Policyholders Should Not Overlook Traditional Policies in Evaluating Coverage for Cryptocurrency-Related Risks
The Situation: Companies using or investing in cryptocurrencies face various risks, including digital theft, ransomware attacks, and market volatility. The availability of insurance coverage for these risks is evolving rapidly.
The Result: In addition to evaluating new forms of coverage that may be available for these risks, policyholders facing cryptocurrency-related losses should also review their traditional insurance policies carefully for potential protection against such losses.
Looking Ahead: As with many emerging losses, the insurance industry has already begun trying to develop and add language to traditional policies attempting to limit or modify the scope of coverage for cryptocurrency-related risks while simultaneously marketing new forms of specialty coverage tailored to cryptocurrency risks. Policyholders should be mindful of any such language when purchasing traditional forms of insurance and consider whether additional specialized coverage should be purchased.
Cryptocurrency, such as Bitcoin, is a decentralized and exclusively virtual currency that is secured through cryptography. Companies using or investing in cryptocurrency face various risks, such as market volatility, ransomware attacks, and digital theft. Losses resulting from such risks may be covered by existing insurance policies, such as property insurance, cyber insurance, and/or directors and officers ("D&O") insurance policies. For example, property insurance may cover monetary losses if cryptocurrency is stolen; cyber insurance may cover ransom payments to hackers targeting cryptocurrency; and D&O insurance may cover legal costs in connection with claims against directors or officers for their decisions and actions in connection with cryptocurrency use and/or investments. Because cryptocurrency is relatively novel, courts and government agencies have not yet reached a consensus as to how to categorize it. For example, some courts and/or agencies have categorized cryptocurrency as property, while others have characterized it as funds or money. And, whether cryptocurrency constitutes a security is currently being litigated in Securities and Exchange Commission v. Ripple Labs Inc., Case No. 20-cv-10832 (S.D.N.Y. 2020). Policyholders facing cryptocurrency-related losses should carefully evaluate these varying and evolving characterizations of cryptocurrency and analyze potential coverage under their existing insurance policies.
Policyholders may be able to recover cryptocurrency-related losses under their property insurance policies. Property policies typically cover physical damage or loss to tangible property. Guidance from the Internal Revenue Service ("IRS") and rulings by some courts suggest that cryptocurrency qualifies as "property." For example, the IRS has indicated that for federal tax purposes, virtual currency is treated as property. See I.R.S. Notice 2014-21. An Ohio court relied on this IRS guidance in Kimmelman v. Wayne Ins. Grp., 2018 Ohio Misc. LEXIS 1953 (Ct. Comm. Pl. 2018) to confirm coverage under a homeowner's property policy for stolen Bitcoin. There, the policyholder suffered a $16,000 loss when his Bitcoin portfolio was stolen. The insurer tried to characterize the Bitcoin as money, which was subject to a $200 sublimit under the policy. The court rejected this argument, holding that the policyholder's Bitcoin portfolio constituted property, which was not subject to the $200 sublimit. The court reasoned that "'virtual currency' is recognized as property by the IRS and shall be recognized as such by this Court." Id. at *2.
Although cryptocurrency is virtual, it can also exist as physical, tangible property in the form of "cold cryptocurrency." Cold cryptocurrency is stored offline on hard drives or flash drives, which can be physically damaged or stolen. Such damage should satisfy any requirement of "physical damage to tangible property" covered under property policies. Insurers may attempt to distinguish physical hard drives from the data stored within the hard drives. For example, the Fourth Circuit has labeled the data stored within physical hard drives as "abstract ideas, logic, instructions, and information" and not "tangible property." Am. Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 96 (4th Cir. 2003). However, courts have rejected insurers' arguments that data, such as cryptocurrency, is not property susceptible to physical loss or damage. See, e.g., EMOI Servs., LLC v. Owners Ins. Co., 180 N.E.3d 683, 693-96 (Ohio Ct. App. 2021) (holding that a ransomware attack that encrypted the policyholder's software and data (and only decrypted it upon a Bitcoin payment) caused "direct physical loss or damage" to the policyholder's property, rejecting the insurer's arguments that "the software and data have no physical existence and thus are not susceptible to physical loss or damage").
Cryptocurrency-related losses may also be covered under cyber insurance policies. Cyber policies typically cover cyber risks such as losses from malicious code and viruses, attacks, unauthorized access, theft, web site defacement, and cyber extortion (i.e., ransom payments). The meteoric rise in value of several types of cryptocurrency, including Bitcoin, makes cryptocurrency an increasingly popular target and/or demand amongst ransomware hackers.
Fortunately, many cyber policies expressly cover cryptocurrency losses, or are worded broadly enough to clearly encompass cryptocurrency-related losses. However, to the extent cyber policies use terms like "money" or "securities," insurers may argue that such terms do not include cryptocurrency. In response, policyholders can point to multiple favorable characterizations of cryptocurrency by courts and administrative agencies. For example, courts have held in criminal cases that Bitcoins are both funds and money. See, e.g., United States v. Ulbricht, 31 F. Supp. 3d 540, 570 (S.D.N.Y. 2014); United States v. Ologeanu, No. 5:18-CR-81-REW-MAS, 2020 WL 1676802, at *11 (E.D. Ky. Apr. 4, 2020). In addition, the issue of whether cryptocurrency may constitute a security is currently being litigated in Securities and Exchange Commission v. Ripple Labs Inc., No. 20-cv-10832 (S.D.N.Y. 2020).
Directors and Officers Insurance
Companies and their directors and officers could face claims from investors and other third parties arising out of their decisions and actions in connection with utilizing and/or securing cryptocurrency. Indeed, SEC Chairperson Gary Gensler likened the crypto landscape to "the Wild West" because the unregulated cryptocurrency market is so fraught with fraudsters. A company with deficient storage, security, and recovery protocols relating to its use of cryptocurrency may face not only lost or stolen assets, but also potential claims against it for negligence and breach of fiduciary duty. In addition, directors and officers may face additional risks arising from increasing cryptocurrency regulation.
D&O policies generally cover claims arising from managerial decisions that have adverse financial consequences. Thus, claims against companies and/or their officers or directors in connection with their investment in and/or use and security of cryptocurrency may be covered under D&O policies. Policyholders evaluating coverage under their D&O policies should pay careful attention to any exclusions that could potentially limit the scope of coverage for cryptocurrency-related losses, such as electronic data exclusions and/or exclusions for criminal conduct.
Three Key Takeaways:
- Because cryptocurrency is relatively new, traditional insurance policies may not expressly address cryptocurrency-related risks. However, that does not mean cryptocurrency-related losses are not covered.
- Actual policy language, relevant case law, and guidance from government agencies and/or other resources regarding the characterization of cryptocurrency should be evaluated in determining the potential availability of coverage under traditional policies. Importantly, the same cryptocurrency loss may be covered under several different types of policies. For example, theft of cryptocurrency due to alleged insufficient security measures could result in claims under property, cyber, and D&O policies.
- Accordingly, it is important for policyholders to consider how the characterization of cryptocurrency (e.g., as property, data, money, and/or securities) may impact coverage under all potentially applicable policies.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.