The cryptocurrency industry was recently shaken by a sophisticated attack on ByBit, resulting in a $1.5 billion loss in ETH. The attack, attributed to North Korea’s sanctioned Lazarus Group, has sparked extensive discussion within the security community. Rather than providing another technical analysis, this article examines the incident through an insurance lens, using Harry Donnelly’s comprehensive technical write-up as our foundation.
Insurance Coverage Analysis:
When examining potential insurance coverage for such an incident, two primary policy types come into play: specie and crime policies. It’s important to note that neither policy would cover the first attack vector (the compromise of Safe Wallet’s infrastructure), as these policies focus on first-party rather than third-party technology failures. Also, there would be no feasible way for underwriters to underwrite every technology that custodians interact with in order to understand the third-party tech risk.
On this basis, we are examining the policy language only for coverage of the second attack vector. The analysis of both the specie and crime policies has been taken from market standard wordings. It’s also important to note that I do not have any knowledge of ByBit’s insurance program and have based my analysis on a few assumptions.
Crime Policy Analysis:
A standard crime policy proves more promising, particularly under two potential coverage areas:
1. Computer Fraud Coverage (Insuring Agreement 5)
The compromise of a signer’s laptop could qualify as a “network security breach” under this coverage, which includes “change to data elements or program logic of your computer system.” This interpretation would likely trigger coverage without running afoul of standard exclusions.
2. Funds Transfer Fraud Coverage (Insuring Agreement 6)
While traditionally intended for social engineering attacks, the broad definition of “fraudulent instruction” could encompass the unauthorized transaction requests in this case. This is a notable finding, as the attackers sent a fraudulent transaction request to the signers which ultimately drained the wallets.
There were no notable exclusions in the crime policy that would have barred this claim.
Practical Considerations:
Despite potential coverage under a crime policy, several practical limitations exist:
– Maximum available market coverage typically caps at $100 million
– With a $1.5 billion loss, this leaves a $1.4 billion gap
– At market rates of approximately 2%, a $100 million policy would cost around $2 million in premium
– Standard deductibles hover around $250,000
While recovering $98 million (after premium costs and not including the deductible) on a $1.5 billion loss is significant, it highlights the challenge of insuring against massive crypto losses. The maximum available coverage represents less than 7% of ByBit’s total loss.
It’s certain that insurance alone doesn’t solve this issue, but a united offering would. By creating a comprehensive risk management package that includes insurance with proactive risk mitigation as well as enhanced infrastructure segregation, the industry would be in a better position to defend and indemnify itself should this happen again.
https://ben755.substack.com/p/the-15b-bybit-hack-would-insurance