This one's in case you need to learn the basics of commercial insurance for web3 businesses in under 20 minutes.
Looking for the checklist version? Here you go.
Web3 businesses face unique risks and challenges but it’s up to the insurance industry to understand them. Insurance for an evolving blockchain sector needs protection that scales to the technology and the businesses adopting it. For the onchain industry to progress, it will take insurers who are dedicating themselves to nurturing and protecting the web3 industry.
Founders of web3 businesses are also in the unique position in that they can single-handedly impact the understanding and sophistication of the insurance industry. How? By helping insurers understand the nuances and challenges of their business.
This guide is part of a collection of articles designed to help onchain businesses understand insurance, talk to insurers and address their unique risks through bespoke insurance policies. It works best as a reference guide and lets you, the reader, pick out only the information you need.
Understanding insurance for web3 business
Stage: Seed
Key Person
Directors & Officers
Stage: Early
General Liability + Employers Liability + Office
Stage: Growth
Professional Indemnity
Cyber
Crime
Specialist Covers
Financial Institutions
Smart Contracts
Staking
The Parameters of your Insurance
Here are the fundamental factors that will dictate the price and availability of insurance for a web3 business:
Type of insurance required
Amount (or limits) of insurance required
The jurisdiction and regulatory environment of the business
Insurance market conditions
The evolution of cover required is similar for most tech businesses. Here are the types of insurance you should consider as the business grows:
This one's often a requirement for VCs to invest in your business.
Key Person insurance is a type of Life insurance that’s designed to protect a business in the event of the death or disability of a key employee or executive, also known as a "key person". In a startup, there may be key individuals whose contributions are critical to the success and viability of the business. Key Person insurance helps ensure that the business is financially protected if such a person is unable to continue working.
This one's about you and your co-founders.
Directors' and Officers' (D&O) insurance is designed to protect the directors and officers of a company from personal financial liability arising from lawsuits relating to their responsibilities in running the business. Board members' personal assets are also potentially at risk, which is a primary reason investors require their portfolio companies to purchase the cover.
D&O is especially important for web3 founders because the regulatory landscape for the crypto sector is still developing rapidly and can be highly unpredictable, making it significantly riskier than for TradFi businesses. Onchain businesses could face legal actions from a variety of stakeholders, including investors, customers, competitors and regulators. These could be claims of financial mismanagement, misleading statements, errors or misrepresentations in a pitch deck, regulatory compliance failures, security breaches and a range of other disputes, all of which might lead to legal fees, settlements and damages.
The more blockchain-native a business is, the more it needs to understand that decentralised technologies create unique challenges in identifying and holding individuals accountable for legal violations. This is further complicated when forming DAOs, stateless entities or most other forms of fully decentralised project, where it's not always clear who is in charge and which legal jurisdiction they are subject to. If liability can't be attributed to a specific party because that party is hard to identify, the claim will most likely attach to the nearest tangible entity, namely the founders, or even every participant in the DAO.
These concerns are now materialising: insurers have seen a dramatic increase in the number of D&O claims made against crypto and blockchain businesses. Bear market conditions in particular appear to be a primary driver of claims, as investors look for ways to claw back losses to help them survive a downturn.
A D&O policy provides broad cover for management decisions made by you or by the decentralised collective. Not only is D&O one of the most prudent and protective covers a well-run business can buy, it also gives investors, founders and board members greater peace of mind as you all navigate the rapidly evolving landscape of blockchain regulation.
This one's all about the people.
There comes a time when you're building a team where health and safety must be a top priority. Four generic types of insurance tick these boxes, and there's nothing specific to your industry that needs to be taken into consideration. These cover the cost of legal fees, settlements and judgments related to the following types of claim.
General Liability (GL) - Designed to protect your business from financial loss resulting from claims of property damage or bodily injury to members of the public. Trips, slips and damaging someone's property fall under GL.
Employers Liability (EL) - If you employ people, this is a legal requirement in most countries. It protects your business from financial loss resulting from claims by employees who suffer work-related injuries or illnesses. This is not to be confused with Employment Practices Liability (EPL).
