Policyholders Should Not Overlook Traditional Policies In Evaluating Coverage For Cryptocurrency-Related Risks – Technology

In Short

The Situation: Companies using or investing in
cryptocurrencies face various risks, including digital theft,
ransomware attacks, and market volatility. The availability of
insurance coverage for these risks is evolving rapidly.

The Result: In addition to evaluating new forms
of coverage that may be available for these risks, policyholders
facing cryptocurrency-related losses should also review their
traditional insurance policies carefully for potential protection
against such losses.

Looking Ahead: As with many emerging losses,
the insurance industry has already begun trying to develop and add
language to traditional policies attempting to limit or modify the
scope of coverage for cryptocurrency-related risks while
simultaneously marketing new forms of specialty coverage tailored
to cryptocurrency risks. Policyholders should be mindful of any
such language when purchasing traditional forms of insurance and
consider whether additional specialized coverage should be
purchased.

Introduction

Cryptocurrency, such as Bitcoin, is a decentralized and
exclusively virtual currency that is secured through cryptography.
Companies using or investing in cryptocurrency face various risks,
such as market volatility, ransomware attacks, and digital theft.
Losses resulting from such risks may be covered by existing
insurance policies, such as property insurance, cyber insurance,
and/or directors and officers (“D&O”) insurance
policies. For example, property insurance may cover monetary losses
if cryptocurrency is stolen; cyber insurance may cover ransom
payments to hackers targeting cryptocurrency; and D&O insurance
may cover legal costs in connection with claims against directors
or officers for their decisions and actions in connection with
cryptocurrency use and/or investments. Because cryptocurrency is
relatively novel, courts and government agencies have not yet
reached a consensus as to how to categorize it. For example, some
courts and/or agencies have categorized cryptocurrency as property,
while others have characterized it as funds or money. And, whether
cryptocurrency constitutes a security is currently being litigated
in Securities and Exchange Commission v. Ripple Labs Inc.,
Case No. 20-cv-10832 (S.D.N.Y. 2020). Policyholders facing
cryptocurrency-related losses should carefully evaluate these
varying and evolving characterizations of cryptocurrency and
analyze potential coverage under their existing insurance
policies.

Property Insurance

Policyholders may be able to recover cryptocurrency-related
losses under their property insurance policies. Property policies
typically cover physical damage or loss to tangible property.
Guidance from the Internal Revenue Service (“IRS”) and
rulings by some courts suggest that cryptocurrency qualifies as
“property.” For example, the IRS has indicated that for
federal tax purposes, virtual currency is treated as property.
See I.R.S. Notice 2014-21. An Ohio court relied on this
IRS guidance in Kimmelman v. Wayne Ins. Grp., 2018 Ohio
Misc. LEXIS 1953 (Ct. Comm. Pl. 2018) to confirm coverage under a
homeowner’s property policy for stolen Bitcoin. There, the
policyholder suffered a $16,000 loss when his Bitcoin portfolio was
stolen. The insurer tried to characterize the Bitcoin as money,
which was subject to a $200 sublimit under the policy. The court
rejected this argument, holding that the policyholder’s Bitcoin
portfolio constituted property, which was not subject to the $200
sublimit. The court reasoned that “‘virtual currency’
is recognized as property by the IRS and shall be recognized as
such by this Court.” Id. at *2.

