19 May 23
Foreword
Cyber Insurance is a strange animal, mostly because the field of cyber itself is strange. This area of insurance used to be only of concern to companies who had cyber (informational) assets to protect and that they wanted to insure, but it is increasingly all-encompassing.
Traditional insurance will be somewhat unprepared for Web3, yet many of their customers (B2B and B2C) will be affected by the changes to the Web in fundamental, financial ways. As people and businesses start seeing value in digital assets and start treating them as stores of money they will want to protect them, and to insure them.
Insurance companies wanting to insure the future will, therefore, have to insure Web3. It is incumbent on those involved in the industry to prepare themselves well.
This document explores what that future may look like, the types of assets Web3 may bring, as well as the areas of risk that forward-thinking insurers will be focused on, including the value of risk-mitigation and appropriate preventative measures.
Grant Ongers
Vice Chair, OWASP Global Board
CTO & Co-founder, Secure Delivery
Synopsis
This whitepaper aims to outline opportunities, threats and risks that are becoming evident and that could become critical within the next 3–5 years in an era led by novel technology and with increasingly virtual assets.
The value of this document to insurers is in helping expand their technical knowledge so they can better understand and prepare for the impending shifts in the Web and its threat landscape.
An improved knowledge of a changing Web will foster operational preparedness, leading to an understanding of novel risks and ultimately create businesses empowered to define appropriate propositions.
Introduction
The evolution of the Web to date
The shifts from Web1.0 to Web2.0 and into Web3/3.0 are not formal divisions, but rather generational gradients that represent the dominant usage, culture and companies that flourish within them.
Web 1.0, from 1991 to the early 2000s saw the beginning of the Web available to the general public. Defined by static web pages with few opportunities for users to contribute and share. Risks associated with contributing to and using Web1.0 were low.
Web 2.0, from the early 2000s to 2020/2, saw the birth of large centralised websites and is the version of the internet most will recognise today. There are more opportunities for users to contribute and share and as a result, it is dominated by companies that provide ‘free’ services to end-users, in exchange for providing those users’ personal data to third party services with an interest in them. This is the primary business model for companies like Facebook and Google, and the secondary business model for companies like Amazon. Risks to personal and business information and assets are much higher.
Web3, which started gaining traction in 2021, is built on concepts and technologies such as blockchain, cryptocurrencies, non fungible tokens (NFT) and decentralised finance (DeFi), and is moving towards an open, decentralised and permissionless Web. Web3 is able to leverage machine learning, artificial intelligence (AI) and the blockchain to facilitate more direct, real-world communication as well as remote learning and augmented reality (AR). With transactions widely conducted online and incalculable amounts of data stored, the risks are commensurately immense.
Figure 1. A visualisation of interests and threats (and therefore risk) proliferating with each generation of the Web (not to scale). Source: Secure Delivery Research & Insights 2022
Defined by growth of content, and with applications linking directly to each other rather than relying on intermediaries, Web3 is seeing the centralised apps of the last 15-20 years turn into ‘decentralised’ protocols. Initially explored through cryptocurrency, gaming and social media, accelerated by the Covid19 pandemic (which saw much of the world confined to their homes and relying on online interactions for work and socialisation) and further promulgated by the likes of Facebook (now Meta) and the Metaverse.
Web3 will allow for the spawn and growth of many, smaller decentralised applications. Users will have more control over any content or assets they create, rather than having to rely on larger companies and their websites to connect with family or friends, and the ownership of data will be returned to their personal sphere. Consumers are increasingly enjoying the gaming, entertainment and social aspects, as well as the investment opportunities, being afforded to them without the middlemen created under Web2.0. However, one of the benefits of middlemen is that they take on responsibility for risk. How this balance will change within Web3 remains to be seen.
“This new technology will fundamentally change how we collaborate—how we build businesses, how we design governance systems, how we operate global organisations.” – Jutta Steiner (Steiner 2017)
Following the disruption of the banking industry over the last decade (seeing the birth of Monzo and Revolut, among others), thought-leaders are now anticipating the next wave of financial disruption to see the rise of ‘neo insurance’ (more on this later). There is an expectation that further efficiencies in financial and insurance systems may result from the increasingly direct approach (its decentralised, peer-to-peer structure) that Web3 will bring.
Definitions
As many of the terms and concepts discussed in this paper are recently-coined, here we briefly outline their meaning.
Web3/3.0
Web3 is also sometimes called Web3.0* represents, and is part of, a phase change in our use of the internet, a ‘decentralised’ and ostensibly fairer Web where users control their own data, identity and destiny.
