Virtual Coin

October 31, 2014 | Last updated on October 1, 2024

Dell Inc. and TigerDirect.ca are among the reported 63,000 merchants who allow customers to use bitcoin to pay for goods. The payment system exists despite a lack of regulation and the feeling, at least for some, that insurers may be reluctant to cover some risks associated with bitcoin.

Questions arise around risks related to malware attacks on computer systems that store bitcoins and the need for financial institutions to develop and/or update risk governance and internal controls to account for the payment system. Coupled with those challenges, though, is the potential opportunity for insurers who are considering offering coverage related to offline storage of bitcoins.

“Underwriters should be interested in knowing whether clients are involved in bitcoin, and should certainly be posing such questions to any clients who transact business over the Internet,” suggests Terri Mason, head of professional indemnity for Allianz Global Corporate & Specialty (AGCS) in Canada.

Crime, technology and cyber policies “which contain hacker theft, e-theft or similar coverages would likely pick up” some risks associated with bitcoin – if those risks are not “otherwise specifically excluded,” Mason explains.

“This is something which underwriters, brokers and insurance buyers should all be aware of and looking to clarify in such policies,” she adds.

“Bitcoin is not officially recognized by the Canadian government as a currency, stock or any type of good that has value,” Canadian Virtual Exchange (CAVIRTEX), a bitcoin exchange, notes on its website.

Bitcoin exchanges allow users to buy and sell bitcoins using fiat currencies, Zilvinas Bareisis, a senior analyst with Celent’s banking group in London, notes in the report, The Disruptive Potential of Bitcoin: Why Everyone in Financial Services Should Care. As of August, about 63,000 businesses accepted bitcoin as payment, Bareisis reports.

“Unlike more traditional currencies, there is no principal authority backing bitcoin,” the Deloitte Center for Financial Services notes in the report, Bitcoin: The New Gold Rush? The report was written by Val Srinivas, research leader, banking and securities, Dennis Dillon, senior market insights analyst, and Ryan Zagone, lead market insights analyst, at Deloitte.

“It’s not clear whether (bitcoin is) money,” Ethan Wilding, project member for the Ethereum computer programming language and resident philosopher at Bitcoin Decentral, whose services include a bitcoin ATM machine in Toronto, said during a presentation at the Annual Engineering Insurance Conference (AEIC) in Toronto in October.

“Ultimately, it’s its own new asset class and we’re trying to figure out how to conceptualize it, at least in terms of the regulations,” Wilding told conference attendees. Unlike other payment methods, bitcoin does not go through a bank or a central processing system, he explained.

“Many of the risks involved are possible to insure under various types of insurance policies,” such as technology errors and omissions, crime and cyber risk, says Mason. “However given the relative newness of bitcoin, the lack of regulation and anonymity associated with it, and the myriad of issues surrounding it in the past couple of years, many insurers may be reluctant to offer such coverages,” she suggests, alluding to the recent collapse of the Moolah bitcoin exchange.

In order to store and transfer bitcoins, a user needs a “wallet,” explains Kyle Kemper, vice president of business development at CAVIRTEX.

But in the context of bitcoin, a wallet is not literally a case in which to hold money and identification. Rather, bitcoin wallets take different forms – such as apps on wireless devices, software on desktop computers or web services – and typically display a bitcoin balance, Bareisis notes in the Celent report.

Users can also “create paper wallets or wallets on computers that are offline,” says Wilding. “Insofar as they are doing that, there is no way for them to be hacked, except for someone physically stealing that device. Because once it’s connected to the Internet, you will always have that risk, however small, that some hacker is going to get into your computer.”

The cyber risks for users sending or receiving bitcoin payments “would be similar to those of any depository institution,” Mason explains. “Systems can be breached and funds stolen, and they are huge targets for hacker theft. These sorts of risks are likely more pronounced with bitcoin given the lack of centralization and regulation,” she says.

Mason adds that underwriters who determine their clients are involved in bitcoin “should then be looking at the frequency and value of bitcoin transactions, the type of wallet being used to store bitcoins, and as best as possible, analyze the security surrounding the storage and transfers.” In addition, she notes, the policyholder’s “level of experience with and understanding of bitcoin should also be investigated where possible.”

Wilding notes that bitcoins are transferred from one wallet to another using a “peer-to-peer network,” over the public Internet, which is why there is “no centralized point of control.”

A peer-to-peer network “allows for the creation of decentralized, dynamic and anonymous logical networks for information exchange over the public Internet,” Cisco Systems Inc. notes in the white paper, Managing Peer-To-Peer Traffic With Cisco Service Control Technology.

Bareisis notes that bitcoin is the first system to rely on peer-to-peer network decentralization to avoid double spending. “Every bitcoin transaction ever made within the network is recorded on the public ledger called the blockchain.”

Adds Kemper, “Once a transaction is logged in the blockchain, it can never be removed or altered. All these transactions are recorded, but there is no upfront personal information associated with any of the transactions.”

The fact that personally identifiable information is not stored is one advantage of bitcoin, Mason suggests, because this offers “more protection from identity theft than traditional depository institutions.”

That said, the security of the transactions depends, in part, on the “private keys” that the bitcoin protocol uses for authentication, Bareisis cautions. “It is helpful to think of public keys as your bank account number and the private key as the signing authority on that bank account. Public keys can be given to payers so that they could deposit money into your ‘account,’ but private keys have to be kept secret so only you can authorize payments,” he explains.

As such, users can “lose access” to their bitcoin holdings if their private keys are lost or stolen, Bareisis warns, adding that private keys could potentially be stolen “as a result of malware attacks either on their own ‘hot storage’ wallets or bitcoin balances held in custody at the exchanges.”

Cold storage is actually “the ideal storage solution for long-term storage of bitcoins because they are offline and, thus, cannot be hacked,” Kemper says.

“All known major bitcoin breaches to date were on coins stored on a ‘hot’ wallet or unencrypted back-ups stored on a ‘hot’ computer,” Bareisis reports.

“In contrast, ‘cold’ wallets’ private keys are created on the offline computer and never leave it; transactions are signed offline,” the report adds.

In order to steal the bitcoin from a cold wallet, a thief needs to have “physical access, extremely advanced USB viruses, or a user accidentally installing malicious software,” he writes.

This theft risk is something insurers can cover, Wilding told attendees of AEIC, part of the Canadian Boiler & Machinery Underwriters Association.

Insurance carriers covering bitcoin risk would “typically ensure that there are proper security practices on the bitcoin cold storage,” he said. This is something those working in the insurance industry “might want to consider” covering.

Another risk arising from bitcoin is compliance for financial institutions. Bitcoin raises many concerns from a compliance and risk perspective, the Deloitte paper notes, including adequately safeguarding against cyber threats and properly assessing counterparty risk when a new or existing customer begins using cryptocurrencies.

“Risk governance and internal controls may need to be developed or updated to account for bitcoin and other cryptocurrencies,” the paper adds.