Office - This type of insurance is designed to protect your business property, equipment and operations. It can cover the cost of damage to your business property from events such as fire, theft or natural disasters, as well as the cost of lost or stolen equipment. Office insurance can also provide protection against business interruption, which occurs when your business is unable to operate due to an event such as a fire or natural disaster. A few extra points to check: whether your business is covered when using shared workspaces, and when staff work from home or remotely.
Employment Practices Liability (EPL) - This protects employers against claims made by employees alleging discrimination, harassment, wrongful termination, or other violations of their rights as employees. EPL doesn’t cover intentional acts of discrimination or harassment, so it is important to have effective policies and training in place to prevent bad employment behaviours.
This one's all about your customers.
Professional Indemnity (PI) insurance is also known as 'Errors and Omissions' (E&O) or 'Professional Liability' insurance. PI is a type of policy that provides financial protection to the business when a client or user makes a professional negligence claim against you.
Do you develop or audit smart contracts or other infrastructure? Provide DeFi services? Create NFTs or build tools and platforms for creators? Have ‘traditional’ contracts with your clients and partners? Terms & conditions with your users?
Whatever your business does, PI covers a breach of contract with your customer because of an error in your work. A claim made against the business could cost legal fees, settlements or damages awarded to your client, and if the fallout of this is likely to exceed the amount you pay for your insurance, it becomes a no-brainer. PI has become so important to protecting businesses and their clients that you’ll usually see a level of PI mandated in commercial contracts.
Understanding how much professional indemnity insurance is needed can be straightforward for many businesses. When a business has contracts with its clients, each contract will state the value of the goods and services, the terms and conditions of the relationship and the limit of liability for each party. When it comes to buying insurance, the business needs a limit that sufficiently covers its largest contract.
Professional Indemnity needs some re-framing in the context of onchain businesses. Decentralised technologies create unique challenges in identifying and holding individuals accountable for contractual violations. Without KYC, KYB or any user details, it can be extremely difficult to understand who they are and what your legal or contractual obligation might be towards them. Sometimes this is an intended feature of dApps (see Uniswap or TornadoCash), but understand that if you’re trying to present yourself as an organisation that can work with and around traditional businesses, they’re going to expect you to have a full grasp on who you’re doing business with and your exposures to the risks that come with it.
What if you’re relying on other decentralised businesses that break or stop working? Or even open-source software that breaks? You’ll quickly understand why Cyber insurance has become critical for web3 businesses.
When you've done all you can to secure your software, networks and data, this one's your final safety net when things still go wrong.
This is often the most challenging insurance to obtain for a business and the reason is agreed upon by both insurers and security professionals across the ecosystem. Onchain businesses regularly fail to apply ‘traditional’ cybersecurity best practices to their operations because they assume the main attack vector for hackers will be through compromised wallets and private keys.
Cyber insurance is designed to protect businesses from losses or damages resulting from cyber attacks, network & data breaches and systems failure. The policy typically covers expenses from cybersecurity incidents, which include legal fees, public relations expenses, notification & credit monitoring costs, and business interruption losses. It may also cover broader cybersecurity risks, such as social engineering and fraudulent funds transfers.
The cost of Cyber depends on a few key factors, most notably: the type of data handled; how critical it is for your services to be online; the security measures in place; and the amount of coverage needed. It's vital for founders to carefully consider the security of their business and to speak to insurers who are experts in both security and onchain systems.
It's important to understand that the 'computer systems' covered in Cyber policies refer to websites, servers and cloud services, and typically exclude smart contracts. To cover smart contracts or any other onchain system, underwriters need to specifically include them within the terms of the policy or provide dedicated smart contract cover (discussed in a later section). This is where the expertise of brokers who specialise in web3 becomes invaluable, as they'll ensure that the policy provides coverage for smart contracts and other onchain systems.
