Bitcurex faced a hacking attack on Friday morning, forcing the Polish Bitcoin exchange to (temporarily) go offline. Reportedly, the attack was blocked but some funds were still stolen. This is yet another example of counterparty risk faced by investors in digital currencies. Some services have responded by starting to offer insurance for Bitcoins, as a way to mitigate some of this risk. But a closer look reveals that there’s a catch.
Counterparty credit risk
According to a status update on Bitcurex’s home page “hackers managed to defraud only a portion of the funds stored in operational Hot Wallet Bitcurex.” This comes shortly after the bankruptcy of MtGox, which was forced to shut down “due to the theft or disappearance of hundreds of thousands of bitcoins owned by MtGox customers as well as MtGox itself.” It reveals how easily cryptocurrencies can be lost due to a weak counterparty. The best way to mitigate this risk is to buy insurance. In the case of Bitcoin, there are no credit derivatives available for this purpose. It is, however, possible to get insurance from storage providers like Elliptic and Xapo.
Elliptic allows you to insure a specified amount, in British Pounds Sterling (GBP), of the Bitcoins stored in its vault. The current exchange rate is about £370 ($614) per Bitcoin. Insuring the current market value of 100 Bitcoins would thus require a Liability Limit of £37,000 ($61,400). Elliptic charges 2% of the chosen Liability Limit (in GBP) per annum. The fee is deducted from the Bitcoins stored at Elliptic, converted at the relevant market rate. If the exchange rate dropped to £185 ($307) per Bitcoin, 4 Bitcoins would be deducted from the stored amount to cover the cost (2% of £37,000 is £740, or 4 Bitcoins at £185). This would be the best scenario for Elliptic, as it means the remaining 96 Bitcoins won’t utilize the full Liability Limit unless the exchange rate moves back up to £385 ($640). The Liability Limit also means that if the exchange rate increases to £740 ($1,228) per Bitcoin, you would only get 50 Bitcoins back if they go missing. Overall, the limited protection seems expensive, and it should be noted that the insurance underwriter isn’t known.
At a service cost of 0.12% per year, Xapo offers free protection from “all incidents that are not caused by you” for all Bitcoins stored in their vault. Xapo claims to be fully backed by an insurer called Meridian Insurance. Further details on their policy, however, aren’t provided. This might sound too good to be true, and it probably is. No insurer would be willing to fully cover potentially millions of dollars in claims for free. Any statement that implies otherwise should be approached with appropriate scepticism. Let’s assume Xapo manages to attract 16,287 Bitcoins (over $10 million in value). If Bitcoin prices were to increase tenfold, the insurer would have to be able to pay out $100 million. This risk (to the insurer) is said to be provided at no cost. If there is any real insurance at all, it is most likely only a limited liability in the form of a fixed dollar amount. Furthermore, as Xapo charges its service cost in BTC rather than in USD, it exposes its operating cash flows to significant risk from market price fluctuations. This would be even riskier if Xapo is actually paying a fixed amount of dollars for its (potentially) limited insurance. Given the above, Xapo should be avoided until it can provide more (confirmed) details on its own insurance.
The best alternative to buying insurance is diversification. A diversification strategy could include spreading coins over various exchanges and wallets. It is to be expected that some coins will be lost if they are spread out, but this is the cost of significantly reducing the risk that all coins are lost. Let’s assume that exchange A has a probability of default (over a one-year horizon) of 10%, and exchange B has a default probability of 15%. Their joint probability of default (assuming zero default correlation) can be calculated as 10% times 15%, resulting in 1.5%. This method is guaranteed to reduce the credit risk of holding any digital currency. It also helps to protect oneself from stolen passwords. But in the end, no single method is bulletproof, and your coins are still at risk from any regulation that might negatively impact cryptocurrencies in general.
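
The diversification trade-off described above can be worked through for any number of custodians. The following Python sketch is an added example, not part of the original article; it assumes independent defaults and a total loss of whatever is held at a defaulting custodian, and the function names and the 50/50 split are illustrative assumptions.

```python
from itertools import product


def loss_distribution(holdings, default_probs):
    """Map each possible lost fraction of the portfolio to its probability.

    Assumptions (not from the article): defaults are independent and a
    defaulting custodian loses everything it holds for you.
    """
    total = sum(holdings)
    dist = {}
    # Enumerate every combination of "defaulted / survived" per custodian.
    for outcome in product([False, True], repeat=len(holdings)):
        prob, lost = 1.0, 0.0
        for defaulted, amount, pd in zip(outcome, holdings, default_probs):
            prob *= pd if defaulted else 1.0 - pd
            if defaulted:
                lost += amount
        fraction = round(lost / total, 10)
        dist[fraction] = dist.get(fraction, 0.0) + prob
    return dist


def summarize(holdings, default_probs):
    """Headline risk figures for one way of splitting the coins."""
    dist = loss_distribution(holdings, default_probs)
    return {
        "p_total_loss": dist.get(1.0, 0.0),
        "p_any_loss": 1.0 - dist.get(0.0, 0.0),
        "expected_loss_fraction": sum(f * p for f, p in dist.items()),
    }


if __name__ == "__main__":
    # Article's figures: exchange A defaults with 10%, exchange B with 15%.
    scenarios = {
        "all coins at A": ([100], [0.10]),
        "all coins at B": ([100], [0.15]),
        "50/50 across A and B": ([50, 50], [0.10, 0.15]),
    }
    for name, (holdings, pds) in scenarios.items():
        s = summarize(holdings, pds)
        print(f"{name:22s} total loss {s['p_total_loss']:.3f}  "
              f"any loss {s['p_any_loss']:.3f}  "
              f"expected loss {s['expected_loss_fraction']:.3f}")
```

With the article's numbers, the split lowers the chance of losing everything from 10% or 15% to 1.5%, while the chance of losing at least some coins rises to 23.5%.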