With cryptocurrency assets now topping $1.5 trillion
globally, there is escalating potential for theft of assets held in bitcoin and
other forms of digital currency. The recent surge in bitcoin prices and large
institutions’ heightened interest in dealing in these new currencies have
raised the stakes. As more businesses consider investing in cryptocurrency and
incorporating cryptocurrency transactions into their operations, they will need
to take security and insurance coverage issues into account.
FBI, CISA and Treasury Department Issue Warning
In a joint advisory issued on February 17, 2021, the FBI,
the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S.
Department of Treasury highlighted the threat to cryptocurrency posed by the
AppleJeus code exploit, which has been attributed to North Korean threat
actors. According to the advisory, these actors “are targeting cryptocurrency
exchanges and accounts to steal and launder hundreds of millions of dollars in
cryptocurrency.” There are variations on
the scam, but a common tactic uses a copy of a legitimate-sounding
cryptocurrency trading platform or virtual wallet to steal credentials and
other vital information from victims in the United States and elsewhere.
During the past year alone, organizations in over 30
countries have reportedly been targeted in these cryptocurrency thefts.
According to the advisory, “It is likely that these actors view modified
cryptocurrency trading applications as a means to circumvent international
sanctions on North Korea—the applications enable them to gain entry into
companies that conduct cryptocurrency transactions and steal cryptocurrency
from victim accounts.”
The attacks have frequently targeted enterprises in sectors
like finance and energy. A previous CISA alert warned that “North Korea’s
widespread international bank robbery scheme” exploits critical systems and
presents risks to financial institutions around the world.
One malware trap involving cryptocurrencies is a program
known as Union Crypto. According to CISA’s analysis, the program loads a
legitimate-looking cryptocurrency trading application, which engages in “the
simultaneous buying and selling of securities, currency or commodities in
different markets or in derivative forms to take advantage of differing prices
for the same asset.” The application exhibits no signs of malicious activity,
but when launched, it collects and exfiltrates the victim’s information.
According to the advisory, companies the exploit impacts
should immediately contact law enforcement, and take a number of technical risk
mitigation steps. These include generating new keys for cryptocurrency wallets,
and/or moving funds to new wallets; using hardware wallets to keep the private
keys in a separate, secured storage area; introducing two-factor authentication
as an extra layer of verification; removing impacted hosts from the network and
changing all passwords to any accounts associated with impacted hosts; and
updating and installing patches for all software and hardware, including any
antivirus software, host-based intrusion detection software and firewall
firmware. Companies should also assume the threat actors have moved laterally
within the network and downloaded additional malware, and should scan systems
thoroughly as a result.
CISA also recommended the following proactive mitigation
steps to defend against AppleJeus malware and related activity:
- Verify the source of cryptocurrency-related applications.
- Use multiple wallets for key storage,
striking the appropriate risk balance between hot (online) and cold
- Use custodial accounts with multi-factor authentication mechanisms to verify both users and devices.
- Patronize cryptocurrency service businesses that offer indemnity protections for lost or stolen cryptocurrency.
- Consider having a dedicated device for cryptocurrency management.
- Train users to identify common social engineering, phishing and spearphishing techniques and report any suspicious activity.
Insurance markets have begun to roll out dedicated products
specifically designed to cover cryptocurrencies. Substantial limits may be
available for both assets in cold storage (under a specie policy) or assets in
Cold storage refers to cryptocurrency that is kept secure
using offline storage not connected to the internet. This typically involves
hardware devices, but could also include private keys written on paper and kept
in a safe. Specie policies were originally created to cover material assets
like precious metals, diamonds or currency kept in bank vaults. The coverage
has been updated in recent years to provide similar protection for
cryptocurrency assets in cold storage. Large cryptocurrency exchanges and
custodians may secure this coverage on their own behalf for client assets.
Cryptocurrency custody and trading platform BitGo, for example, has reported
that it maintains $100 million in specie coverage.
Crime policies are typically used to cover assets in hot
wallets, which are connected to the internet. Cryptocurrency exchange Coinbase
reported in 2019 that it had secured $255 million in coverage for hot wallet
assets, placed through Lloyd’s syndicates.
Individual corporate policyholders that have custody of
their own cryptocurrency may also have coverage under their dedicated cyber
insurance and commercial crime coverage policies, and may have coverage under
personal lines insurance policies as well. However, this is not an absolute
certainty, and any company that has a position in cryptocurrency assets and intends
to practice “self-custody” should carefully review their own policies. They
need to determine if, given their risk appetite, using a third-party custodian
with well-developed security protocols and coverage in place would be a safer
approach, even though it may provide less control over the assets themselves.
While some insurance
companies have taken the position that cryptocurrency is not “personal
property” subject to coverage, this argument is contrary to established
principles of insurance policy interpretation. Questions may also arise
regarding valuation of a loss and the amount to be reimbursed—that is, whether
the value should reflect the price of the currency at the time of the loss, the
price at the time of acquisition, or the price at the time the claims payment
is made. Here, the correct position may turn on facts, circumstances and policy
language, but given the volatility in cryptocurrency markets, reaching the
right answer is vitally important for any policyholder who has suffered a significant