it is the insurer demonstrating that the risk they priced was not the risk that actually existed at the time of loss.
This dynamic appeared in several post-mortems following major exchange and bridge exploits. In multiple cases, documented procedures for transaction approval or access control had been informally relaxed over time, often to reduce operational friction, without any formal policy update or risk acceptance. The controls existed on paper but not in practice, and that gap was determinative.
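The drift described above, and the quorum, reporting-line and hot-wallet conditions underwriters ask about earlier in this guide, can be checked continuously rather than reconstructed after a loss. The following is an added example, not code from any insurer or broker: it encodes a documented custody policy (3-of-5 quorum, approvers from at least two reporting lines, initiator never an approver, hot-wallet cap) and reports every transfer that was processed outside it. All names, thresholds and transfers are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Approval:
    signer: str
    org_unit: str   # reporting line the keyholder sits in


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    amount: Decimal
    initiator: str
    approvals: tuple   # tuple of Approval


@dataclass(frozen=True)
class CustodyPolicy:
    """The documented conditions an underwriter would expect to see evidenced."""
    large_transfer_threshold: Decimal   # transfers above this need the full quorum
    quorum_m: int                       # e.g. 3 in a 3-of-5 multi-sig
    quorum_n: int
    min_distinct_org_units: int         # approvers must span this many reporting lines
    hot_wallet_cap_pct: Decimal         # maximum share of assets held in hot wallets


def check_transfer(policy: CustodyPolicy, tx: Transfer, keyholders: frozenset) -> list:
    """Return the policy deviations for one transfer (empty list means compliant)."""
    findings = []
    if tx.amount <= policy.large_transfer_threshold:
        return findings   # below threshold: the documented quorum does not apply
    # Only approvals from the documented keyholder set count towards the quorum.
    valid = [a for a in tx.approvals if a.signer in keyholders]
    signers = {a.signer for a in valid}   # de-duplicate repeated approvals
    if len(signers) < policy.quorum_m:
        findings.append(f"{tx.tx_id}: {len(signers)} distinct approvals, policy "
                        f"requires {policy.quorum_m}-of-{policy.quorum_n}")
    units = {a.org_unit for a in valid}
    if len(units) < policy.min_distinct_org_units:
        findings.append(f"{tx.tx_id}: approvers span {len(units)} reporting line(s), "
                        f"policy requires {policy.min_distinct_org_units}")
    if tx.initiator in signers:
        findings.append(f"{tx.tx_id}: initiator {tx.initiator} also approved "
                        "(segregation of duties)")
    return findings


def check_hot_wallet_exposure(policy: CustodyPolicy, hot: Decimal, total: Decimal) -> list:
    """Flag a hot-wallet balance above the documented cap."""
    if total <= 0:
        return []
    share = hot * 100 / total
    if share > policy.hot_wallet_cap_pct:
        return [f"hot wallet share {share:.1f}% exceeds cap of {policy.hot_wallet_cap_pct}%"]
    return []


def audit(policy, transfers, keyholders, hot, total) -> list:
    """Run every check and return the combined list of deviations."""
    findings = []
    for tx in transfers:
        findings.extend(check_transfer(policy, tx, keyholders))
    findings.extend(check_hot_wallet_exposure(policy, hot, total))
    return findings


# Constructed sample data (hypothetical firm): 3-of-5 quorum above 100 units, 5% hot cap.
SAMPLE_POLICY = CustodyPolicy(Decimal("100"), 3, 5, 2, Decimal("5"))
KEYHOLDERS = frozenset({"alice", "bob", "carol", "dave", "erin"})
SAMPLE_TRANSFERS = (
    Transfer("tx-1", Decimal("40"), "alice", (Approval("bob", "treasury"),)),
    Transfer("tx-2", Decimal("500"), "frank", (Approval("alice", "treasury"),
             Approval("bob", "treasury"), Approval("carol", "engineering"))),
    # Quorum informally relaxed: two co-located approvers, one of them the initiator,
    # plus a signature from someone who is not a documented keyholder.
    Transfer("tx-3", Decimal("500"), "alice", (Approval("alice", "treasury"),
             Approval("bob", "treasury"), Approval("mallory", "treasury"))),
)
HOT_BALANCE, TOTAL_BALANCE = Decimal("6"), Decimal("100")

if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY, SAMPLE_TRANSFERS, KEYHOLDERS, HOT_BALANCE, TOTAL_BALANCE):
        print(line)
```

Every line this prints is a gap between the policy as documented to the underwriter and the policy as practised, which is exactly the evidence an insurer would use at claim time.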
Undisclosed Vulnerabilities
Insurance contracts require full disclosure of material facts. A firm that knows of a significant security vulnerability and fails to disclose it to its insurer before a loss related to that vulnerability is exposed to having the policy voided entirely. This is distinct from simply having unpatched vulnerabilities: it applies specifically to known, unmitigated material risks that a reasonable underwriter would consider relevant to pricing the policy.
Scope of Loss Outside Coverage
Many firms discover at claim time that the specific nature of their loss falls outside their coverage. A firm with custodial asset coverage that suffers a loss due to a smart contract exploit finds that the policy does not respond, because smart contract risk was excluded. A firm with cyber liability coverage that suffers a direct asset theft finds that the policy covers breach notification costs but not the stolen assets themselves. Clear-eyed analysis of coverage scope before a loss occurs, ideally with independent legal review of policy wording, is essential.
Insolvency of the Insurer or Syndicate
This risk applies disproportionately to smaller or newer entrants to the crypto insurance market. The Lloyd's of London market has a central fund backstop that provides a degree of protection; policies written by standalone insurers or captives without equivalent financial strength offer lower counterparty security. Due diligence on the financial stability of the insurer is part of the procurement process.
How to Procure Crypto Insurance
Crypto insurance procurement is not a commodity process. The market is specialist, and access to underwriters typically requires working through a broker with existing relationships in the digital asset insurance space.
The Lloyd's Market
Lloyd's of London is the single largest market for digital asset insurance. Multiple syndicates at Lloyd's write crypto-related coverage, and the market has grown materially since 2019. Access to Lloyd's syndicates is through Lloyd's-accredited brokers; retail brokers without Lloyd's market access cannot place business there. For a Web3 firm seeking custodial asset coverage at meaningful limits, Lloyd's is typically the primary market.
Specialist Brokers
The brokers with the most developed crypto insurance practices include Aon, Marsh, Lockton, and several boutique specialists that focus exclusively on digital assets. A specialist broker does more than place the policy: they help structure the submission, identify which syndicates and underwriters are most likely to write the risk, and negotiate terms on the firm's behalf. Approaching the market without a specialist broker almost always results in worse terms and narrower coverage than working through one.
The Submission Process
A standard insurance submission for a crypto firm includes: a description of the business and its activities; assets under custody or management; the technical architecture of the custody system; copies of recent security audit reports; documentation of key management procedures including HSM usage and multi-sig configuration; access control policies; incident response plans; and staff training records. Preparing a well-structured submission that clearly evidences security maturity significantly accelerates the underwriting process and typically improves terms.
Policy Review and Legal Counsel
Policy wording in the crypto insurance market is not yet standardised, unlike many mature insurance lines. Exclusions, conditions precedent, and definitions vary materially between insurers. Independent legal review of policy wording before binding coverage is not optional for any firm holding significant assets in custody. The cost of review is trivial relative to the potential impact of discovering a critical exclusion at claim time.
On-Chain Insurance Protocols vs Traditional Products
The emergence of on-chain insurance protocols has created an alternative risk transfer market that operates entirely outside traditional insurance structures. The two most established are Nexus Mutual and Sherlock; both focus primarily on smart contract risk, which is the coverage category most consistently excluded from traditional policies.
Nexus Mutual
Nexus Mutual is a discretionary mutual, governed by its members, that provides cover against smart contract failures and, to a limited degree, custodial exchange hacks. Claims are assessed by a decentralised governance process involving NXM token holders. Coverage is purchased in ETH and is available for specific protocol addresses. The discretionary nature of the claims process means payouts are not guaranteed by contract in the way traditional insurance policies are; they depend on member governance decisions. Nexus Mutual has paid out material claims, including following the Yearn Finance v1 exploit and several other DeFi losses, which provides some evidence of the mechanism functioning as intended.
Sherlock
Sherlock combines smart contract audit services with coverage backed by a staking pool of capital. Protocols that use Sherlock's audit service can purchase parametric coverage tied to the audit scope. Payouts are determined by a Watsons claims process and are backed by the staking pool rather than a mutual governance vote. The model is distinct from traditional insurance and from Nexus Mutual in that it directly links the quality of the audit to the terms and availability of coverage.
Complementary, Not Interchangeable
Traditional insurance and on-chain protocols cover fundamentally different risk categories. Traditional insurance addresses custodial, crime, cyber, and D&O risks. On-chain protocols address smart contract failure risk. A comprehensive risk transfer strategy for a Web3 firm with both custody operations and on-chain protocol exposure will typically require elements of both. Treating them as alternatives rather than complements leaves gaps in coverage.
The PPT Framework and Where Insurance Fits
The People, Process, Technology (PPT) framework provides a useful structure for understanding the correct role of insurance in an operational security programme. Each dimension contributes to reducing the probability and impact of a security failure. Insurance operates at the intersection of all three, but it is not a substitute for any of them.
People
Human factors drive the majority of security failures in crypto organisations, through social engineering, insider threat, and procedural non-compliance. Insurance addresses some of the financial consequence of these failures through crime coverage, but it does not reduce their probability. Investment in staff training, security culture, background verification, and insider threat programmes reduces the frequency of loss events that insurance would otherwise have to absorb.
Process
Documented and enforced security processes are simultaneously the primary mechanism for preventing losses and the primary basis on which insurance claims are assessed. An insurer examining a claim will reconstruct what procedures existed and whether they were followed. Robust processes serve the dual purpose of reducing losses and preserving the firm's right to recover from insurance when a loss does occur despite those processes. Process failure is the single most common reason a valid insurance policy fails to respond to a real loss.
Technology
Technical controls, including HSM usage, multi-sig wallet architecture, network segmentation, and monitoring systems, provide the evidence base that underwriters use to assess the quality of a firm's risk profile. A firm with strong technical controls can demonstrate to underwriters, concretely and verifiably, that its risk profile is lower than a comparable firm without them. This translates directly into better coverage terms and lower premiums.
Insurance sits outside the PPT framework as a financial instrument that transfers residual risk to a third party after all available risk reduction measures have been applied. Its correct position in an operational risk management framework is as the last line of financial defence, not the first.
Governance as the Enabling Layer
None of the PPT elements deliver their intended risk reduction without governance to mandate, monitor, and enforce them. The same is true of insurance: policy conditions require that controls remain in place throughout the policy period. A governance framework that includes regular review of insurance conditions, updates to coverage as the business evolves, and clear ownership of the insurance relationship within the security and finance functions is essential to maintaining coverage that will actually respond when needed.
Practical Recommendations
For any Web3 firm holding digital assets in custody or operating a protocol with meaningful total value locked, the practical path forward has several clear steps. First, engage a specialist insurance broker to understand what coverage is currently available for your specific risk profile. Second, conduct a gap analysis between your current security posture and the baseline requirements underwriters will impose. Third, use that gap analysis to prioritise security investments, because improving your security posture and improving your insurability are the same exercise. Fourth, treat policy wording review as a legal matter requiring independent counsel. Fifth, establish internal governance to maintain coverage conditions on an ongoing basis rather than treating insurance as a one-time procurement event.
Insurance is not a magic backstop that makes security investment optional. It is a financial instrument that works correctly only when the security programme it is designed to complement is functioning as documented. The firms that procure crypto insurance and then suffer an uninsured loss are not victims of bad luck: they are the result of treating insurance and security as separate concerns rather than an integrated system.
Frequently Asked Questions
What does crypto insurance actually cover?
Crypto insurance can cover custodial asset loss (hot and cold wallet theft), crime coverage (employee dishonesty, third-party fraud), cyber liability (costs from a breach including notification and legal fees), and directors and officers (D&O) liability. Coverage scope varies significantly between insurers and policies, and most policies exclude losses from smart contract bugs, protocol-level exploits, and market volatility.
What do insurers require before they will cover a crypto firm?
Insurers typically require evidence of independent security audits, hardware security module (HSM) usage for key management, multi-signature approval processes for large transfers, documented access control policies, segregation of hot and cold wallets, and staff security training programmes. The underwriting process increasingly mirrors enterprise cyber security assessments.
Why might a crypto insurance claim be denied?
Claims are frequently denied due to operational failures that voided coverage conditions, including failure to follow documented custody procedures, inadequate multi-sig quorum controls at the time of loss, undisclosed security vulnerabilities, or losses falling under excluded categories such as protocol exploits, rug pulls, or market crashes. Policy conditions must be maintained continuously, not just at underwriting.
What is the difference between traditional crypto insurance and on-chain insurance protocols?
Traditional crypto insurance is underwritten by conventional insurers (often via Lloyd's of London syndicates) and covers custodial and operational risks. On-chain protocols like Nexus Mutual and Sherlock provide smart contract cover, where payouts are determined by a decentralised claims process. Both serve different risk categories and are complementary rather than interchangeable.
How much does crypto insurance cost?
Premiums vary widely based on assets under custody, the firm's security posture, jurisdiction, and coverage type. Custodial asset coverage has typically ranged from 1% to 3% of insured value annually, though rates fluctuate with market conditions and claims history. Firms with stronger security programmes demonstrably obtain better terms.