Mitigating Risks in the Digital Asset Space – The Role of Insurance


Introduction

Financial institutions offering digital payment token (“DPT”) services face significant risks, including cyberattacks, operational disruptions, and legal liabilities. For example, the Bybit hack resulted in losses exceeding US$1.4 billion, exposing vulnerabilities in its Safe UI system. Attackers exploited flaws in this user interface to gain unauthorized access and execute fraudulent transactions.1 Such incidents highlight the importance of robust security protocols, as well as the potential role of insurance in mitigating financial losses for both service providers and their customers if security is compromised.

While insurance can act as a backstop to help manage these risks, firms must also weigh its benefits against potential drawbacks. This article explores the key risks faced by DPT service providers, the types of insurance available to mitigate those risks, how regulations are changing to include insurance requirements, and why some firms might or might not choose to purchase insurance as a means of transferring risk.

Risks Faced by Digital Asset Firms

Cybersecurity Threats and Hacks

DPT service providers are prime targets for cyberattacks due to the liquidity of cryptocurrencies and the speed of transactions. Given the sensitive nature of financial transactions and customer data in the DPT space, a breach can lead to severe reputational damage and legal consequences if the worst occurs.

Operational and Custodial Risks

Firms offering custody services face challenges such as securing private keys and managing wallets. Loss or theft of private keys can result in irretrievable asset losses, while operational errors or system failures can damage customer trust.

Legal and Regulatory Liability

Directors and officers of DPT service providers are exposed to personal liability risks from regulatory investigations, shareholder lawsuits, or allegations of mismanagement. Firms may also face professional indemnity claims if their services cause financial harm or damage to third parties.

Types of Insurance to Mitigate Against Such Risks

Cyber Insurance

Cyber insurance protects against losses resulting from hacks, ransomware attacks, data breaches, and other cyber threats. Typical coverage includes:

  • breach response costs (e.g., forensic investigations);
  • business interruption losses;
  • legal defense costs for third-party claims; and
  • regulatory fines for data protection violations.

Nevertheless, it is important to note that a typical cyber insurance policy will have an exclusion for digital assets or cryptocurrencies.

Digital Asset Custody Insurance

Digital asset custody insurance offers protection against theft or loss of assets stored in cold wallets (offline storage) or hot wallets (online storage). Coverage may include:

  • theft due to hacking or insider threats;
  • loss of private keys through physical damage or theft; and
  • fraudulent transfers initiated under duress.

Typically, the market offers two types of policies. Specie insurance covers cold storage, including loss of private keys through physical damage or theft and fraudulent transfers initiated under duress, but excludes external theft due to hacking. Crime insurance extends to external theft.

Insurers providing specie coverage can offer limits up to US$1 billion, making it attractive for larger custody providers or those seeking relief from capital requirements. Crime insurance, which covers external theft, typically offers limits up to US$100 million. It is more comprehensive but also more expensive and less readily available than specie insurance.

Directors & Officers (“D&O”) Insurance

D&O insurance is readily available to DPT service providers and safeguards the personal assets of company directors and officers against claims arising from decisions made in their management capacity. This coverage is particularly important given the regulatory scrutiny faced by regulated DPT service providers. In addition, D&O insurance policies often require firms to implement robust governance practices, such as enhanced internal controls and compliance frameworks, as part of the eligibility criteria, which can help reduce operational risks by promoting better decision-making and risk management. D&O policies typically cover:

  • defense costs for lawsuits alleging mismanagement;
  • settlements or judgments from such claims; and
  • regulatory investigations targeting executives.

Professional Indemnity (“PI”) Insurance

PI insurance protects firms against claims arising from errors, omissions, or negligence in the provision of services. For example, a firm offering wallet solutions or blockchain consulting may face liability if its technology fails or causes financial harm to clients. PI coverage typically includes:

  • legal defense costs for negligence claims;
  • compensation for damages awarded; and
  • breach of contract disputes related to service delivery.

