March 13, 2019 Articles

Blockchain Is Coming and So Are Insurance Coverage Challenges and Opportunities

As blockchain becomes more common in usage, risks and resulting losses will become more reality than theory, and demands for coverage of those risks and losses will rise.

by James S. Gkonos and Laurie A. Kamaiko

Blockchain is one of the new darlings of the insurance industry. Proponents of blockchain technology believe that it can affect nearly every aspect of the insurance industry: underwriting, distribution, administration, and claims. The industry is still somewhat unsure of the impact of the technology, but its usage is spreading and there is increasing acceptance that it will be part of the future operations of both insurers and companies they insure. A recent Deloitte study of 300 U.S. executives revealed that 28 percent had invested at least $5 million in blockchain technology, 10 percent had invested at least $10 million, but 39 percent had no understanding of the technology. 1 A PriceWaterhouseCoopers survey of the financial services industry, including the insurance industry, showed that over 50 percent of financial services executives believed blockchain was important, but were not sure how to use it, and 68 percent of insurance executives in 2018 expected to adopt blockchain as part of an in-production system.2

Regardless of how the insurance industry ultimately uses the technology, it definitely is coming. 3  As with many new technologies, its impact on the insurance industry is both in terms of how companies in the industry use it for their own operations and how it is used by the entities they insure. Among the issues it raises is whether, and if so how, blockchain may change the risk exposures that companies who use it in their operations face and in turn how it will affect existing insurance coverages and potentially require modification of current policy forms or the development of new ones. Thus, it provides both a challenge to the insurance industry, in terms of identifying and addressing exposures under existing insurance, and an opportunity for the creation of new coverages to embrace a growing demand by policyholders for insurance that affirmatively covers blockchain operations and exposures. This article explores some of those potential insurance coverage issues.

How Blockchain Works

Before a sensible discussion of coverage issues can occur, a basic understanding of blockchain and how it works is necessary. Blockchain is a form of distributive ledger technology. In simple terms, if one thinks of a standard accounting ledger with debits and credits forming separate columns of a ledger, blockchain is like a third column of the ledger that allows for other functions, such as tracking, verification, security, and implementation of contract terms through smart contracts. The technology is called “distributive” because the information on the “ledger” is distributed to each and every participant in the blockchain so that each participant has an independent full data set of the ledger. Each participant engages the blockchain through a “node,” i.e., a computer, which is continually updated as transactions are approved and added to the ledger. In theory, a blockchain is a “decentralized autonomous organization” in which no one entity is in control, and decentralization of input and access to information is a large factor in its operations. However, in practice, so far there does seem to be a need for a coordinating entity.

One of the unique capabilities of blockchain is that, in theory, its information is immutable and cannot be changed. Each transaction is tagged with a “hash” number of its own and the “hash” number of the transaction prior to it in the chain, making attempted alterations transparent. Blockchains can be “permissioned,” allowing only some authorized parties to participate, or “permissionless,” allowing any party to join the blockchain. Security is maintained in at least two ways. First, in permissioned blockchains, key cryptology is used. In order for transactions between parties to take place, each must approve the transaction using their private key. This prevents others from attempting to alter or even view those transactions. Second, in all blockchains, each transaction is subject to a requirement that it must be accepted by a majority of the nodes, each of which performs an algorithmic calculation to approve the transactions. Existing transactions can be amended but only by adding the amendments to the blockchain. 

Because of these security features, blockchains are very difficult to hack. Some supporters argue that it is impossible to hack a properly operating blockchain, while others are less complacent, particularly concerning the possibility of theft or unauthorized use of a private key or theft of cryptocurrencies based on blockchain technology as demonstrated by recent widely reported hacks of cryptocurrency exchanges.

Potential Benefits and Issues

There are numerous potential benefits to the use of blockchains. As discussed above, transactions on a blockchain are immutable and can’t be changed, except by amendment by the parties via additions to the blockchain. For the same reasons, transactions on the blockchain provide transparency and audit trails, now required by many cybersecurity statutes and regulations, particularly for entities in the financial sector. Because of the transparency and audit trail capabilities, blockchains are viewed as ideal for businesses that involve numerous agreements, such as insurance policies or surety bonds, as well as those in which tracking of ownership chains are especially important, such as real estate. A blockchain can also facilitate the “know your customer” counterparty requirements, as other investigations of customers can be made available across a company or company group, or other members of the blockchain. This capability could reduce the amount of time for such customer reviews and investigations. Finally, and perhaps of most interest to insurance companies, blockchains can support “smart contracts,” such as parametric insurance,5  which automatically verifies information and executes claims, and can be particularly useful on lines of insurance with high volume and objective triggers of coverage.

