In the mid- to late 1990s, the insurance industry was struggling with “the Y2K crisis,” not only in connection with its own systems but, more importantly, with the systems of all its policyholders. As the chief underwriting officer of one of the largest subsidiaries of one of the largest insurance companies in the world, AIG, I had to determine our potential exposure if the computer systems of our policyholders failed. My conclusion: hundreds of millions of dollars of potential liability payouts.
Y2K — a problem that threatened to confuse computers about chronology beginning on Jan. 1, 2000, because years had historically been represented in software with just two digits, meaning that the year 2000 (represented as “00”) was indistinguishable from 1900 (also “00”) — was the insurance industry’s introduction to the hazards of insuring technology. To reduce that exposure, we had to figure out a way to motivate our corporate policyholders to take reasonable steps to manage their Y2K problem. Because one of the central purposes of an insurance policy is to motivate specific risk-reducing behavior, such as wearing a seat belt, the question became how to motivate risk reduction in connection with the impending problem.
So we created “Y2K insurance” and made it available only to those companies that took the right steps.
Well, the Y2K crisis came and went, and the insurance industry was relatively unscathed. Whether the introduction of a new insurance product helped, we will never know. What we do know is that the Y2K experience inspired the insurance industry to contemplate other technology risks we might insure. In the year 2000, the answer was immediately clear: the Internet. Many of us realized that the Internet presented a permanent change in the sociological and economic system; that life would never be the same. But how does one insure a new technology and a completely new way of conducting business? It was a scary thing to contemplate.
Fundamental to the insurance business is an analysis of historical actuarial information about frequency and severity of loss. We have decades of data on automobile accidents, broken down in every way imaginable. But how do you determine the right premium for a risk that has never existed?
For most carriers, the answer was, “You don’t.” But for a few, a different response emerged. A response that arose from a different culture—a risk-taking culture. A culture of innovation. “Cyber insurance” was born.
It took a while, but eventually we became comfortable with underwriting the frequency and severity of potential cyber attacks against our policyholders’ computer systems. Today, 15 years later, cyber insurance is a robust $1.3 billion industry, with more than 45 carriers providing some type of cyber insurance. And, despite the almost daily reports of cyber attacks, the industry is somehow making enough money to stick around.
Once again, the insurance industry is faced with a new risk in the technology space. Once again, the global economy is being transformed with a new way of conducting transactions. Once again, the insurance industry is faced with a dilemma: Do we ignore this new risk or face it head on?
There are more than 8 million Bitcoin “wallets” in existence today, and this is expected to increase to 12 million by the end of the year. The total value of Bitcoins worldwide is around $4 billion. There are more than 100,000 Bitcoin transactions happening every day. More than 80,000 companies, from Microsoft to Dell to Expedia.com, accept Bitcoins as payment.
But how do you insure Bitcoins? More specifically, how do you insure the theft of the electronic private keys that are used to access Bitcoins? A smart insurer realizes that such a task is an exercise in both the familiar and the foreign. A private key is, after all, an electronic file. In many ways, the policies and procedures used in the network security space to protect any computer system holding any file are the same as those used to protect an electronic private key file. Equally true is that a good portion of private keys are stored in “cold storage,” meaning that they are not held in a computer that has access to the Internet. Some are actually stored in a bank vault. Storing valuables in a bank vault is also a well-understood risk and insurable. Finally, many companies that would be interested in purchasing Bitcoin theft insurance are themselves technology providers. Insurance for technology companies has existed for some time.
However, that’s where the analogy ends, and things begin to become difficult. First, the “cyber” insurance policies provided today actually do not insure the intrinsic value of the electronic file stolen. The policies do not cover the “value” of a Social Security number, for example. Furthermore, best practices in the securing of private keys in “hot storage” (computers connected to the Internet) rely upon the multisig, or multiple signature, technology, something with which insurance underwriters are generally unfamiliar. At best, underwriting the theft of Bitcoins requires coordination of multiple underwriting departments within an insurance company. More likely, it means creating new underwriting techniques and protocols.
Will the insurance industry be able to respond to the call? The insurance industry historically has not been known for innovation. So, how will we respond when we are faced with a new and potentially important risk, for which there is no historical actuarial data? Do we run away, or do we embrace a new need and a new opportunity as we did 15 years ago?
In February 2015, one company successfully designed the first true Bitcoin theft insurance policy along with a global “A”-rated insurance carrier for the benefit of BitGo, a leader of multisig technology. Will this policy be the only one of its kind? Or, as with cyber insurance 15 years ago, will that be only the first of hundreds of thousands of “Bitcoin theft” policies?
Only time will tell.