Finally, Cyber insurance needs its own contextualisation regarding onchain business. Similarly to Professional Indemnity, decentralised technologies can make it so that the customer is hard to identify for a business. Consider the position of your business being the customer or dependent on someone else’s smart contract. As the flip-side to the challenges discussed in PI, what if your business relies on a third party service, but they’re decentralised enough that you can't make a claim against them if they don’t deliver?
This one's for when bad-actors make it past your defences.
Generally speaking, this covers the business losses as a result of crime, rather than reimbursing the individual (retail) users of DeFi protocols after a hack or rug-pull. Crime insurance protects against various criminal activities from both insider and external threats. Although traditional crime policies cover many scenarios that include the theft of physical money or forged cash and cheques, it’s the online theft and fraud that web3 businesses need to focus on.
Employee Theft Coverage safeguards businesses from losses from theft committed by a malicious employee, acting alone or in collusion with others.
Funds Transfer Fraud offers protection for cash directly and fraudulently extracted from the business.
Similarly, Computer Fraud Coverage protects against loss of funds and other securities resulting from other types of fraud committed by hackers.
One that’s crucial for relationships, Client Coverage addresses any direct losses sustained by a client because of theft or forgery committed by one of your employees.
Given the era of AI and deepfakes, Social Engineering Fraud Coverage has become absolutely essential for fintech and web3 businesses handling funds. This protects you from losses caused by transferring money or securities after being socially engineered by someone impersonating a vendor, client, or authorised employee.
The cover provided is relatively broad, but it's important to note that crime insurance policies typically have an "absolute cryptocurrency exclusion," meaning that losses denominated in cryptocurrencies are not covered. If this additional protection is crucial for your business, a specialist broker can work with underwriters to include a set of insurable circumstances when ‘crime’ extends to the theft of cryptocurrencies.
This one's for when you're building to replace TradFi.
This is Professional Indemnity for businesses providing financially regulated services, regardless of whether they're 'on' or 'off' chain. Exchanges, neobanks, market makers and lending platforms (to name a few) use Financial Institutions Professional Indemnity (FIPI or FI) to protect themselves against legal actions resulting from professional negligence, errors or omissions. Given its proximity to finance, FI looks to cover services such as investment management, financial advice, fiduciary duties and DeFi protocols.
As companies are held to higher standards of care towards consumers and retail investors, FI policies have become a crucial cover for many onchain businesses. Regulatory understanding of crypto is early and our understanding of its impact even more so. Mis-selling of investments or securities, failing to provide clear risk statements and mishandling of customer funds are all areas that could attract claims.
To compare FI to PI, regulated fintech businesses and financial institutions operate in a more centralised and controlled environment with significantly larger sums of money, debt and obligations to clients.
There are two circumstances that businesses using smart contracts are concerned about:
1. The losses suffered by the business should a smart contract they rely on fail, break or be hacked.
Here we are discussing the third-party risks of using someone else's smart contract within a business.
Onchain insurance platform Nexus Mutual is the biggest insurer of third-party smart contract risk and provides cover for hacking and stablecoin de-pegging. The available capacity is limited and doesn't go far towards covering commercial needs. Founders should treat this exposure as an ongoing business and security risk that needs to be assessed and managed as a priority.
If you have a direct contract with the owners of the third-party smart contract, you may look to specify a level of Professional Indemnity insurance that will make your business whole after an incident.
Cyber insurance policies sometimes include 'Dependent Business Interruption', which responds when a third-party system your business depends on (here, the smart contract) goes down or is hacked. Including a smart contract under these terms can only be done through an expert insurance broker and will increase the cost of insurance.
If the smart contract is open source or takes no liability for its use (as is the case with 99% of smart contracts we see) and isn't covered by your Cyber insurance, there really is no other accessible way to protect against these exposures other than excellent risk management. Sometimes it's more cost-effective to spend funds on additional security rather than on bespoke smart contract insurance.
We anticipate the commercial insurance market will come around to providing third-party smart contract cover sometime within the next one or two years.
2. Their liability to their customers if their smart contract fails, breaks or is hacked.
Here we’re discussing the first-party risks of using a smart contract within a business that has been developed by that business.