The Web3 Foundation is a useful resource which was “created to nurture and steward technologies and applications in the fields of decentralised web software protocols, particularly those which utilise modern cryptographic methods to safeguard decentralisation, to the benefit and for the stability of the Web3 ecosystem”.
The Web3 Foundation believes in an internet where:
- Users own their own data, not corporations
- Global digital transactions are secure
- Online exchanges of information and value are decentralised (Web3 Foundation 2022)
Web3 is based on a novel type of data architecture; blockchain (see definition of blockchain below).
* Not to be confused with Semantic Web: Web 3.0, the extensions to the W3C standards to make the web more machine readable
Figure 2. The Web 3 Technology Stack. Source: Web3 Foundation open source resource (Web3 Foundation 2022)2
Blockchain
Blockchain, one of the main technologies underlying Web3, was originally outlined by Satoshi Nakamoto (a pseudo-anonymous name for the person, or group of people, who developed bitcoin).
A blockchain is a growing list of compound data segments (or records), called blocks, linked cryptographically. Once recorded, the data in any block cannot be altered without affecting all subsequent blocks, this means they are inherently resistant to modification of their data.
Blockchain-based transactions and data are recorded identically in multiple locations (distributed ledger technology). Data generated and stored in this way benefit from improved integrity, security and ease of access (real-time).
Since the source of data and the way it is collected is essential to its quality, data being gathered and validated on the blockchain will become far more valuable.
Cryptocurrency
Cryptocurrency is digital or virtual currency that is secured by cryptography, which makes it nearly impossible to counterfeit or double-spend (Frankenfield 2022). Examples include: Bitcoin, Litecoin, Zcash and Ether.
Like conventional currency, any bitcoin (for example) is equal to any other. Cryptocurrencies are themselves a secure product (to note: there have been no significant data integrity breaches on the Bitcoin blockchain since its inception 13 years ago). However, this does not mean they are immune to significant incidences of fraud or theft: Chainalysis reported that 3.2 billion USD in cryptocurrency was stolen from individuals and services in 2021, almost six times the amount stolen in 2020 (Chainalysis 2022).
While both tokens and coins are critical to the crypto economy, coins (such as Bitcoin) are used as money, while tokens represent value and run on existing, independent blockchains, rather than their own (Bybit Learn 2021).
NFTs (non-fungible tokens)
Unique digital files (such as art, games, music, films) which are stored on a blockchain network that can be bought, sold or traded online via marketplaces such as OpenSea. The chain of custody is permanently marked in the file with any changes in ownership verified by a worldwide network and logged in public. Authenticity is therefore practically guaranteed and audit trails of ownership are traceable, which is part of their appeal to collectors.
Creators can ‘mint’ NTFs, sell them and earn royalties on all future sales. Most NFTs are bought or sold with cryptocurrency though this is not a requirement.
Metaverse
A portmanteau of meta and universe; a metaverse is a 3D virtual world (or network of worlds) with a focus on social connection. Examples of which include Roblox and Meta’s Horizon Worlds. Usage can be enhanced via virtual/augmented reality and, recently, users have been able to attend virtual events and purchase virtual property or land within a metaverse. The real estate sale in the metaverse reportedly grossed over 500 million USD in 2021 (MetaMetric Solutions 2022).
Decentralised Finance (DeFi)
Decentralised finance represents a financial system without the involvement of banks or third parties. It “removes the control banks and institutions have on money, financial products, and financial services” (Ethereum.org 2022). Financial transactions are via peer-to-peer networks that use security protocols, connectivity, software and hardware advancements (Sharma 2022). Some of the attractions of DeFi are:
- Elimination of the fees that banks (and other financial institutions) charge for using their services (however, these are increasingly being replaced by alternative fees to transact on a blockchain network, such as ‘gas fees’ for transacting on the Ethereum blockchain)
- Money is held in a secure digital wallet instead of a bank
- Anyone connected to the internet can use it without needing approval
- Funds can be transferred in seconds and minutes (Sharma 2022)
DeFi is not anonymous and is traceable, however, it is currently largely unregulated. Other concerns are system stability, energy requirements, carbon footprint, system upgrades, system maintenance and hardware failures. It is susceptible to infrastructural mishaps, hacks and scams (Sharma 2022).
Digital wallet
Also known as an e-wallet, a digital wallet is a software-based system that stores users’ payment information and passwords securely for use with multiple payment methods and websites, some of the most well-known examples are Cash App, ApplePay and Google Wallet. Use of a digital wallet usually allows users to conduct purchases using near-field communications technology.