Numerous issues surround the ultimate use and success of blockchains. Because of the decentralized nature of blockchains, significant questions arise regarding data privacy and cross-border data ownership issues. If an agreement on the blockchain contains protected personal information, who is liable if the information is leaked or hacked? Because all information on the blockchain, including protected intellectual property, is on every node, how is that information protected and who is liable if that information is inadvertently provided to third parties? Because nodes of a blockchain may be in different countries, what laws apply and how are conflicting laws to be dealt with? Will anti–money laundering laws of the United States and other countries apply and, if so, to whom? Moreover, while immutability may be a strength and limit the risks of fraud and unauthorized changes to information chains, it may also create a liability simply because it cannot be changed. The European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018, allows for a “right to be forgotten,” i.e., a right to have information removed from a company’s systems or websites,6  and some U.S. state laws are likely to follow that trend;7  if information is immutable, how can such information be deleted, and if it cannot be deleted, is that a violation of these requirements? Are there privacy issues or disclosure obligations based on the nature of blockchain as the transparent sharing of information that could include personal information of individuals?

Potential Liabilities and Existing Coverage

These issues may create the potential for liability, and they raise the question of whether such potential new liabilities will be covered by existing insurance. How insurers will respond to these issues is yet to be determined, but some insurance companies are already looking at these issues in terms of identifying whether they have new exposures and whether they want to limit or embrace them.

As companies adopting blockchain in their operations become the recipient of claims, or sustain losses as a result of their operations, they are likely to look to their existing insurance for coverage. New business enterprises based on blockchain technology and existing companies adopting its usage are also likely to start asking about coverage in advance of events as they review and renew their insurance portfolios. Blockchain service providers will likely be asked by their clients to have insurance in place that covers the claims that may arise. Insurers, in turn, are starting to ask themselves what coverages they provide—and want to provide—as they review and revise their policy forms. Technology errors and omissions insurance, for example, has always been subject to claims that software designers they insure have developed and sold software that is not satisfying customer requirements or not up to standard or not sufficiently secure. Thus, being subject to claims for problems arising from the design of software may not be new, but the standards that apply to the design of the software used in blockchain may be not only new but not yet fully developed.

The example of data breaches and network security incidents is illustrative of how the application of existing insurance to new or expanding risks can be the subject of debate and dispute. Data breaches and the growth of regulation requiring security and response to breaches involving personally identifiable information (PII) generated growth of a new insurance product, generically referred to as cyber insurance, that was specifically designed to apply to those incidents and many of the losses and claims resulting from data breaches and network security failures. However, the insurance industry is still often faced with claims under traditional lines of insurance not designed to apply, in what has been referred to as “silent cyber” coverage. And policyholders are still sometimes disappointed to learn that not all losses from an event involving digital data are always covered under a cyber policy (such as bodily injury or property damage, or the financial losses from business email compromises that result in fund transfer frauds).

Cyber insurance is an example of uncertainties in how an existing policy form would apply to blockchain-related risks. For example, if there were a data breach of PII (or “personal data” as protected under the GDPR) maintained on a blockchain, would a cyber insurance policy apply and, if so, whose policy? Cyber policies usually have definitions and limitations in scope as to whose “computer system” is covered, such as that of the named insured and those operating a computer system on behalf of the named insured (often with a requirement that be done so under a written contract). In a blockchain transaction, whose computer system is it that was breached or whose security failed? And which entity is the owner or holder of the PII that is responsible for its security and providing notice to regulators and individuals whose PII was accessed? If the breach involved the unauthorized usage of a private key that can be tracked, that may more readily result in the identification of an arguably responsible party, but the theft of the private key in issue may not be identified in the short time frame required for a response to a data breach and notification. If the issue is one of failure of the blockchain’s usage to comply with privacy laws or regulations, what jurisdiction’s regulatory requirements apply and which party or parties using the blockchain in issue for the transaction in issue is responsible for compliance? Is an entity responsible for the security of each blockchain on which it is a party to a transaction? Cyber insurance policies may be among those that are to be examined and modified to clarify their application to such exposures, by amending definitions and perhaps adding affirmative new coverages.

Some third-party complaints alleging negligence by an insured in its operations may be able to trigger coverage under existing errors and omissions coverage or even general liability coverage, although with likely issues as to whether the loss involved is one of “property” (and, if so, is it tangible or intangible) or only economic loss, and whether electronic data, professional services, or other exclusions apply even if not expressly directed at blockchain transactions.

Bitcoin and other “virtual currencies” that use blockchain technology were the impetus for the development of blockchain (often referred to as cryptocurrency). Exchanges on which a cryptocurrency is traded and enterprises that store cryptocurrency have been the subject of the most public breaches resulting in substantial losses.8  Thus, they are at the forefront of the discussion of how existing insurance may apply and whether they should be insured. One major issue has been whether cryptocurrency is in fact a currency as defined by current policies and regulations, whether it is a security, or whether it is property. This has already had an impact on whether a homeowner’s or crime policy covering loss or theft of money or securities would apply to loss or theft of virtual currency. Currently, whether it is argued to be money, property, or a security can often depend on the type of policy or regulation that is in issue, as the policyholder seeks to maximize insurance recovery and the regulator seeks to confirm that the transactions in issue are within its oversight. 

