
The $1.5B ByBit Hack: Would Insurance Have Helped?


The cryptocurrency industry was recently shaken by a sophisticated attack on ByBit, resulting in a $1.5 billion loss in ETH. The attack, attributed to North Korea's sanctioned Lazarus Group, has sparked extensive discussion within the security community. Rather than providing another technical analysis, this article examines the incident through an insurance lens, using Harry Donnelly's comprehensive technical write-up as our foundation.

Before diving into the coverage analysis, it's worth commending ByBit's response to the incident. Their swift action and transparency have been crucial for the industry's collective learning. Ben Zhou (ByBit's CEO) even posted his heart rate on X; spoiler alert: it was low.

As Nassim Nicholas Taleb discusses in "Antifragile", some systems grow stronger through chaos and trauma. The crypto industry exemplifies this concept, demonstrating resilience by rallying together without requiring external bailouts. ByBit's ability to secure nearly $1.5 billion through loans, deposits, and other arrangements to make its traders whole showcases the community's strength in a crisis.

The Hack: Key Points

According to the various analyses, the attack involved two potential vectors:

  1. A compromise of Safe Wallet's infrastructure/backend
  2. A compromise of ByBit signer's laptop or signing device

While we're still waiting for confirmation of exactly what happened, we'll examine how insurance would apply to each scenario.

Insurance Coverage Analysis

When examining potential insurance coverage for such an incident, two primary policy types come into play: specie and crime policies. It's important to note that neither policy would cover the first attack vector (a compromise of Safe Wallet's infrastructure), as these policies respond to first-party rather than third-party technology failures. Nor would it be feasible for underwriters to underwrite every technology a custodian interacts with in order to price that third-party tech risk.

On this basis, we examine the policy language only for coverage of the second attack vector. The analysis of both the specie and crime policies has been taken from market standard wordings. It's also important to note that I do not have any knowledge of ByBit's insurance program and have based my analysis on a few assumptions.

Specie Policy Analysis

Standard specie policies typically cover:

  • Collusion or theft by designated employees
  • Physical damage to storage media (private keys on a hardware device)
  • Natural disasters and physical damage scenarios

In this case, since the ByBit compromise didn't involve designated custodians colluding or stealing private keys, a specie policy would not provide coverage. This is an important finding: the majority of custodians who hold a specie policy should discuss whether their coverage is fit for purpose. If they want protection against a similar attack vector, discussing it with their insurance broker is the first step in understanding their options.

Crime Policy Analysis

A standard crime policy proves more promising, particularly under two potential coverage areas:

  1. Computer Fraud Coverage (Insuring Agreement 5)

The compromise of a signer's laptop could qualify as a "network security breach" under this coverage, which includes "change to data elements or program logic of your computer system." This interpretation would likely trigger coverage without running afoul of standard exclusions.

  2. Funds Transfer Fraud Coverage (Insuring Agreement 6)

While traditionally intended for social engineering attacks, the broad definition of "fraudulent instruction" could encompass the unauthorized transaction requests in this case. This is a notable finding, as the attackers sent a fraudulent transaction request to the signers which ultimately drained the wallets.

There were no notable exclusions in the crime policy wording that would have excluded this claim.

Practical Considerations

Despite potential coverage under a crime policy, several practical limitations exist:

Maximum available market coverage typically caps at $100 million:

  • With a $1.5 billion loss, this leaves a $1.4 billion gap
  • At market rates of approximately 2%, a $100 million policy would cost around $2 million in premium
  • Standard deductibles hover around $250,000

The Return on Investment Question

While recovering a net $98 million (the $100 million limit less roughly $2 million in premium, before the deductible) on a $1.5 billion loss is significant, it highlights the challenge of insuring against massive crypto losses. The maximum available coverage represents less than 7% of ByBit's total loss.

So what do we do?

Looking Forward

It's certain that insurance alone doesn't solve this issue, but a united offering could. By creating a comprehensive risk management package that combines insurance with proactive risk mitigation and enhanced infrastructure segregation, the industry would be in a better position to defend and indemnify itself should this happen again.

Another area that will be explored in the boardroom is the efficacy of specie policies in a new world of custody. The current specie wording leaves quite a bit uncovered, which is why normal specie policies are able to insure hundreds of millions more than crime placements. However, with no notable claims having been paid under a specie policy, I think clients will start demanding broader coverage that aligns with current security infrastructure setups. Broader coverage that takes into consideration the vagaries of, and differences between, hot and cold storage is very much needed and is something that companies in this space have been talking about for years. Essentially, we need to do away with "cold and hot" and align ourselves with how our clients describe their private key infrastructure rather than forcing them into outdated processes.

One thing I will say in defence of insurers is the process of understanding the risk of custodians. The rigorous due diligence required by insurers often frustrates crypto companies seeking coverage. However, the ByBit incident underscores why insurers need a deep understanding of custody infrastructure before committing to potential nine-figure payouts. Just as venture capitalists conduct extensive due diligence before large investments, insurers must thoroughly evaluate the infrastructure they're protecting. Yes, the underwriting process is tiring, but in ByBit's case, had they bought a crime policy, insurers would most certainly have had a large claim on their hands.

This incident serves as a reminder that while insurance plays a vital role in risk management, the crypto industry must continue developing robust security measures and maintaining strong community support networks to handle large-scale attacks effectively.