A surge of interest in blockchain has resulted in a growing insurance market. The technology famously behind Bitcoin has expanded into an entire "Decentralized Finance" ecosystem, colloquially known as "DeFi." Some observers claim that the abundance of blockchain-native financial products that have sprouted offer new opportunities to the public and the insurance industry. Prominent commentators, including SEC Chair Gary Gensler, have declared DeFi a "Wild West" -- with many highlighting new risks such as smart contract risk, governance risk, and oracle risk that present novel drivers of insurance demand.1 This new frontier has been said to offer insurers the chance to delve into new markets, improve fraud detection and pricing, and reduce expenses. Insurers have harnessed blockchain technology to build novel products as well.2 Understanding the developing regulatory environment will also help insurers navigate this expanding market.
Beyond Bitcoin: Building Blockchains Have Laid a Groundwork of Opportunity
Blockchain technology, a type of Distributed Ledger Technology (DLT), refers to the infrastructure and protocols for otherwise independent computers to simultaneously access, validate, and maintain data by replicating, saving, and updating identical copies of a ledger without a central authority.3
Bitcoin, first outlined in 2008, is generally considered to have been the first blockchain used effectively as a store of value.4 But by design, the Bitcoin blockchain is limited to being a medium of exchange by functioning as a record of transactions. By contrast, many observers have traced the origin of DeFi to around 2015 when a new blockchain called Ethereum introduced the capacity for developers to embed business applications, or "smart contracts," on the blockchain.5 The technology enabled sophisticated decentralized financial products.6 Thus, DeFi was born.
In the paradigmatic DeFi protocol, a smart contract is coded to "lock" some value on the blockchain, and will unlock upon a predefined event. A protocol can thereby act as a decentralized and automatic investment or lending vehicle. Likewise, corporate governance of these smart contracts can be designed to be decentralized.7 For example, Aave, currently the largest DeFi protocol, allows users to invest and earn interest, and uses the pool of capital from those investments to fund smart contract lending.8 In exchange for depositing funds, users receive Aave tokens, which entitle them both to propose and vote on governance changes, their vote proportionally weighted by their tokens' value.9
Analysts have suggested that smart contracts lower barriers of access to financing; increase efficiency, interoperability, and transparency; and reduce costs associated with disputes.10 The DeFi sector has reportedly grown to over roughly $100 billion in market capital.11
Insurance Options Have Appeared In Connection With Risks Unique to DeFi
While commentators generally have suggested that DeFi offers decentralized financial products, they have also widely identified novel forms of associated risk. Bitcoin insurance policies for risk of theft or loss coverage have already appeared. For instance, the cryptocurrency exchange Coinbase announced the purchase of $255 million in such coverage from Aon in 2019 -- to cover crypto assets held in so-called "hot" storage, reportedly meaning the assets were stored "essentially online and open to potential hacks."12 Daily price fluctuation can also make for additional considerations when insuring assets such as Bitcoin, but this has led insurers to innovate.13 Lloyd's notably advertises a "first of its kind liability policy" that provides "flexible limits" that increase or decrease in accordance with price changes of crypto assets to "indemnif[y] for the underlying value" even if that value fluctuates over the policy period.14
Beyond cryptocurrency, commentators have identified a number of other risks unique to DeFi including: (1) smart contract risk, (2) governance risk, and (3) oracle risk.15 Observers have further noted the potential of rapidly emerging DeFi regulation. Analysts have commented that competent insurance options may be important to the continued growth and viability of the space.16 Speaking to Forbes about DeFi insurance, Marouane Hajji, blockchain entrepreneur and founder of crypto insurance platform Unslashed, stated: "[Insurance is] really the bedrock on which everything else is built . . . It's of paramount importance for banking, trade, international commerce, anything in finance really, relies on insurance."17 A closer look at certain of these risks and the insurance offerings already emerging to respond to them highlights the development of insurance in the rapidly growing DeFi space.