Edge and mist computing
Edge and mist computing are similar concepts. Edge computing brings computation and data storage close to the source of data. It is critical in the infrastructure of high speed 5G connections. Mist computing allows computing to happen at the very edge of a network, where the sensors and actuators are (Yogi et al 2017).
Smart contracts
Smart contracts are types of programs stored on a blockchain that run when preset conditions are met. They can be used to automate the implementation of an agreement with immediate outcome, without any intermediary’s involvement or time loss. For example, a smart contract can be programmed to send/refund money from one account to another, without the need of a financial institution managing the transaction or charging fees, or to provide immediate insurance benefits providing all conditions have been met. Caution is still necessary since bugs in the code of smart contracts can and have caused massive losses (Natalee 2022).
Quantum computing
Quantum computers use the properties of quantum physics to store data and perform computations. This means they can potentially outperform even the best supercomputers at certain specialised tasks. The basic unit of memory in a quantum computer is a quantum bit or qubit, compared to classic computers (including smartphones and laptops) where it is binary ‘bits’ (0s or 1s).
Encryption
Encryption is a technique using mathematical methods to secure digital data. A key is required for decryption. The encryption process translates information using an algorithm that makes the original information unreadable.
AI poisoning
AI (or data) poisoning is a type of attack directed at the input of data for training AI or machine learning models. The inputs can be affected in such a way as to cause inappropriate learning and render the outputs (inferences) inaccurate.
The changing Web
What does the adoption and proliferation of these novel concepts mean for how the internet will look in the next 5 years? The number of Internet connected devices is expected to increase from 31 billion in 2020 to 35 billion in 2021 and 75 billion in 2025 (Maayan 2020). This includes everything from light fixtures and other home appliances to cars and smart cities and medical devices, through to military applications
There will be a huge increase in connectivity, data storage and virtual assets, with a commensurate increase in the risks associated with owning and trading them. Theft is still theft, fraud is still fraud but the number of susceptible consumers and business transactions will steeply increase and the traceability of cyber crime can be more difficult in a decentralised Web, where anonymity and regulation- or sanction-evasion schemes are commonplace. While the blockchain can technically make money laundering (or moving money involved in criminal activities) less easy, law enforcement is not currently widely set up to investigate and discover the pathways and people involved, especially when this spans geographical territories and jurisdictions.
Along with the increased risk, there will also be commensurate opportunities for insurtechs to capitalise on the technology to make considerable improvements in core business functions such as underwriting, determining risk and settling claims. By taking advantage of the new technologies, including artificial intelligence, current methods can be challenged.
Increasingly, as transactions are recorded in real-time using blockchain, which automates better quality and encrypted data storage, businesses can take advantage of subsequently automating processes. The insurance sector in particular can benefit in the following areas:
- Fraud detection and risk prevention
New tools and access to customer information provide real-time collection of large amounts of good quality data (including claims information. This allows for more powerful analysis, better pattern recognition and, therefore, detection of possible instances of fraud. This can also help insurers be proactive in fraud/risk prevention by highlighting trends or red flags pre-sale. - Property and casualty (P&C) insurance
Use of blockchain facilitates the digital management, tracking and insurance of physical assets (with real-time data collection and analysis, which is faster and cheaper). Smart contracts can then allow for automated claims processing. Audit trails are also permanently captured. - Health insurance
Patients, insurers and healthcare professionals can potentially benefit from a transparent, accurate and real-time view of medical data. The data provenance and audit trails, which will catalogue and monitor actions from healthcare professionals can help to track (and ultimately possibly prevent) errors. Smart contracts are again useful here as the use of blockchain can present medical events as they occur. Impending technological advancements have the potential to be safer, cheaper, quicker and automated as long as the highly-regulated medical data is protected, and anonymised, where necessary. - Life insurance
Insurers in this area can use a combination of AI and big data to automate underwriting decisions. In many cases policies can be issued without needing traditional approaches, saving time, money and preventing unnecessary medical examinations.Blockchain-powered automation can also reduce claim settlement time and streamline the process. The beneficiaries’ difficult circumstances are therefore not exacerbated by difficult or lengthy claims procedures.