Reasons Financial Institutions Take Insurance

Risk Management Considerations

The Guidelines on Licensing for Payment Service Providers (the “Licensing Guidelines”) published by the Monetary Authority of Singapore (the “Authority”) applicable to DPT service providers do not require maintaining insurance coverage of any specific type. Nevertheless, the Authority’s comprehensive risk management guidelines emphasize the importance of effective risk mitigation. To satisfy the Guidelines on Fit and Proper Criteria and demonstrate financial soundness, a firm should assess whether it requires insurance coverage to withstand certain types of losses. The Technology Risk Management Guidelines further state that a financial institution “should take insurance cover for various insurable technology risks to reduce financial impact such as recovery and restitution costs”. Finally, DPT custody insurance can mitigate the risks of consumer harm arising from dealing in DPTs, a goal of the Authority stated in the Guidelines on Consumer Protection Measures by DPT Service Providers. Given the evolving regulatory landscape and the inherent risks in the digital asset space, having appropriate insurance coverage can provide significant protection and operational stability.

Competitive Advantage

In the light of incidents such as the Bybit hack, both customers and investors are increasingly questioning how firms keep their clients’ assets safe, including aspects of security, segregation and insurance. With the digital asset custody market becoming more competitive, the procurement of insurance with regulated insurers can serve as a competitive advantage.

Also, once a DPT service provider has been through the process of procuring its own insurance, it then has the opportunity to sell on the insurance (via a licensed insurance broker) to its clients, much like a bancassurance model. This may provide a competitive advantage and an additional revenue stream.

Finally, and unusually, most insurers are happy to allow the policyholder to state on the website or related marketing material what they are insured for and how much coverage they hold in support of providing an additional layer of credibility.

Reasons Financial Institutions May Not Take Insurance

High Costs, Limited Availability and Competitive Disadvantage

Insurance premiums for DPT service providers are often more expensive due to the perceived risks and limited actuarial data.2 Smaller firms or startups may struggle to afford coverage, especially as insurers impose strict underwriting criteria following major failures like FTX. Additionally, insurance increases early operational costs. If competitors do not incur similar costs, or if clients do not value insured services, this can make a firm’s business model less price-competitive.

Whilst the cost of insurance for DPT service providers in Singapore is reducing and its availability improving as more insurers enter the space and the understanding of digital asset risks matures, the timing of when to look at insurance will very much depend on the scale, funding and risk posture of the individual business.

Coverage Limitations and Exclusions

Even when insurance is available, policies often contain exclusions that limit their scope and value. For instance, cyber insurance policies may exclude losses from state-sponsored attacks or industry contagion events. Engaging a professional advisor or broker to carefully review policy terms is essential to ensure adequate protection against the most pressing risks.

Alternative Risk Management Strategies

Some firms prefer “self-insurance” by setting aside reserve funds for potential losses rather than paying high premiums for limited coverage. Others invest heavily in security infrastructure as a preventive measure against hacks and operational disruptions.

Conclusion

Prudent risk management requires considering all stakeholder interests, including clients, when evaluating whether to obtain insurance coverage. While insurance can mitigate downside risks for DPT service providers’ clients, the cost of premiums coupled with limited historical data may make pricing risk challenging for insurers. This dynamic often forces firms to weigh the benefits against competitive pressures and operational feasibility.

We recommend that financial institutions work with advisers such as Continuum to explore available insurance options and assess whether costs fit within their budgets. Firms that choose not to obtain insurance should document their reasoning, including an assessment of internal controls that may mitigate the risks insurance would cover. This decision should be approved by the Board and re-assessed periodically. Please feel free to reach out if you would like HM’s assistance in considering your firm’s risk profile and documenting an assessment on the need to obtain insurance.

For further information, contact:

HM

Chris Holland: Partner | chris.holland@hmstrategy.com

Continuum Risk Advisory

Rob Russell: Founder & Director | rob@continuuminsure.com


Disclaimer: The material in this post represents general information only and should not be relied upon as legal advice. Holland & Marie Pte. Ltd. is not a law firm and may not act as an advocate or solicitor for purposes of the Singapore Legal Profession Act.  Continuum Risk Advisory Pte Ltd (“Continuum”) registered in Singapore, UEN 202316352E is an independent risk advisory consultancy and technology provider. Continuum provides general risk advice and insurance product information through our website and other online means. Continuum is not an insurance company, insurance agency or insurance brokerage company and does not provide financial advice.


1 For a more thorough discussion of the Bybit hack, please see Kara Struckman and Madison Binder, “The Bybit Heist: What Happened & What Now?”, Wilson Center, accessed April 7, 2025.

2 Insurers rely on historical data to set premiums by analyzing past claims, loss patterns, and industry-specific risks, but in emerging sectors like digital assets, the lack of sufficient actuarial data makes pricing more challenging and can result in higher premiums.
