Policyholders Should Not Overlook Traditional Policies in Evaluating Coverage for Cryptocurrency-Related Risks

Introduction

Cryptocurrency, such as Bitcoin, is a decentralized and exclusively virtual currency that is secured through cryptography. Companies using or investing in cryptocurrency face various risks, such as market volatility, ransomware attacks, and digital theft. Losses resulting from such risks may be covered by existing insurance policies, such as property insurance, cyber insurance, and/or directors and officers ("D&O") insurance policies. For example, property insurance may cover monetary losses if cryptocurrency is stolen; cyber insurance may cover ransom payments to hackers targeting cryptocurrency; and D&O insurance may cover legal costs in connection with claims against directors or officers for their decisions and actions in connection with cryptocurrency use and/or investments. Because cryptocurrency is relatively novel, courts and government agencies have not yet reached a consensus as to how to categorize it. For example, some courts and/or agencies have categorized cryptocurrency as property, while others have characterized it as funds or money. And, whether cryptocurrency constitutes a security is currently being litigated in Securities and Exchange Commission v. Ripple Labs Inc., Case No. 20-cv-10832 (S.D.N.Y. 2020). Policyholders facing cryptocurrency-related losses should carefully evaluate these varying and evolving characterizations of cryptocurrency and analyze potential coverage under their existing insurance policies. 

Property Insurance

Policyholders may be able to recover cryptocurrency-related losses under their property insurance policies. Property policies typically cover physical damage or loss to tangible property. Guidance from the Internal Revenue Service ("IRS") and rulings by some courts suggest that cryptocurrency qualifies as "property." For example, the IRS has indicated that for federal tax purposes, virtual currency is treated as property. See I.R.S. Notice 2014-21. An Ohio court relied on this IRS guidance in Kimmelman v. Wayne Ins. Grp., 2018 Ohio Misc. LEXIS 1953 (Ct. Comm. Pl. 2018) to confirm coverage under a homeowner's property policy for stolen Bitcoin. There, the policyholder suffered a $16,000 loss when his Bitcoin portfolio was stolen. The insurer tried to characterize the Bitcoin as money, which was subject to a $200 sublimit under the policy. The court rejected this argument, holding that the policyholder's Bitcoin portfolio constituted property, which was not subject to the $200 sublimit. The court reasoned that "'virtual currency' is recognized as property by the IRS and shall be recognized as such by this Court." Id. at *2. 

Although cryptocurrency is virtual, it can also exist as physical, tangible property in the form of "cold cryptocurrency." Cold cryptocurrency is stored offline on hard drives or flash drives, which can be physically damaged or stolen. Such damage should satisfy any requirement of "physical damage to tangible property" covered under property policies. Insurers may attempt to distinguish physical hard drives from the data stored within the hard drives. For example, the Fourth Circuit has labeled the data stored within physical hard drives as "abstract ideas, logic, instructions, and information" and not "tangible property." Am. Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89, 96 (4th Cir. 2003). However, courts have rejected insurers' arguments that data, such as cryptocurrency, is not property susceptible to physical loss or damage. See, e.g., EMOI Servs., LLC v. Owners Ins. Co., 180 N.E.3d 683, 693-96 (Ohio Ct. App. 2021) (holding that a ransomware attack that encrypted the policyholder's software and data (and only decrypted it upon a Bitcoin payment) caused "direct physical loss or damage" to the policyholder's property, rejecting the insurer's arguments that "the software and data have no physical existence and thus are not susceptible to physical loss or damage"). 

Cyber Insurance

Cryptocurrency-related losses may also be covered under cyber insurance policies. Cyber policies typically cover cyber risks such as losses from malicious code and viruses, attacks, unauthorized access, theft, web site defacement, and cyber extortion (i.e., ransom payments). The meteoric rise in value of several types of cryptocurrency, including Bitcoin, makes cryptocurrency an increasingly popular target and/or demand amongst ransomware hackers. 

Fortunately, many cyber policies expressly cover cryptocurrency losses, or are worded broadly enough to clearly encompass cryptocurrency-related losses. However, to the extent cyber policies use terms like "money" or "securities," insurers may argue that such terms do not include cryptocurrency. In response, policyholders can point to multiple favorable characterizations of cryptocurrency by courts and administrative agencies. For example, courts have held in criminal cases that Bitcoins are both funds and money. See, e.g., United States v. Ulbricht, 31 F. Supp. 3d 540, 570 (S.D.N.Y. 2014); United States v. Ologeanu, No. 5:18-CR-81-REW-MAS, 2020 WL 1676802, at *11 (E.D. Ky. Apr. 4, 2020). In addition, the issue of whether cryptocurrency may constitute a security is currently being litigated in Securities and Exchange Commission v. Ripple Labs Inc., No. 20-cv-10832 (S.D.N.Y. 2020). 

Directors and Officers Insurance

Companies and their directors and officers could face claims from investors and other third parties arising out of their decisions and actions in connection with utilizing and/or securing cryptocurrency. Indeed, SEC Chairperson Gary Gensler likened the crypto landscape to "the Wild West" because the unregulated cryptocurrency market is so fraught with fraudsters. A company with deficient storage, security, and recovery protocols relating to its use of cryptocurrency may face not only lost or stolen assets, but also potential claims against it for negligence and breach of fiduciary duty. In addition, directors and officers may face additional risks arising from increasing cryptocurrency regulation.

D&O policies generally cover claims arising from managerial decisions that have adverse financial consequences. Thus, claims against companies and/or their officers or directors in connection with their investment in and/or use and security of cryptocurrency may be covered under D&O policies. Policyholders evaluating coverage under their D&O policies should pay careful attention to any exclusions that could potentially limit the scope of coverage for cryptocurrency-related losses, such as electronic data exclusions and/or exclusions for criminal conduct.