Insurance the current position
Insurance risks
Though insurance liabilities span the real and virtual worlds, considerable risks are increasingly apparent in the technological space. Some of the biggest risks of 2021 were due to Covid19, cyber crime, compliance with regulations and environmental, social and governance (ESG) factors (Schiavone 2021). Cybersecurity is no longer a well-contained, fringe area but a field that spans all aspects of the business. Companies need to continue to appropriately and thoroughly map their business processes in order to properly define the risks and build in their prevention and response to regulation and privacy rights, and not look at cybersecurity as a discrete subset. Fundamentally, technological risks increasingly span the four main subsets of business risk (operational, strategic, compliance and reputational (Fallon 2020)) and this will only expand further.
Corporations have faced a growing set of challenges and requirements within the regulatory view of privacy and cybersecurity in recent years. The reputational and financial costs of data breaches are increasing, with more strict enforcement, higher fines and regulatory costs, and growing third-party liability, culminating in litigation. The legal implications for business continuity, operational resilience and third party risk are being reviewed more closely following outages at banks, healthcare organisations and utility supply.
“While companies may not be able to completely avoid business risk, they can take steps to mitigate its impact, including the development of a strategic risk plan.” – Will Kenton and Julius Mansa, Investopedia (2022)
Corporations increasingly adopting Web3 technologies such as blockchain in their businesses will benefit from the collection of real-time, high quality data and in-built audit trails, as discussed. Unfortunately, despite many advantages, the total risk of breaches does not necessarily decrease. Consider that security is a combination of ‘CIA’ (confidentiality, integrity and availability) and, although the blockchain helps with integrity and availability, it does not inherently provide total confidentiality. In a public blockchain transaction, details are not confidential. Confidentiality and privacy are less mature and are active areas of research and development (Ali and Afzal 2018).
Insurance gaps
Current gaps include insufficient cybersecurity protection. Many organisations (even large ones with considerable liabilities in this space) do not have adequate insurance, or have made the business decision not to insure in this field due to deficiencies in offered coverage. Complete protection is currently either non-existent or prohibitively expensive. A number of large insurance companies announced the removal of payouts for ransomware in 2021. The former head of the NCSC (the United Kingdom’s National Cyber Security Centre) called for a dialogue over whether or not it is time to ban insurers from covering ransomware payments altogether.
A sample corporate policy may currently include:
- Information Security & Privacy Liability
- Data Breach Response Expenses
- Regulatory Defence and Penalties
- Website Media Content Liability
Personal protection available currently includes health, life, travel and a number of aspects of cyber protection (such as cyber bullying and identity theft), and consumers are covered by financial regulations if their money is held in a bank. Consumers can also currently insure their virtual lives (valuable online accounts in certain games) or for personal accidents when using a VR headset, but it is not yet commonplace.
Cyber insurance and cybersecurity for Web3 over the next 5 years
The concept for Web3 and the virtual spaces facilitated by the metaverse explores the idea that in the future our real-time, physical reality will be mirrored and augmented by technology in an online world. The risks that exist to be insured against in reality will still exist, but also digitally and on a magnified level, and in ways that we may not have yet conceived of.
- Cybercrime is predicted to cost the world 10.5 trillion USD annually by 2025
- 66% of SMBs had at least one cyber incident between 2018-2020, according to Mastercard
- ESG factors (seen as an important facilitator of the change needed to tackle climate change and encourage sustainability) will increasingly force regulatory and compliance measures (Morgan 2020)
Figure 3. A visualisation of the Web3 threat landscape, outlining the threats that could potentially affect the interests becoming more relevant in Web3. Source: Secure Delivery Research & Insights 2022
Cyber crime
Cyber crime; encompassing cyberattacks (hacking, data/password/currency theft and network outages, ransoms/ransomware, malware), as discussed, already significantly affects people and businesses. According to Check Point Research (2021), cyberattacks increased 50% in 2021 as compared with 2020, with each organisation facing an average of 925 attacks (mainly automated, Internet-based) per week towards the end of the year. Phishing and ransomware were the primary attack vectors (affecting both large and small businesses), others included: use of penetration testing frameworks, commodity malware and challenges to IT and OT networks.
In Web3 these issues will increasingly affect personal and business investments in cryptocurrency and virtual assets (including potentially valuable online personas in metaverses) as well as regulated (and large volumes of) data.
Web3: Conceptual case study
Potential situation: A person stores their savings in a digital wallet.
Threat: Using a phishing technique, a criminal is able to trick the user into approving a transaction that delegates permission to access their cryptocurrency
Propositions for consumers in this space may include: Education in prevention of phishing, insurance to cover the amount stored in the digital wallet that pays a lump sum in the event of loss
Business interruption
Defined as a corporate liability, in addition to the losses resulting from the interruption, there may also be risks to health/lives when the interruption affects a critical healthcare service or product.
