What Insurance Options Exist for Crypto Custody?

Written By Chris Ekai

A practical guide for risk managers, institutional investors, and compliance professionals navigating the fast-evolving world of digital asset insurance.

Why Crypto Custody Insurance Matters Right Now

If the Bybit hack of February 2025 taught us anything, it is that even cold storage with multi-signature controls can be compromised at industrial scale.

That single breach drained approximately $1.5 billion in Ethereum from what was supposed to be an air-gapped wallet, making it the largest cryptocurrency theft in history.

According to Chainalysis, hackers stole more than $3.4 billion in cryptocurrency during 2025, with losses concentrated in a small number of high-impact breaches.

For institutional investors, pension funds, and any organization holding digital assets, the message is clear: technical security is necessary but insufficient. Insurance is the financial backstop that bridges the gap between what your controls can prevent and what determined, state-sponsored attackers can achieve.

This guide walks you through every insurance option currently available for crypto custody, what each policy covers (and excludes), how to evaluate coverage, and what to demand from your custodian. If you are responsible for enterprise risk management or cybersecurity risk at your organization, this is essential reading.

The 2025 Threat Landscape: Why Insurance Is No Longer Optional

Let us start with the numbers that should keep every CFO awake at night. SlowMist tracked approximately 200 security incidents across the ecosystem in 2025.

That is roughly half the 410 recorded the previous year. Yet total losses climbed to about $2.9 billion, up significantly from $2 billion in 2024. The average loss per event more than doubled, rising from roughly $5 million to nearly $15 million.

What is driving this? Three converging forces:

Professionalized, state-backed attackers. North Korean-linked groups like Lazarus were responsible for the majority of high-value service compromises in 2025, achieving record theft volumes of at least $2 billion. These are not opportunistic hackers. They are well-funded intelligence operations with sophisticated laundering networks.

Concentration risk in centralized custody. Centralized exchange platforms and custodial services documented 10 incidents in 2025 with aggregate losses of $1.7 billion, representing over 53% of total losses. The shift from many small DeFi exploits to fewer but catastrophic custody breaches changes the risk calculus entirely.

Regulatory acceleration. The SEC, MiCA in Europe, and regulators in Singapore, Hong Kong, and the UAE are all tightening custody and disclosure requirements. Insurance is fast becoming a regulatory expectation, not just a nice-to-have. For more on how regulatory risk intersects with your compliance framework, see our guide on NIST cybersecurity risk indicators.

Six Types of Insurance for Crypto Custody

The crypto insurance market has matured significantly. According to WTW’s Digital Assets Insurance team, policies now cover a wide range of risks. Here is the current menu of options, with what each does and does not cover.

1. Specie / Custody Insurance (Cold Storage Coverage)

This is the foundational policy for any custodian or institution holding digital assets. Specie insurance, borrowed from the traditional vault and bullion market, protects against physical loss, theft, or damage to digital assets stored offline.

What it typically covers:

  • Physical destruction of devices storing private keys (fire, flood, earthquake).
  • Theft of hardware devices by employees or third parties at custody sites.
  • Theft or copying of private keys while in transit between custody locations.

What it excludes: Losses from software exploits, smart contract failures, market volatility, and assets in hot wallets (unless specifically endorsed). As Lockton’s custody insurance guide explains, this coverage sits within either the crime/fidelity market or the specialist specie market.

Real-world example: Crypto.com secured $120 million in crime and specie insurance coverage through Lloyd’s of London via Aon, with $100 million specifically for cold storage assets, according to their June 2025 announcement.

2. Crime / Comprehensive Crime Insurance

Crime insurance covers first-party losses from employee fraud and third-party losses from external hacks, social engineering, or extortion. This is the policy that addresses the scenarios that keep custodians up at night.

What it typically covers:

  • External theft from hacking of custody infrastructure.
  • Internal collusion and employee fraud.
  • Social engineering attacks targeting custody operations.
  • Extortion and ransomware affecting digital asset operations.

Munich Re’s Digital Asset Comprehensive Crime Policy is specifically designed to protect digital assets under custody against both internal and external threats, including breaches of external service provider systems.

Key caveat: Standard crime policies may not cover losses from smart contract vulnerabilities, protocol-level exploits, or user error. As BitGo explains, coverage typically includes external theft and insider collusion, but common exclusions include user error and blockchain failures.

3. Directors and Officers (D&O) Liability Insurance

D&O coverage protects against lawsuits arising from alleged negligence in security or regulatory compliance failures. If a major breach leads to investor lawsuits claiming the custodian’s leadership failed to implement adequate security controls, D&O insurance responds.

This policy is increasingly important: as Relm Insurance notes, regulatory expectations around custody governance continue to tighten, and boards face personal liability exposure for digital asset management decisions.