Commercial insurance for first-party smart contract risks is somewhat more sophisticated but is often inaccessible or prohibitively expensive to businesses.
As with the previous section, there are various pathways to insurability. The clearest option is to have the business’ PI and Cyber insurance policies include cover for the smart contract(s). Similarly, we recommend the use of an expert web3/crypto/blockchain broker to ensure the nuances of your business and smart contract are covered as intended.
Some insurers have released dedicated smart contract specific policies to address the risks head-on, but they’re in very limited supply, they’re completely bespoke and are some of the most expensive insurance policies that can be bought.
Some projects gain insurance by auditing with a smart contract security firm that has an insuring solution with an underwriter. The few auditors that offer this may not be suitable for all audits, which limits insurance availability.
A common question I get is “can we buy insurance to cover the TVL of a smart contract?”. No, insurance isn't a product that transfers balance sheet risk to insurers. For example, buying $1m worth of insurance for $10k cannot be entered on a balance sheet as a $1m asset or $1m reduction in balance sheet liabilities. Insurance is designed to provide protection against a specific set of bad scenarios so that the business may remedy the situation and continue trading into the future. It’s a last safety net should all other protections and precautions fail.
We anticipate the commercial insurance market will provide affirmative cover for first-party smart contract risks within the next year.
Slashing insurance for institutional Ethereum validator operators works by providing coverage against slashing penalties after a large slashable event. It's not in either party's interest to insure tiny slashing penalties (they're a cost of doing business), but all commercial operators have large slashing events at the top of their concerns.
The cost of slashing insurance would depend on various factors, such as the size of the validator's stake, their history of rule compliance, and the overall risk level of the Ethereum network. Validator operators would need to assess the cost-benefit of purchasing slashing insurance based on their individual risk tolerance and the potential financial impact of slashing penalties.
Both DeFi and TradFi insurers are happy to underwrite this onchain native risk because the parameters of loss are clear, with well defined rules and a full history of prior slashing events.
By working with specialist web3 insurance brokers, you can tweak and adjust the above components to arrive at a bespoke solution tailored to your specific business.
Policy limits are the maximum amount that an insurer will pay out in the event of a covered claim. Choosing limits that fit your business's unique needs and risk profile is essential to ensure the safety net is big enough to support the business should the worst happen.
Deductibles, Retentions & Excesses are out-of-pocket expenses paid by the business before its insurance kicks in, or which are deducted from the final claim payment. Higher deductibles lead to lower premiums, but this needs to be weighed carefully against whether the business can afford to pay a larger excess in hard circumstances.
Exclusions and limitations are specific events or circumstances that are not covered by your insurance policy. Reviewing these with your broker is vital to ensure that there are no surprises if it ever comes to filing a claim.
Premiums are the payments you make to your insurer for coverage. The balance between the cost of your insurance and adequate cover for the business is an ongoing challenge brokers must help clients navigate.
Policy terms and conditions are the details of the insurance policy, including any specific requirements, restrictions, or clauses that may affect your coverage. Again, make sure to review these carefully with insurance professionals before committing to a policy.
Third-party vs first-party risk is a simple but important distinction to understand. Insurance policies can cover both first-party risks (exposures your business faces due to the services you provide) and third-party exposures (risks faced due to the business's reliance on other businesses).
I’m Dan Ross, an Insurance Underwriter protecting onchain businesses and their founders.
I share my views on all things insurance for web3 businesses. You can follow them on twitter, mirror or my website.
I work at London insurance broker, Superscript. Our web3, crypto and blockchain team is world-leading and supports many of the biggest names across the ecosystem. To find out more, visit our website and follow our Twitter.
Articles published are for educational purposes and don’t constitute financial, legal or professional advice – always speak to a professional advisor if you need advice. I won’t be responsible or liable for any loss, damage or inconvenience that arises in connection with your use of this content. The personal opinions published in views, blog posts, opinion pieces or articles are my own. I am not responsible or liable for the contents of external websites. External links shouldn’t be taken as an endorsement of the website or its operators.