In Web3 this will play a bigger part as more of business and personal data is held online, particularly in the healthcare setting. Access to investments or digital assets will also potentially be affected.
Web3: Conceptual case study
Potential situation: A successful, private hospital uses a blockchain-based approach for pharmaceutical stock levels, ordering and traceability in its supply chain.
Threat: The business is subject to a ransomware attack which puts their pharmaceutical ordering process off-line.
Propositions for a business in this space include insurers enforcing engagement in appropriate risk engineering measures, as well as preventative measures, such as the use of security tools. Benefits such as legal protection, assistance with re-ordering products, compensation payments to patients whose health has been affected by the delay.
Compliance
Compliance issues are already one of the biggest drivers of claims, and compliance risk is growing. Many aspects of Web3 are not currently governed by regulatory/legal requirements.
Compliance & cryptocurrency
The use of digital or cryptocurrencies will increasingly present operational and regulatory risks for financial institutions—borne of uncertainty around potential asset bubbles and the potential for money laundering, ransomware attacks and even ESG issues such as the mining of cryptocurrencies using large amounts of energy (Schiavone 2021).
Wider global recognition and mass adoption of cryptocurrency (and related concepts within the metaverse) will require regulations and international standards to prevent activity such as money laundering, terrorism financing, data control to reasure users of safety and foster trust
Web3: Conceptual case study
Potential situation: A virtual casino, operated online with transactions via cryptocurrency. Not currently regulated or subject to usual reporting or taxation rules.
Threat: Regulations are introduced which affect the business margins, investments, potential wins and potential profits. Affects consumers as well as the casino operators.
Propositions for businesses in this space may include encouraging preparation for this (arguably inevitable) eventuality as well as proposed benefits after the event, such as the provision of legal or accountancy services, or payouts.
Personal
There are innumerable risks to individuals in the real world which will only be added to in the Web3 landscape. There are, of course, already threats to privacy, digital data and virtual assets. However, with more people (and their devices) connected, making more virtual transactions, there is an increased risk of cyber crime and threats to their privacy, data, identity, digital wallets and any virtual property/land/assets. As well as a risk of decreasing value of their currency/tokens and virtual assets/property.
Web3: Conceptual case study
Potential situation: A customer has bought a virtual holiday to an exclusive online resort in the metaverse.
Threat: Their ISP experiences an outage lasting 10 hours which begins on the arrival day of the customer, affecting the enjoyment of the holiday and causing lasting effects from having missed first-day orientation events.
Propositions for consumers in this space may include a version of what we currently recognise as travel insurance but with specific additional wording to recognise the virtual nature of the holiday.
Potential situation: A customer is enjoying an online quiz game in a virtual gaming/gambling platform.
Threat: Having entered a correct answer for a (prize-winning) quiz game, the user experiences a delay in the transfer of their answer (latency) meaning they miss out on the highest prize.
Propositions for consumers in this space may include insuring against the latency issues of their ISP/network connectivity issues which pays compensation for their loss of potential winnings.
Evolution of the threats from now to 2025
The radar shown in figure 4 explores the likelihood and potential increase or decrease of the financial impact of threats, across the interests that are affected, now and into Web3. Datapoints shown in the ‘Now’ sector that are not shown to increase or decrease are presumed to remain at the same financial impact and likelihood level over the next two/three years. Other datapoints can be seen to emerge later that are not yet significantly relevant.
Figure 4. Risk radar demonstrating projected near-term variation in financial impact and likelihood of potential threats in Web3. Source: Secure Delivery Research & Insights 2022
Though new technologies such as AI, biometrics and virtual currencies will likely raise new risks and liabilities (Schiavone 2021), there will also be considerable benefits to their use. There is an opportunity for insurance to evolve for the better, to take advantage of advancements in AI and machine learning to collect real-time data, and offer the most appropriately customised services and protection. For example, it’s estimated that adopting emerging innovations such as AI could save insurers as much as 2.3 billion USD by 2024:
- Machine learning algorithms can analyse car accidents and estimate repair costs up to 10x faster than humans
- Health data generated by wearable devices and recorded in the blockchain can be more reliable indicators of life expectancy than actuarial tables. Real-time health metrics provide improved risk differentiation and more accurate pricing than recording morbidity and mortality at single points in time. Wearables also provide motivation to engage in risk-lowering behaviours and can offer rewards based on this.
- Automating analysis of fraudulent claims already saved the insurance industry 260 million USD in 2019
(Love 2022, Farrell 2020)
Ideal protections would include risk mediation efforts on the part of the businesses and appropriate insurance propositions, incorporating ultra-efficient underwriting.
