Crypto Insurance: Coverage Options for Digital Assets
Crypto insurance explained: custody (specie) vs hot-wallet cover, what SFC, VARA and NYDFS require, MiCA custodian liability, and the protection gap.

Crypto insurance is dedicated risk-transfer cover for digital-asset businesses and custodians. It pays out when private keys are stolen, a hot wallet is hacked, custody assets are lost, or executives face liability, because standard commercial policies generally exclude digital-asset risk altogether. For licensed exchanges and custodians, it is increasingly a condition of holding a licence rather than an optional safeguard.
That distinction matters. A founder reading this page may want to understand what crypto insurance covers; a compliance officer at an operator under the Hong Kong SFC VATP regime needs to know exactly how much of client assets has to be insured before a licence is granted. This guide serves both: it defines the product, maps the coverage lines, makes the cold-versus-hot distinction concrete, and then sets out where insurance is a hard regulatory requirement, citing the Hong Kong SFC, Dubai's VARA, New York's NYDFS, and the EU's MiCA framework directly.
What is crypto insurance?
Crypto insurance is specialty cover that protects cryptocurrency and digital-asset risk: theft, hacking, custody loss, cyber events, and management liability such as directors' and officers' (D&O) and professional indemnity claims. It exists because conventional business insurance treats crypto as an excluded or undefined risk class, leaving operators exposed unless they buy dedicated policies built for the asset class (Lloyd's of London).
In practice, crypto insurance is not one product but a family of coverage lines. Some protect the assets themselves (crime, specie, hot-wallet cover); some protect the business and its people (cyber, D&O, professional indemnity); and a younger niche protects code and protocols (smart-contract and DeFi cover). Several regulators now treat one or more of these lines as a mandatory licensing condition, which is the part of the picture most operators underestimate.
Why standard business insurance excludes digital assets
Standard commercial and general-liability policies were written for tangible property and conventional financial loss. Cryptocurrency does not fit cleanly into either category: private keys are not physical property, on-chain theft is irreversible, and valuations swing sharply. As a result, general policies typically exclude digital-asset risk, and a dedicated crypto, specie, or crime policy is required to transfer that exposure (Lloyd's of London).
This exclusion is the single most important framing on the page. An operator who assumes its existing business policy covers a wallet breach will discover, after a loss, that it does not. The specialist market exists precisely to fill that gap, but capacity is limited and underwriting is selective, so cover must be arranged deliberately and early.
Who needs crypto insurance
The clearest buyers are the businesses that hold client assets: crypto exchanges, custodians, and licensed virtual asset service providers (VASPs) and crypto-asset service providers (CASPs). For these operators, insurance or an equivalent compensation arrangement is often written into the licence conditions. Token issuers and infrastructure providers also carry exposure, typically through cyber, D&O, and professional indemnity lines.
Individual holders sit at the other end of the market. They can sometimes obtain cover through their custodian or a consumer product, but the protection gap (covered below) shows how few actually do. For operators, the practical question is not whether to insure but which lines a given jurisdiction mandates, which is where the regulatory layer of this guide begins.

Types of crypto insurance coverage
Crypto insurance breaks into eight recurring coverage lines. Each addresses a different peril, attaches to a different storage model, and carries a different premium. Several map directly onto the requirements regulators impose, so understanding the taxonomy makes the later mandate section far easier to apply.
The eight lines that recur across regulators and the specialist market are:
- Crime insurance covers theft, fraud, dishonest acts, and external hacking. It is the core line for exchanges and custodians (SFC Hong Kong).
- Specie / custody (cold-storage) cover protects offline private keys and vault-stored assets. It is the cheapest line per dollar because cold assets are well insulated from hacking.
- Hot-wallet / commercial crime cover protects internet-connected assets. It carries a higher premium and is the line Dubai's VARA mandates and that Lloyd's productized in 2020.
- Cyber insurance covers business interruption, data breach, unauthorised access, and incident-response costs.
- Directors and officers (D&O) cover protects executives against personal and regulatory liability; it is mandated by VARA.
- Professional indemnity / errors and omissions (E&O) covers claims from professional service failures; it is also mandated by VARA.