4. Professional Indemnity / Errors and Omissions (E&O)

E&O insurance covers claims arising from professional negligence in the delivery of custody services. Think of it as protection against operational mistakes: a misconfigured wallet, a failed transaction, or incorrect execution of a client’s instructions.

According to HCP National, E&O coverage is becoming increasingly difficult for crypto businesses to obtain but remains absolutely necessary. The policy fills a critical gap between what crime insurance covers (deliberate acts) and what happens through genuine operational errors.

5. Cyber Insurance

Traditional cyber insurance policies are adapting to cover digital asset-specific risks, but the fit is imperfect. Standard cyber policies focus on data breaches, business interruption, and notification costs. For crypto custodians, the primary loss is asset theft, which standard cyber policies may not adequately cover.

WTW notes that bespoke digital asset cyber policies are evolving to include coverage for blockchain-specific threats, but the number of providers is limited.

Organizations should not assume their existing cyber policy extends to digital asset losses without explicit confirmation. For foundational concepts on managing cyber risk within an enterprise risk framework, see our article on NIST cybersecurity key risk indicators.

6. Emerging and Specialist Coverages

The market is developing rapidly. Several new product categories are gaining traction:

Smart contract insurance: Covers asset loss from failures, breaches, or exploitations of smart contracts used in custody operations. Munich Re offers dedicated smart contract risk insurance, and it is particularly relevant for custodians using DeFi protocols or automated custody functions.

Staking risk insurance: Protects against slashing losses in Proof-of-Stake networks. When a validator node is penalized for being offline or acting maliciously, specialized policies cover the resulting losses. This is critical for custodians offering staking-as-a-service.

Business interruption: If a major security incident forces a custodian to pause operations, this coverage compensates for lost revenue and extra expenses during downtime. Given that the Bybit hack triggered massive withdrawals and operational disruption, this coverage has moved from theoretical to practical necessity.

NFT and digital collectible coverage: An emerging area analogous to fine art insurance, covering theft or destruction of high-value NFTs held in custody.

Coverage Comparison: What Leading Custodians Offer

Insurance coverage varies dramatically across providers. Based on publicly available data from Cobo’s 2025 comparison and YellowCard’s definitive guide, here is what major custodians currently offer:

| Custodian | Coverage Amount | Regulatory Status | Key Features |
|---|---|---|---|
| Coinbase Custody | One of the largest commercial crime policies | NY State Trust Charter | Public company (NASDAQ: COIN), segregated client assets |
| BitGo | Up to $250M | Multi-jurisdiction (US, EU, Singapore, Switzerland) | Multi-sig pioneer, 1,500+ institutional clients |
| Fidelity Digital Assets | Up to $1B reported | Trust charter | Traditional finance heritage, Lloyd’s backed |
| Anchorage Digital | Comprehensive institutional coverage | OCC federal bank charter | First federally chartered crypto bank, SOC audits |
| Fireblocks | Partners with leading insurers | NYDFS trust company | MPC-based custody, 120+ blockchain support |
| Crypto.com Custody | $120M (crime + specie) | US trust company | Lloyd’s backed via Aon, cold + hot wallet coverage |

Sources: Hashlock’s 2026 Institutional Custody Guide, CitizenX Best Custodians 2025, and provider announcements.

How to Evaluate Crypto Custody Insurance: A Risk Manager’s Checklist

Insurance headlines make great marketing. But as one industry observer put it, “Knowing exactly how you are protected is essential risk management.” Here is what to verify before trusting any coverage claim.

1. Scope of coverage. Does the policy cover hot wallets, warm wallets, and cold storage, or only cold? The Bybit breach compromised a cold-to-warm transfer process, which might fall in a coverage gap if the policy only protects assets in static cold storage.

2. Coverage limits relative to AUC. A $250 million policy sounds impressive until you learn the custodian holds $50 billion in assets. Calculate the coverage ratio and ask whether it covers your specific allocation or is shared across all clients.

3. Exclusions. Scrutinize what is excluded. Common exclusions include: user error (sending to wrong address), phishing attacks on the asset owner (not the custodian), market value fluctuations, self-custody assets, smart contract bugs, and blockchain protocol failures.

4. Claims process and insurer quality. Who is the underwriter? Lloyd’s of London syndicates, Canopius, Munich Re, and Aon are among the more established players in this market. Ask for the insurer rating and claims payment history.

5. Policy structure. Understand deductibles, sublimits, co-insurance requirements, and whether the policy is occurrence-based or claims-made. Higher deductibles lower premiums but mean the custodian self-insures smaller losses.