Insuring the future of the Web
The acceleration and wider adoption of Web3 may happen rapidly or its popularity will be tempered by the disadvantages:
- The energy expenditure required to mine cryptocurrency is huge (Cambridge Centre for Alternative Finance 2022). As a species looking to slow the effects of the climate crisis on the planet, this is suboptimal.
- Trading of NFTs and other virtual assets is speculative and does not usually have a foundation built on real assets, they may not retain their value in the long term.
In the first instance; for businesses and entrepreneurs to further invest in this space, take the associated risks and develop this technology, there need to be appropriate failsafes. Secondly, for businesses, investors and consumers transacting in the near future; prevention and protection is necessary.
Since assets will include cryptocurrencies, NFTs, other virtual objects and experiences, insurers will be looking to create cyber policies that cover hacking, data theft and network outages as well as non-physical losses. It has been proposed that a new concept of insurance will bloom in the Web3 world for the next wave of users (so-called ‘neo insurance’).
Figure 5. The neo insurance model. Source: Secure Delivery Research & Insights 2022
DeFi-enabled insurance companies and the wider adoption of cryptocurrencies are starting to facilitate the reimagining of how insurers think about their financial products and services. Distributed ledger technology, real-time data collection and claims automation through decentralised solutions, is leading to more transparency and connectivity in digital spaces. Insurers should focus on investment in innovation and tech adoption to stay current and capture the changing (and growing) virtual market.
Discovermarket’s recommendations to define compelling propositions for Web3
Discovermarket was founded with the aim of revolutionising the way insurance is perceived and centralised with a view to closing the protection gap in separated and emerging markets. Insurers can adapt and stay relevant in this shifting market by focusing on the following principles:
- Considering hiring employees with technological expertise, as well as upskilling their current workforce
- Carefully monitoring market trends, tracking data available—utilising cyber threat intelligence
- Taking advantage of novel technologies (data collection, AI, smart contracts)
- Anticipating needs by offering appropriate risk mediation efforts and insurance propositions at the earliest opportunity
There is considerable value in the market currently with 275 billion USD in total value locked in DeFi, which has grown exponentially (up ~17x year-on-year). It’s therefore projected to reach 785 billion USD by 2025. Assuming a 10% insurance penetration rate, there is a 78 billion USD market available (Love 2022). Data from Juniper Research (2019) forecasts that the value of AI-underwritten insurance premiums will exceed 20 billion USD by 2024. Additional benefits of insurers becoming more invested in Web3, and its technological advancements, include:
- Micropayments result in decreased admin for businesses with additional trust and perception benefits from consumers
- Ultimate proof of value at key moments (eg. death) (related to timeliness of payment)
- The increasing value of offering risk mitigation services
Ultimately, insurers proactively becoming educated in, and taking advantage of, the emerging advancements will drive sales, increase customer engagement and gain a competitive advantage.
Proactive prevention/risk engineering
Having appropriate insurance in place is a necessary last resort. When it comes to cyber risk, the impact on business continuity, regulatory fines and reputational damage is of primary concern to businesses. Increasing preparedness, reducing both the likelihood and impact of a cyber incident is of benefit to both insurers and customers.
Financial incentives for customers adopting preventative approaches have their place, but having these measures implemented brings businesses far greater benefit from improved operational capability and reduced operational risk than any potential premium reduction. This can be conveyed to customers through a combination of discounted premiums and clearly laying out these measures as prerequisites for underwriting.
For incorporated businesses operating within the field of decentralised finance, all of the traditional cyber risk reduction measures are still required, including:
- Having documented incident response procedures to meet national level reporting obligations to regulators and law enforcement
- A continuous programme of training for all staff, including company leaders, in cybersecurity as it applies to their role and responsibilities
- Attaining certification to recognised information security standards such as the ISO27000 series and SOC 2
Decentralised finance decentralises risk, however, for incorporated businesses with a responsibility to their customers there has to be an even stronger focus than usual on educating their customers in cybersecurity—ensuring they have the necessary knowledge and procedures in place themselves to stay safe and secure financially. Should a customer’s blockchain-based assets be irrevocably transferred illegally then there is a serious risk that national legal systems will find the business at fault and liable to civil or even criminal legal proceedings.
The Securities and Exchange Commission (2022) recently proposed updated rules for US companies in March 2022: “We are also proposing to require periodic disclosures about a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk.”
What does the right protection for Web3 look like?