- Smart-contract / DeFi cover protects against code-exploit and protocol-hack losses; it is a capacity-constrained niche.
- Property insurance covers the physical key-storage infrastructure, such as hardware security modules and data centres.
Crime insurance
Crime cover is the foundational line for any business holding client crypto. It responds to theft, fraud, dishonest acts by employees, and external hacking. For an exchange or custodian, it is the policy most likely to be tested in a real incident, because the dominant loss event in this industry is the misappropriation of assets rather than physical damage. Crime cover is the spine that the SFC, VARA, and NYDFS requirements all build on in different forms (SFC Hong Kong; VARA Dubai).
Specie / custody (cold-storage) cover
Specie cover is the traditional Lloyd's vault-insurance line adapted to private keys. It protects assets held offline, in cold storage or physical vaults, against theft and physical loss. It is generally the cheapest cover per dollar of value because cold assets are, in the SFC's own rationale, well insulated from security threats such as hacking (SFC Hong Kong). For operators that keep the bulk of client assets offline, specie cover is the most cost-effective way to satisfy a large slice of any compensation requirement.
Hot-wallet / commercial crime cover
Hot-wallet cover protects assets connected to the internet, which carry materially higher theft and hacking risk. Premiums are higher and capacity is harder to secure than for cold-storage cover. This is the precise line Dubai's VARA mandates for hot-wallet assets, and the segment Lloyd's and Coincover productized in 2020 with a dedicated hot-wallet liability product (VARA Dubai; Lloyd's of London).
Cyber, D&O, and professional indemnity cover
Beyond the asset-protection lines, operators need cover for the business itself. Cyber insurance responds to business interruption, data breach, and unauthorised access. Directors and officers (D&O) cover protects executives from personal and regulatory liability, and professional indemnity (E&O) responds to claims arising from service failures. Dubai's VARA explicitly mandates both professional indemnity and D&O cover for licensed VASPs, alongside commercial crime cover (VARA Dubai).
Smart-contract and DeFi cover
Smart-contract and DeFi cover protects against losses from code exploits, smart-contract failures, and protocol hacks. It is a younger and capacity-constrained niche, and it is often provided through decentralized cover protocols rather than traditional carriers. This is an important disambiguation: when people say crypto insurance they usually mean traditional carrier cover, whereas decentralized cover is a separate, less mature market. Operators building on-chain products should read this alongside our DeFi compliance steps and the tokenized asset rules.
Cold storage vs hot wallet insurance: what is the difference?
The difference comes down to where the assets sit and how exposed they are. Cold storage keeps private keys offline, away from internet attack surfaces, so specie cover is cheaper and easier to place. Hot wallets stay connected to the internet to enable trading and withdrawals, so hot-wallet or commercial-crime cover is dearer and harder to secure. Regulators encode this split directly: Hong Kong's SFC requires at least 98% of client virtual assets in cold storage and no more than 2% in hot and other storage (SFC Hong Kong).
The SFC also calibrates the compensation requirement to that risk split: 50% of client virtual assets in cold storage must be covered, but 100% of those in hot and other storage must be covered (SFC Hong Kong). The logic is consistent throughout the market: cold assets are safer, so they need less cover per dollar; hot assets are riskier, so they must be fully covered.
Why cold storage costs less to insure
Cold storage costs less to insure because offline keys are physically and digitally insulated from the dominant loss event in crypto: remote hacking. There is no live internet connection for an attacker to exploit, and access typically requires physical and multi-party controls. The SFC made this rationale explicit when it reduced its cold-storage coverage threshold from a proposed 95% to 50%, reasoning that cold assets are well insulated from security threats such as hacking and therefore need less cover without compromising client protection (SFC Hong Kong).
Why hot-wallet cover is harder to place
Hot-wallet cover is harder to place because internet-connected assets face a constant, evolving threat surface and because past large-scale exchange hacks have made underwriters cautious. Premiums are higher and capacity is scarcer. The market's response has been product innovation: the Lloyd's product behind Coincover introduced a dynamic limit that moves with crypto prices, so the insured stays indemnified for the underlying value as it rises and falls, with flexible limits starting from £1,000 (Lloyd's of London). That is also why VARA singles out hot wallets for a specific commercial crime mandate.