Courts faced with the issue have a dearth of precedent to rely on, and thus any decision or regulatory position can have an outsized effect, at least for now. Thus, a lower court in Ohio found that Bitcoin, despite being a “virtual currency,” was property, not money, in the context of a claim (apparently under a homeowner’s policy) for coverage of $16,000 worth of stolen Bitcoin under a policy that had a sublimit for stolen “money,” based on an Internal Revenue Service (IRS) notice issued in 2014 that stated that “[f]or federal tax purposes, virtual currency is treated as property.”9  Some crime insurers are reportedly modifying the definition of covered property not only to specify “money and securities” but also to expressly include virtual currency; express exclusions are also available, and use of either will avoid coverage disputes on the issue. 

Risks and Regulation

Complicating the issue of whether existing coverages designed for money or property loss or for securities transactions will apply is that new and potentially inconsistent laws and regulations on both state and federal levels are already developing. Wyoming passed comprehensive blockchain legislation in March 2018 that, among other things, provides an exemption for virtual currency used within Wyoming from money transmitter laws and regulations, subject to certain conditions; specifies that virtual currency is not subject to taxation as “property” in Wyoming; and provides some exemptions from Wyoming state securities and money transmission laws.10  However, the Securities and Exchange Commission (SEC) may not take the same approach and has already asserted the view that digital currency trading such as initial coin offerings can, at least in some circumstances, be considered securities offerings and within its monitoring and enforcement bailiwick.11

Of concern to many insurers is that the ease of use and lack of a central record-keeping body for virtual currencies and transactions using them potentially present a greater risk of theft than for traditional government-backed currency. There has been a reluctance by many insurers to insure entities whose businesses involve or service cryptocurrency exchanges or other usage of virtual currencies, although it appears that several have recently embraced at least some aspects of the risk as a new opportunity for a new insurance product generating new and substantial premiums. Some insurers are reportedly now offering theft coverage for those handling digital currencies, with insurance now reportedly available at least for individual investors involved in virtual currency transactions.12  There are still concerns, though, about insuring the exchanges on which cryptocurrencies are traded and the entities offering custodial services such as electronic storage sites (“wallets”) in which cryptocurrencies are stored. 

While the entities and the technology involved in blockchain may be new, many of the criteria for evaluating the risk involved are familiar: security of operations, development of protocols and procedures to minimize risk, evaluation of the people and business partners involved, storage procedures, and compliance efforts and culture. Considerations for evaluating and measuring exposure include factors such as designating the point in time at which the value of the loss is to be measured, taking into account the difference between gross loss and net profit, and designating a dispute process. However, still evolving and thus less ascertainable are all the regulations that will govern transactions involving blockchain, particularly cryptocurrency transactions and exchanges. 

Indeed, for all entities and transactions using blockchain, there will likely be evolving regulatory requirements to address blockchain that may expand, or limit, compliance exposures. That in itself renders it difficult to predict whether existing policies will be found to apply to future claims. Lines of insurance such as directors’ and officers’ policies are likely already presented with questions as to whether they provide coverage for regulatory investigations and proceedings against the entities or individuals they insure, which may turn not only on the specific wordings of the policy but also on what the regulatory body in issue considers to be a securities claim. Many insurers may think their forms have exclusions that apply, but ones designed for excluding breaches involving electronic data may not be as broad as thought. Others may find that courts consider their affirmative coverage to be broad enough, or at last ambiguous enough, to encompass risks never contemplated when the policy form was first issued.

Conclusion

As blockchain becomes more common in usage, risks and resulting losses will become more reality than theory, and demands for coverage of those risks and losses will rise. Insurers may not want to wait until they are faced with that reality. They can undertake now to identify categories of policyholders using blockchain and providing blockchain services that they want to embrace or avoid in underwriting. They can also identify potential claim scenarios and how they would be addressed under the existing policy forms they issue. They can reduce the likelihood of costly disputes with policyholders by considering now whether they want to affirmatively cover or expressly exclude the identifiable risks presented by usage of blockchain discussed above. Insurers can start preparing themselves now for the likely increase in demand for insurance products that provide coverage for the exposures that may arise. In other words, insurers can start now to address the challenges and opportunities presented by use of blockchain in their own operations and that of their insureds. 

James S. Gkonos and Laurie A. Kamaiko are with Saul Ewing Arnstein & Lehr, LLP.

 


Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).

James S. Gkonos

James S. Gkonos is counsel  at Saul Ewing Arnstein & Lehr, LLP, Philadelphia, PA. He is a member of both the firm’s Insurance Practice Group and Cybersecurity & Privacy Practice Group.

Laurie A. Kamaiko

Laurie A. Kamaiko is a partner at Saul Ewing Arnstein & Lehr, LLP, New York City. She is a member of both the firm’s Insurance Practice Group and Cybersecurity & Privacy Practice Group.