Web3 is already creating new types of transactions and ownership that will benefit from more transparent insurance products and services. AI and smart contracts will allow for improved streamlining and increased market penetration.
In addition to taking advantage of the technological innovations available, insurers can ensure their practices remain up-to-date by introducing or utilising:
1. Potential incentives for adopting preventative approaches, provided by insurers
- Points-based incentives for risk management offering percentage discounts
- Discounted security tools
- Discounted training packages
- Provision of CISO support, or equivalent, as an advisor or guardian of digital assets
With the aim of converting high risk customers into low risk customers, similar to how health insurers collect data via smart devices to monitor improvements in health and offer rewards and discounts. Insurers will benefit from real-time availability of data with transparency of business practices (eg. mapping business practices to support, visibility of training completed, demonstration of data backups etc.).
2. Prerequisites for underwriting
- In-built reporting obligations (to regulators/customers in case of data breach)
- Mandatory business use of multi-factor authentication/’Zero Trust approach’ etc.
- Use of appropriate security tooling for continuous monitoring of digital product development and end products
- Ensuring staff are trained and kept up-to-date with best-practice, security-focused development, through onboarding and continuous coaching programmes
- Yearly audits, with use of approved testing methods (eg. OWASP Application Security Verification Standard (ASVS) levels 1 and 2) (OWASP)
Self-reported questionnaires could enable an assessment of the level of preparedness, with insurers empowered to require a certain level before provision of cover.
Emerging legal and compliance requirements will also likely put more responsibility on businesses to ensure they are acting in accordance with more robust safeguarding measures.
3. Specific building blocks for policies to allow more efficient, timely and personalised underwriting
Insurers will stay current by providing a way for consumers or businesses to tailor what they need—a feedback and input method, backed up by AI to instantly predict risk and underwrite. Allowing for the appropriate terminology of risks such as ‘cryptocurrency’, ‘metaverse’ etc. Insurers’ increased access to operational and behavioural data will enable these enhanced data analysis capabilities.
3. Benefits that fit
Web3 will allow insurers to provide a more efficient and streamlined way to offer appropriate benefits that are in sync with the personalised underwriting.
Types of benefit may still include:
- Cash benefit/lump sums
- Payment in kind
- Assistance
- Replacement
- Service
- Data recovery
- Legal advice
- Psychological care
The Web3 future will create new types of transactions and novel modes of ownership, necessitating a need for more transparent insurance products. An increasingly decentralised business model may well shift the risks away from insurers, allowing them to focus on prevention and facilitating decentralised (or shared) responsibility for risk. Web3 will see increased opportunities for partnerships with, for example, wearables manufacturers, cybersecurity education or tooling companies, smart contract creators and insurance protection partners to further augment an improved insurance market.
Summary
We are presently living through the generational shift into Web3. Currently best defined by ‘decentralised’ protocols, however, a more firm definition will emerge in time, retaining some aspects more than others. While Web3 can technically exist without many of the concepts described in this paper, (and those concepts could also exist outside of Web3) the dominant themes will organically solidify over the next five years.
From a risk perspective, in web 1.0 there was no or very low risk, with the centralised guardians of data in Web2.0 profiting from it while historically not taking very good care of it. Web3 will return ownership of data to its originators and hopes to provide more secure global digital transactions across a decentralised foundation. In real terms, there will be increased risk commensurate with the increase in users, data, processes and transactions, but relatively we are striving for a decreased proportion at risk.
Risks within Web3 will encompass those we experience already as well as those based on novel interests and threats surrounding cryptocurrency and virtual assets, regulated (big) data, new regulations and international standards and new avenues for accidents or injury (based on the use of AR devices and increasingly connected tools/vehicles).
New technologies and concepts within Web3, such as blockchain, AI/machine learning and smart contracts can benefit the insurance industry by allowing real-time and better quality data collection and storage, and automation of processes.
Given the progressive decentralisation and exponentially growing market, it’s likely that the role of insurers will increasingly include proactive protection and risk mediation efforts to augment their more efficient (automated) underwriting and claims processing. It’s also predicted that the traditional model of insurance will continue to shift through neo insurance to increasingly decentralised models and with more reliance on partnerships.