Smart Contract Risk
Analysts have indicated that DeFi faces a variety of unique and novel risks, which also offer opportunity for the insurance industry.18 The first of these has been called "smart contract risk." Analogous to drafting issues in traditional contracts, smart contracts are vulnerable to coding errors. Such errors -- or hacking exploits designed to take advantage of them -- can divert the value stored inside smart contracts or render it inaccessible. If a mechanism to correct a fault in the programming is lacking, value can even be irretrievably lost.19
Over the past few years there have been reports of attacks on DeFi platforms causing substantial losses.20 Famously, a DeFi protocol known as the Distributed Autonomous Organization, or DAO -- established to build a smart contract venture capital firm -- suffered a hack in 2016 and lost $50 million in value. This loss led the core developers behind the Ethereum blockchain to hack the hacker to retrieve the lost value and then execute a socalled "hard fork," reprogramming the Ethereum blockchain itself to unwind the transactions.21
Such smart contract risk has produced demand for insurance products. While traditional insurance options to deal with DeFi risks are reportedly still limited, DeFi insurance based on blockchain technology has begun to appear.22 One such market entrant, Nexus Mutual, claims to have grown to insure over $1 billion in value.23
Nexus Mutual insures against errors or hacks in blockchain transactions resulting in loss.24 The insurance product is advertised as operating in a discretionary mutual structure, whereby those purchasing the product become members of the product structure who receive voting rights to whether a claim should result in a payout.25 The members commit cryptocurrency to fund share pools of collateral against smart contract vulnerabilities.26 Members pay a small fee, and acquire an "NXM token" that entitles them to participate, as well as to vote on governance decisions.27 Then, members can "stake" (put up as collateral) cryptocurrency to fund a pool for a smart contract, or enter the details of a DeFi investment -- including among other things the amount of value and the duration for the investment that will be covered -- and receive a quote.28 Insured users can then at any time submit a claim, which is paid when approved by the vote of members, subject to any governance measures instituted by the members.29
Numerous other blockchain-based insurance protocols are also currently on offer or in development in the space.30 Traditional insurers too have begun to venture into blockchain-based smart contract solutions -- for instance, in the case of Allianz, to automate catastrophe swap transactions (financial instruments in which an insurer pays a third party to assume the risk of a defined catastrophic event in exchange for a string of payments).31
Another core risk category driving novel insurance offerings in the space has been termed "governance risk."32 While some DeFi protocols are purely autonomous after launch, many build in governance procedures, as mentioned above.33 Commentators have suggested that protocols utilizing decentralized governance may be at risk of a malicious actor exploiting procedures to drain value from a protocol.34 Observers have further noted that, while as of August 2021 there had not yet been a successful governance attack on any Ethereum-based DeFi protocol, such attacks might arise at some point in the future.35
Analysts point to more subtle governance risks that have led to new insurance opportunities as well. For instance, some protocols rely on a practice called "slashing," which incentivizes consistent processing performance by the entities hosting the blockchain by exacting a predefined monetary penalty for lack of compliance.36 Launched in June 2021, the platform Unslashed offers policies to insure against certain risks including slashing.37 Unslashed's decentralized insurance protocol has reportedly issued nearly a billion dollars of insurance coverage.38 In one example, Unslashed provides $200 million worth of slashing coverage for a prominent DeFi protocol Lido, which allows users to invest or "stake" tokens for a return.39
"Oracle risk" presents a third core category that commentators have identified as particular to DeFi.40 Oracles are systems or third parties that transfer information from the outside world into a blockchain system. For instance, Chainlink is a decentralized oracle network that provides data feeds, such as the price of Bitcoin, to many DeFi platforms, like Aave, which enables loans and interest on deposits.41 Without oracles, DeFi protocols are isolated from the outside world, and outside information like price data is necessary to make many protocols useful.42 However, analysts have indicated that these oracles can also pose a potential point of weakness for malicious actors to attack.43 One such exploit, highlighted by a security researcher known by the Twitter handle "samczun" affected the DeFi plaforms bZx and DDEX, exposing, at the time, the equivalent of $700,000 in value.44 Later, when the bZx platform was attacked in a different fashion, its co-founder nonetheless emphasized that the protocol was bolstering oracle security in response, noting concern that oracles could "become a central point of failure."45