Is crypto insurance legally required to run an exchange or custodian?
It depends on the jurisdiction, but in several major regimes the answer is yes. Hong Kong's SFC, Dubai's VARA, and New York's NYDFS all impose insurance, compensation, or bond conditions on licensed operators, and the EU's MiCA framework imposes strict custodian liability that pushes operators toward cover even without a separate mandate (SFC Hong Kong; VARA Dubai; NYDFS). The four regimes below show how different supervisors structure the same underlying goal: making sure client assets are protected if something goes wrong.
Hong Kong (SFC): compensation arrangement
The SFC's Guidelines for Virtual Asset Trading Platform Operators, which took effect in June 2023, require licensed VATP operators to maintain a compensation arrangement approved by the SFC to cover potential losses of client virtual assets (SFC Hong Kong). The core numbers are 50% of client virtual assets held in cold storage and 100% of those held in hot and other storage. The 50% cold-storage threshold was reduced from a proposed 95% in the consultation conclusions of 23 May 2023, to lower the cost of insurance without compromising security.
The arrangement can comprise three components, used alone or in combination: (a) third-party insurance; (b) funds set aside by the operator or its group companies, held as demand or time deposits maturing within roughly six months and designated for the purpose; and (c) a bank guarantee from a Hong Kong authorised financial institution. Operators must monitor client-asset value daily and notify the SFC if coverage becomes inadequate (SFC Hong Kong).
Dubai (VARA): mandatory insurance lines
VARA's Company Rulebook, Part VI Section D on Insurance, explicitly mandates that VASPs maintain insurance adequate to the size and complexity of the business, held with a regulated insurer (VARA Dubai). The mandated lines are professional indemnity insurance (Rule VI.D.1.a), directors' and officers' insurance (Rule VI.D.1.b), commercial crime cover or similar for all virtual assets stored in hot wallets (Rule VI.D.1.c), and any other insurance VARA deems appropriate for specific activities (Rule VI.D.1.d).
Insurance may be held in another group entity's name provided the VASP is named as an insured party (Rule VI.D.3). VARA does not specify a fixed coverage amount; it sets adequacy case by case in the licence. Operators planning Dubai entry should read this alongside our Dubai VARA licensing guide, because the insurance condition sits inside the broader licensing process.
New York (NYDFS): surety bond / trust account
New York's NYDFS does not mandate a specific crime-insurance percentage but imposes a financial-security requirement under the BitLicense regime. Under 23 NYCRR section 200.9, licensees must maintain a surety bond or trust account for the protection of the BitLicensee's customers, in a form and amount acceptable to the Superintendent (NYDFS). The amount is set by NYDFS at its discretion and scaled to the licensee's risk profile rather than fixed by a single statutory figure.
NYDFS custody guidance reinforces customer-asset segregation, confirms that beneficial interest remains with the customer, and constrains the use of customer assets as collateral. These obligations sit alongside the formal bond or trust-account requirement and shape how a US-facing operator structures its protection. For the wider federal and state picture, see our US crypto licensing requirements guide.
EU (MiCA): custodian liability that drives cover
The EU's MiCA framework takes a different route. Rather than mandating insurance, MiCA (Regulation (EU) 2023/1114), through its custodian-liability provision attributed to Article 75, makes a custody CASP liable to clients for the loss of crypto-assets or means of access (MiCA via White & Case). This liability is statutory and is a stronger standard than most pre-MiCA custody terms, which excluded or capped liability.
MiCA does not separately require a policy, but this strict liability effectively pushes CASPs toward crime and custody cover to fund that exposure. The practical takeaway is that insurance becomes a tool to meet a regulatory liability even where it is not formally mandated. Operators should read it together with the EU's MiCA regime guide, where the custody obligations sit in full context.

Who underwrites crypto insurance?
