Cryptocurrency on corporate balance sheets: D&O and E&O underwriting and claims considerations
As of May 26, 2021, the estimated market capitalization of the cryptocurrency market exceeded USD 1.7 trillion despite recent market fluctuations. There is growing interest by a wide range of publicly traded companies in incorporating crypto into their business models given the ongoing market development. For example, NVIDIA is manufacturing specialized computer processors designed for mining cryptocurrency. Samsung has developed its own Samsung Blockchain Wallet to facilitate the management of crypto asset holdings on Samsung mobile devices.
Aside from developing crypto-related products, many companies are contemplating cryptocurrency for their balance sheets. Famously, Tesla purchased $1.5 billion in bitcoin earlier this year, and despite the mid-May 2021 pullback of prices across cryptocurrency markets, Elon Musk recently implied that the company will not sell its holdings. Further, Michael Saylor, CEO of publicly-traded Microstrategy Inc. which reportedly holds over 71,000 bitcoin, hosted a conference earlier this year for companies who are considering incorporating bitcoin into their corporate strategy. According to Mr. Saylor, the conference attracted around 8,000 firms, reportedly including JPMorgan, Goldman Sachs, and Amazon. It is possible some of these efforts may be temporarily dampened or reconsidered in view of recent volatility in the cryptocurrency market, but the use of such currencies appears to be gaining wider acceptance by the market at large, including use on corporate balance sheets.
In light of the above, financial lines underwriters, including for directors & officers and errors & omissions policies, may wish to become more keenly aware of certain risks and key considerations associated with cryptocurrency storage and transactions.
Generally, cryptocurrencies are stored in a wallet. For bitcoin, arguably the most well-known of all cryptocurrencies, a wallet typically contains a public address comprised of 26 random alphanumeric characters which are case-sensitive. Much like a bank account number, this public address serves as an identifier for sending or receiving crypto. One must exercise caution in sending or receiving bitcoin, as a simple typographical error could result in assets being irretrievably lost. With each public address there is also a private key, which for bitcoin usually consists of a unique combination of 12 to 24 words that serve as the means for the blockchain to ascertain the right to control the assets of the associated public address. From a practical standpoint, the individual or entity that has access to the wallet’s private key retains ultimate control of the associated funds.
Many cryptocurrency holders choose to manage their holdings through a cloud-based provider (using a Coinbase account, for example). This storage method, however, is widely considered to be among the least secure. Cloud-based storage providers generally store users’ private keys (without users ever having access to them) and are therefore reliant upon the general viability and/or security measures of the provider. As with the rest of the digital economy, cryptocurrency exchanges have been the targets of cyberattacks.
For increased security, a software wallet can be installed directly on a user’s computer or mobile phone. Typically these wallets generate and store private keys on the device itself, rather than a centralized server in the cloud. This method avoids certain risks associated with proverbial “honeypots” for hackers, but the risk of malware on individual devices remains. Further, this method relies on the individual user storing and maintaining private keys. In the event that a third party gains access to the device or private keys, funds may be permanently lost.
For further security, an individual or entity may employ “cold storage”. This generally refers to the use of hardware devices designed for storage of cryptoassets without ever directly connecting to the internet. Cold storage may take many forms, from a small portable hardware wallet (a Trezor for example) to a “vault” service offered by a third party. Risks with these methods include loss of the physical hardware wallet or the private keys, or reliance upon the security of the vault provider.
Cryptocurrency wallets may also employ a multisignature design for added security. Such “multisig” wallets require multiple distinct private keys in order to send funds. With multisig, an entity can chose the number of private keys necessary to access funds. For example, it might assign a private key to each of its 7 board members, and require that at least 5 approve of any transaction. A multisig framework serves to mitigate many of the risks associated with storage of cryptoassets, but remains susceptible to human error or malfeasance.
Accordingly, in preparing D&O and E&O policies, as well as crime/fidelity coverages, underwriters may seek to inquire not only whether insureds intend to hold cryptocurrency on their balance sheets, but also the precise storage methods being considered. For example, what type of wallet(s) will the insured be using? Will the insured rely on a third party to manage its cryptocurrency holdings? Will the insured utilize cold storage? Will the insured incorporate a multisig framework? If so, which individuals, including employees or contractors, will retain private keys and how many will be required to send crypto? What protocols are in place in the event of a loss of assets or improper transfer?
Failure to implement adequate measures to protect cryptocurrency holdings and respond to adverse events may lead to first party losses in the form of lost or stolen assets, as well as future shareholder claims of negligence or breach of fiduciary duties with respect to management of the corporate treasury and secure asset transfer protocols. To the extent not already doing so, underwriters may wish to consider such risks in the pricing of future policies.
From a claims perspective, there may be possible shareholder or derivative actions if adequate internal processes or controls are not utilized. This potential trend may become more pronounced if the size of the cryptocurrency market grows and use of such digital currencies gains more support for use on corporate balance sheets.
 See id.; see also https://markets.businessinsider.com/currencies/news/elon-musk-spacex-representatives-spotted-michael-saylor-conference-bitcoin-tesla-2021-2-1030061601
 See e.g. https://www.theverge.com/2019/7/12/20691700/bitpoint-hack-bitcoin-ripple-cryptocurrency-exchange-stolen-funds