Other commentators have identified oracle risks as systemic.46 As one commentator noted, even if a technological solution is found "it will still take many years for that system to become trusted. And as the pot of money controlled by the oracles continues to grow, so too will the potential reward for someone who finds a flaw in the design."47
Despite the risk, observers suggest that oracles in their own right have a role to play in offering new opportunities to the insurance industry. The decentralized oracle network Chainlink has advertised its potential use to build "parametric" insurance products -- meaning products that provide a pre-specified payout when triggered by a predefined event, or parameter, without adjustment -- by relaying real-world data onto the blockchain.48 Chainlink's representatives suggest that such parametric insurance contracts could insure against clearly defined events and automatically provide a pre-agreed amount should the event occur.49 Indeed, backers of other parametric insurance protocols have contended that such decentralized insurance could make possible reliable, automatic insurance against difficult to predict events like earthquakes, without costly and time-consuming claims investigations.50
Regulation and the Compelling Path Forward for Insurance
While insurance in DeFi is clearly a growing market, developing regulation is sure to influence the future of the industry. Observers have taken note of the breadth and speed at which regulatory action has begun to occur. China recently intensified a crackdown on cryptocurrencies with a blanket ban on all cryptocurrency trading and mining.51 The U.S. Department of the Treasury too issued sanctions blacklisting a cryptocurrency platform accused of assisting cybercriminals to convert funds into traditional government-backed currencies, labeling a cryptocurrency exchange, for the first time, a "malicious cyber actor."52 Further, nascent U.S. federal regulatory action has begun at the CFTC, the SEC, and the IRS.53 The SEC notably has approved a Bitcoin futures-based ETF.54 No enacted federal legislation has yet focused on DeFi, however, the currently pending infrastructure bill may change that.55 The novelty of DeFi technology contributes to ambiguity as to the rules that DeFi must follow, and who will enforce them.56
In this fluid space, enforcement actions are shaping the regulatory environment insurers will want to keep apprised of. On August 6, 2021, the SEC issued an order, reprimanding Blockchain Credit Partners, operators of a DeFi Money Market, in part for using smart contracts to sell digital tokens that offered specified returns, which the SEC alleged was an unregistered securities offering.57 The DeFi Money Market operators were ordered to disgorge in excess of $10 million in profits.58 Recent remarks by SEC Chair Gary Gensler portend further regulatory attention. Gensler suggested that, in his view, Crypto assets are "highly speculative stores of value" that often "are offered and sold as securities" and thus "are subject to the securities laws and must work within our securities regime." Gensler states that "significant gaps in investor protection" exist, and claims very broad SEC authority while also calling for Congressional action to grant, among other things, "additional plenary authority to write rules for and attach guardrails to crypto trading and lending."59
In particular, stablecoins have drawn regulatory focus. Stablecoins are crypto tokens that are pegged to some value. Many are tied to the U.S. dollar, such as tokens called USDC, Tether, and Dai. But stablecoins may be pegged to other assets, like gold -- as in the case of the recently launched Djed.60 Stablecoins are said to facilitate crypto market operation by reducing the volatility associated with other cryptocurrencies like Bitcoin or Ethereum.61 Notably, in November 2020, Bridge Mutual, a decentralized insurance provider, announced an insurance coverage offering for stablecoins, noting at that time "the massive $20B+ stablecoin economy, which is growing at an exponential rate."62 In recent remarks, however, Gensler likened stablecoins to "poker chips" and the SEC prevented the cryptocurrency exchange Coinbase from implementing a plan to pay users interest on stablecoin holdings.63 Regulators have announced concerns that stablecoins are susceptible to the equivalent of bank runs and could pose systemic risk.64 Stablecoins are said to have helped facilitate the growth of DeFi, and commentators have suggested that it is unclear how their regulation could affect the industry as a whole.65
At present, while the DeFi ecosystem and associated insurance offerings are growing rapidly, it is unclear how emerging regulation will mold the sector. Understanding and readiness to advocate from a number of viewpoints will be essential to anyone navigating this exciting space.