Although cryptocurrency is virtual, it can also exist as
physical, tangible property in the form of “cold
cryptocurrency.” Cold cryptocurrency is stored offline on hard
drives or flash drives, which can be physically damaged or stolen.
Such damage should satisfy any requirement of “physical damage
to tangible property” covered under property policies.
Insurers may attempt to distinguish physical hard drives from the
data stored within the hard drives. For example, the Fourth Circuit
has labeled the data stored within physical hard drives as
“abstract ideas, logic, instructions, and information”
and not “tangible property.” Am. Online, Inc. v. St.
Paul Mercury Ins. Co., 347 F.3d 89, 96 (4th Cir. 2003).
However, courts have rejected insurers’ arguments that data,
such as cryptocurrency, is not property susceptible to physical
loss or damage. See, e.g., EMOI Servs., LLC v. Owners Ins.
Co., 180 N.E.3d 683, 693-96 (Ohio Ct. App. 2021) (holding that
a ransomware attack that encrypted the policyholder’s software
and data (and only decrypted it upon a Bitcoin payment) caused
“direct physical loss or damage” to the
policyholder’s property, rejecting the insurer’s arguments
that “the software and data have no physical existence and
thus are not susceptible to physical loss or damage”).

Cyber Insurance

Cryptocurrency-related losses may also be covered under cyber
insurance policies. Cyber policies typically cover cyber risks such
as losses from malicious code and viruses, attacks, unauthorized
access, theft, web site defacement, and cyber extortion
(i.e., ransom payments). The meteoric rise in value of
several types of cryptocurrency, including Bitcoin, makes
cryptocurrency an increasingly popular target and/or demand amongst
ransomware hackers.

Fortunately, many cyber policies expressly cover cryptocurrency
losses, or are worded broadly enough to clearly encompass
cryptocurrency-related losses. However, to the extent cyber
policies use terms like “money” or
“securities,” insurers may argue that such terms do not
include cryptocurrency. In response, policyholders can point to
multiple favorable characterizations of cryptocurrency by courts
and administrative agencies. For example, courts have held in
criminal cases that Bitcoins are both funds and money. See,
e.g., United States v. Ulbricht, 31 F. Supp. 3d 540,
570 (S.D.N.Y. 2014); United States v. Ologeanu, No.
5:18-CR-81-REW-MAS, 2020 WL 1676802, at *11 (E.D. Ky. Apr. 4,
2020). In addition, the issue of whether cryptocurrency may
constitute a security is currently being litigated in
Securities and Exchange Commission v. Ripple Labs Inc.,
No. 20-cv-10832 (S.D.N.Y. 2020).

Directors and Officers Insurance

Companies and their directors and officers could face claims
from investors and other third parties arising out of their
decisions and actions in connection with utilizing and/or securing
cryptocurrency. Indeed, SEC Chairperson Gary Gensler likened the
crypto landscape to “the Wild West” because the
unregulated cryptocurrency market is so fraught with fraudsters. A
company with deficient storage, security, and recovery protocols
relating to its use of cryptocurrency may face not only lost or
stolen assets, but also potential claims against it for negligence
and breach of fiduciary duty. In addition, directors and officers
may face additional risks arising from increasing cryptocurrency
regulation.

D&O policies generally cover claims arising from managerial
decisions that have adverse financial consequences. Thus, claims
against companies and/or their officers or directors in connection
with their investment in and/or use and security of cryptocurrency
may be covered under D&O policies. Policyholders evaluating
coverage under their D&O policies should pay careful attention
to any exclusions that could potentially limit the scope of
coverage for cryptocurrency-related losses, such as electronic data
exclusions and/or exclusions for criminal conduct.

Three Key Takeaways:

1. Because cryptocurrency is relatively new, traditional insurance
   policies may not expressly address cryptocurrency-related risks.
   However, that does not mean cryptocurrency-related losses are not
   covered.




2. Actual policy language, relevant case law, and guidance from
   government agencies and/or other resources regarding the
   characterization of cryptocurrency should be evaluated in
   determining the potential availability of coverage under
   traditional policies. Importantly, the same cryptocurrency loss may
   be covered under several different types of policies. For example,
   theft of cryptocurrency due to alleged insufficient security
   measures could result in claims under property, cyber, and D&O
   policies.




3. Accordingly, it is important for policyholders to consider how
   the characterization of cryptocurrency (e.g., as property, data,
   money, and/or securities) may impact coverage under all potentially
   applicable policies.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.