6. Segregation and insolvency protection. Confirm that client assets are held in segregated accounts and would not be affected by custodian insolvency. Insurance is a last resort; structural protection should be the first line of defense.

This due diligence process aligns with the third-party risk management lifecycle principles we have covered previously. Crypto custodians are, after all, critical third-party service providers.

Who Provides Crypto Custody Insurance?

The insurance market for digital assets is still maturing, but a credible ecosystem now exists. The key players include:

Lloyd’s of London syndicates: The largest marketplace for crypto custody coverage, with multiple syndicates competing for business. Lloyd’s backs policies for Crypto.com, Fidelity, BitGo, and many others. Canopius is one of the more active Lloyd’s syndicates in this space.

Munich Re: One of the world’s largest reinsurers, offering comprehensive crime policies, staking risk insurance, and smart contract coverage specifically designed for the digital asset ecosystem.

Specialist brokers: Aon and WTW both have dedicated digital asset teams. Relm Insurance focuses exclusively on emerging and innovative industries including crypto. OneDegree (Asia) provides bundled digital asset wallet insurance.

Policy limits typically start at $500,000 and can extend into hundreds of millions for large institutional custodians. Pricing is highly dependent on the specific risk profile, custody architecture, and security controls of the insured entity.

Integrating Crypto Insurance into Your Enterprise Risk Framework

Insurance is one layer in a defense-in-depth strategy. From an enterprise risk management perspective, here is how crypto custody insurance fits within the broader control environment:

First line: The custodian implements technical controls (MPC, multi-sig, cold storage, HSMs), operational controls (segregation of duties, key ceremony protocols, withdrawal whitelisting), and maintains the insurance policy.

Second line: Your risk and compliance function verifies the custodian’s insurance coverage, reviews policy terms against your risk appetite, monitors KRIs related to custody risk, and ensures regulatory compliance. See our guide on key risk indicators for frameworks that translate to this context.

Third line: Internal audit or an independent assessor validates that the custodian’s SOC 2 reports, insurance certificates, and security audits are current and adequate. This maps to Deloitte’s digital asset risk assessment framework, which identifies over 300 unique blockchain and digital asset risks.

For organizations operating under ISO 31000, this approach ensures crypto custody insurance is treated not as a standalone decision but as an integrated component of your risk treatment plan, with clear ownership, monitoring criteria, and review cadence. If you are also managing business continuity planning, consider how a custodian breach would trigger your BCP activation and whether your disaster recovery plan includes scenarios for digital asset loss or custodian failure.

What to Watch in 2026 and Beyond

Several trends will reshape crypto custody insurance over the next 12 to 24 months:

Regulatory mandates for insurance. MiCA in Europe and evolving SEC guidance in the US are likely to mandate minimum insurance coverage for qualified custodians. Organizations that get ahead of this requirement will find better rates and terms.

Parametric and on-chain insurance. DeFi-native insurance protocols are developing parametric products that pay out automatically based on on-chain triggers (e.g., a verified hack event). While still maturing, these could complement traditional policies for specific risk scenarios.

Premium reductions for demonstrable security. As the market matures, custodians with SOC 2 Type II reports, ISO 27001 certification, and proven incident response capabilities are securing better insurance terms. Security investment has a direct financial return through lower premiums.

Sovereign digital asset custody networks. Nations are exploring sovereign custody infrastructure operating under specific jurisdictional rules, which could create new insurance product categories tailored to public-sector digital asset management.

Next Steps: What You Should Do Now

If your organization holds or plans to hold digital assets, here is a practical action plan:

1. Audit your current custodian’s insurance coverage. Request the full policy document, not just the marketing summary. Verify coverage limits, exclusions, and the quality of the underwriter.

2. Map coverage gaps against your risk appetite. Compare the policy scope to your actual risk exposure, including hot wallet balances, transfer-in-transit risks, and staking positions.

3. Build insurance evaluation into your vendor due diligence process. Make it a standard component of your third-party risk management framework.

4. Engage a specialist broker. Aon, WTW, and Lockton all have dedicated digital asset teams that can benchmark your coverage against market standards.

5. Document everything in your risk register. Insurance coverage, gaps, review dates, and action items should be formally tracked and reported to the board. For a refresher on building effective risk registers, visit our financial risk assessment guide.

The crypto custody insurance market has come a long way from the days when coverage was nearly impossible to obtain. Today, credible options exist across multiple risk categories, backed by established insurers. The question is no longer whether insurance is available, but whether your coverage is adequate for the threats you actually face.

External Sources Cited:

BitGo, Canopius, Chainalysis, CryptoSlate, Crypto.com, Deloitte, Fortune, Hashlock, HCP National, Lockton, Munich Re, NCC Group, Relm Insurance, TRM Labs, WTW, YellowCard