The specialist crypto-insurance market is anchored by Lloyd's of London. Lloyd's brings together syndicates that can pool capacity for risks too novel or volatile for a single carrier, which is exactly the profile of digital-asset cover. The clearest example is the hot-wallet product Lloyd's launched on 28 February 2020 for Coincover, with Atrium as lead syndicate and TMK and Markel as supporting syndicates (Lloyd's of London).
The Lloyd's of London market and the Coincover product
The Coincover product illustrates how specialist capacity is structured and how the market handles crypto's volatility. It is a hot-wallet liability cover with a dynamic limit that moves with crypto prices, so the insured stays indemnified for the underlying value rather than a fixed sum, with flexible limits starting from £1,000 (Lloyd's of London). Coincover, operating as a managing general agent through Lloyd's capacity, has reported protecting more than US$300 million across over 200 assets and more than 15,000 wallets.
Other carriers and managing general agents are active in the segment, and emerging entrants such as the Bermuda-based Blockchain Deposit Insurance Corporation have signalled plans to seek Lloyd's coverholder status (Risk & Insurance). The structural point for operators is that capacity is concentrated and selective, so placement depends heavily on demonstrating strong custody and security controls.
Why is so little of the crypto market insured?
Because demand far outstrips available capacity. Against a digital-asset market referenced at roughly US$3.31 trillion, only about 11% of crypto holders are insured (Risk & Insurance). The appetite is there: around 42% of uninsured holders say they would buy cover, and a further 26% are open to it, yet specialist underwriting capacity is limited, premiums are high, and policies typically cover only a portion of assets under management, leaving exposure during large-scale events.
This protection gap is the single most citable fact about the market. It explains why insurance is treated as a scarce, selectively allocated resource rather than a commodity, and why regulators that mandate cover (like the SFC) accept compensation arrangements built from insurance, set-aside funds, and bank guarantees combined, rather than insurance alone.
What drives the coverage gap
Several structural forces keep the gap wide. Valuation volatility makes limits hard to fix, which is why Lloyd's introduced its dynamic limit (Lloyd's of London). Custody-model risk matters, since hot wallets are dearer and harder to place than cold storage. Novel and partly uninsurable perils, such as smart-contract exploits and protocol risk, sit outside traditional underwriting. Regulatory uncertainty across jurisdictions complicates pricing, and limited reinsurance appetite caps the total capacity the market can deploy.
Industry analysts estimate the dedicated crypto-insurance market at roughly US$1.94 billion in 2024, growing toward US$3.11 billion in 2025 at an estimated compound annual growth rate near 18%. These are analyst estimates, not regulator figures, and should be treated as approximate. The reliable, cited anchor remains the protection-gap data: a roughly US$3.31 trillion market with only about 11% of holders insured (Risk & Insurance).
What do insurers require before issuing a policy?
Underwriters in this market are selective, and a strong submission is what separates an operator that gets cover from one that does not. Before issuing a policy, insurers typically require evidence of robust custody controls, mature cybersecurity, clear segregation of client and corporate assets, and documented incident-response readiness. The closer an operator's controls map to what a regulator already demands, the easier placement becomes.
In practice the requirements insurers test most closely are:
- Custody controls: cold-storage dominance, multi-party authorisation, key-management procedures, and HSM use.
- Cybersecurity: penetration testing, access controls, monitoring, and patch discipline.
- Asset segregation: clear separation of client funds from corporate funds, mirroring NYDFS-style obligations.
- Incident-response readiness: documented playbooks, breach reporting, and recovery capability.
These are the same controls that underpin a successful licence application, which is why insurance and licensing are best planned together. The detail sits in our AML and custody compliance guide, and it shapes how an operator scopes both its cover and its regulatory submission.
How Crypto Valley Partners helps you meet insurance and licensing conditions
Crypto Valley Partners AG is a Zug-based advisory firm focused on crypto and VASP licensing worldwide. Because insurance is so often a licensing condition rather than a standalone purchase, we treat the two together: when we scope a licence in Hong Kong, Dubai, New York, or the EU, the insurance or compensation requirement is part of the plan from the first conversation, not an afterthought discovered at the final hurdle.
From our practice, the operators who place cover most smoothly are the ones whose custody architecture, segregation, and incident-response documentation were designed to satisfy both the regulator and the underwriter at once. We do not sell insurance and we do not quote premiums; instead we help founders understand which lines a chosen jurisdiction mandates, how those lines map onto the Hong Kong SFC VATP regime or Dubai VARA licensing conditions, and how to structure controls so that cover is placeable. For the regulatory backdrop, our crypto regulation insights hub tracks how these requirements continue to evolve.
Frequently asked questions
What is crypto insurance and what does it cover?
Dedicated cover for digital-asset risks: theft, hacking, custody loss, cyber events, plus D&O, professional indemnity, and emerging smart-contract risk. Standard business policies generally exclude these, so a specialist policy is required to transfer the exposure that crypto exchanges, custodians, and VASPs carry.
Does standard business insurance cover cryptocurrency?
No. General commercial policies generally exclude digital-asset risk, so a dedicated crypto, specie, or crime policy is required. An operator that assumes an existing business policy covers a wallet breach will usually find, after a loss, that the claim is excluded.
What is the difference between cold-storage (specie) and hot-wallet (crime) cover?
Specie cover protects offline private keys and is cheaper because cold assets are insulated from hacking. Hot-wallet or commercial-crime cover protects internet-connected assets and is dearer and harder to place because connected assets face a constant and evolving threat surface.
Is insurance legally required to run a crypto exchange or custodian?
It depends on the jurisdiction. Hong Kong's SFC, Dubai's VARA, and New York's NYDFS all impose insurance, compensation, or bond conditions on licensed operators, and the EU's MiCA framework imposes strict custodian liability that pushes operators toward cover even without a separate mandate.
How much of client assets does Hong Kong's SFC require to be covered?
The SFC-approved compensation arrangement must cover 50% of client virtual assets held in cold storage and 100% of those held in hot and other storage. At least 98% of client assets must sit in cold storage, with no more than 2% in hot and other storage.
What insurance does Dubai's VARA require?
VARA's Company Rulebook mandates professional indemnity, directors' and officers' cover, and commercial crime cover for hot-wallet assets, plus any further cover VARA deems appropriate, held with a regulated insurer. There is no fixed sum; adequacy is set case by case in the licence.
Does a NYDFS BitLicense require crypto insurance or a bond?
It requires a surety bond or trust account for the protection of customers under 23 NYCRR section 200.9, in an amount set by the Superintendent. The amount is discretionary and scaled to the licensee's risk profile rather than fixed by a single statutory figure.
Under EU MiCA, who is liable if a custodian loses my crypto?
The custody CASP carries statutory liability for loss of crypto-assets or means of access under MiCA Article 75, which effectively pushes custodians toward cover even though insurance is not separately mandated. The liability is a stronger standard than most pre-MiCA custody terms.
Who underwrites crypto insurance and what is Lloyd's role?
Lloyd's of London anchors the specialist market; Atrium led the Lloyd's product behind Coincover's hot-wallet cover, with TMK and Markel supporting. The model pools syndicate capacity for risks too novel or volatile for a single carrier, which is the profile of digital-asset cover.
Why is so little of the crypto market insured?
A protection gap: against a roughly US$3.31 trillion market, only about 11% of holders are insured, driven by limited specialist capacity and high premiums. Demand exists, with around 42% of uninsured holders saying they would buy cover and a further 26% open to it.
Can smart-contract or DeFi losses be insured?
Partly. It is a younger, capacity-constrained niche, often provided through decentralized cover protocols rather than traditional carriers. Operators building on-chain products should treat smart-contract cover as separate from, and less mature than, traditional carrier crypto insurance.
What do insurers require before issuing a policy?
Insurers typically require strong custody controls, cybersecurity, asset segregation between client and corporate funds, and documented incident-response readiness. The closer those controls map to what a regulator already demands, the easier and cheaper placement becomes.
What does specie insurance mean in crypto?
Specie is the traditional Lloyd's vault-insurance line adapted to private keys. In crypto it protects assets held offline in cold storage against theft and physical loss, and it is generally the cheapest cover per dollar because offline keys are insulated from remote hacking.