Resources & references
Ali, A and Mazhar Afzal, M. (2018). Confidentiality in Blockchain. International Journal of Engineering Science Invention (IJESI), 7, pp. 2319–6734. Available from: http://www.ijesi.org/papers/Vol(7)i1/Version-1/H0701015052.pdf [Accessed 10 June 2022]
Bybit Learn. (2021). Token vs. Coin: What Sets Them Apart? Available from: https://learn.bybit.com/crypto/token-vs-coin/ [Accessed 10 June 2022]
Cambridge Centre for Alternative Finance. (2022). Cambridge Bitcoin Electricity Consumption Index. Available from: https://ccaf.io/cbeci/index [Accessed 10 June 2022]
Chainalysis. (2022). The 2022 Crypto Crime Report. Original data and research into cryptocurrency-based crime. Available from: https://go.chainalysis.com/2022-Crypto-Crime-Report.html [Accessed 10 June 2022]
Check Point Research. (2021). Cyber Attacks Increased 50% Year over Year. Available from: https://blog.checkpoint.com/2022/01/10/check-point-research-cyber-attacks-increased-50-year-over-year/ [Accessed 10 June 2022]
Ethereum.org. (2022). Decentralized finance (DeFi). Available from: https://ethereum.org/en/defi/ [Accessed 10 June 2022]
Fallon, N. (2020). Business News Daily. 6 Biggest Business Insurance Risks (and How to Mitigate Them). Available from: https://www.businessnewsdaily.com/9024-biggest-business-insurance-risks.html [Accessed 10 June 2022]
Farrell, M. (2020). Wearables in Insurance: Where Do We Go From Here? Available from: https://www.soa.org/globalassets/assets/files/resources/research-report/2020/actuarial-practice-innovation-essays.pdf [Accessed 10 June 2022]
Frankenfield, J. (2022). Cryptocurrency. Investopedia. Available from: https://www.investopedia.com/terms/c/cryptocurrency.asp [Accessed 10 June 2022]
Juniper Research. (2019). Global AI insurance premiums to exceed $20Bn by 2024. Available from: https://www.juniperresearch.com/press/global-ai-insurance-premiums-exceed-20-bn-2024 [Accessed 10 June 2022]
Kenton, W and Mansa, J. (2020). Business Risk. Investopedia. Available from: https://www.investopedia.com/terms/b/businessrisk.asp [Accessed 10 June 2022]
Love, C. (2022). Insurtech Predictions: Insurance, the industry technology forgot to change is now changing. Available from: https://medium.com/lightspeed-venture-partners/insurtech-predictions-insurance-the-industry-technology-forgot-to-change-is-now-changing-dc096351b6c2 [Accessed 10 June 2022]
Maayan, GD. (2020). The IoT Rundown For 2020: Stats, Risks, and Solutions. Security Today. Available from: https://securitytoday.com/Articles/2020/01/13/The-IoT-Rundown-for-2020.aspx?Page=1 [Accessed 10 June 2022]
MetaMetric Solutions. (2022). Via CNBC. Metaverse real estate sales top $500 million, and are projected to double this year. Available from:
https://www.cnbc.com/2022/02/01/metaverse-real-estate-sales-top-500-million-metametric-solutions-says.html [Accessed 10 June 2022]
Morgan, S. (2020). Cybercrime Magazine. Cybercrime To Cost The World $10.5 Trillion Annually By 2025. Available from: https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/ [Accessed 10 June 2022]
Natalee. (2022). Akutar Launch: What Happened to Lock $34M Forever. Available from: https://www.nftculture.com/nft-news/akutar-launch-what-happened-to-lock-34m-forever/ [Accessed 10 June 2022]
OWASP. OWASP Application Security Verification Standard. Available from: https://owasp.org/www-project-application-security-verification-standard/ [Accessed 10 June 2022]
Schiavone, P. (2021). Top Risk Concerns for 2021. InsuranceThoughtLeadership.com
Available from: https://www.insurancethoughtleadership.com/risk-management/top-risk-concerns-2021 [Accessed 10 June 2022]
Securities and Exchange Commission. (2022). Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Available from: https://www.sec.gov/rules/proposed/2022/33-11038.pdf [Accessed 10 June 2022]
Sharma, R. (2022). Decentralized Finance (DeFi) Definition. Investopedia. Available from: https://www.investopedia.com/decentralized-finance-defi-5113835 [Accessed 10 June 2022]
Steiner, J. (2017). Blockchain Will Bring Empowerment And Transparency To Development. Huffington Post. Available from: https://www.huffingtonpost.co.uk/jutta-steiner/blockchain-will-bring-emp_b_15353760.html [Accessed 10 June 2022]
Web3 Foundation. (2022). About. Available from: https://web3.foundation/about/ [Accessed 10 June 2022]
Yogi, MK et al. (2017). Mist Computing: Principles, Trends and Future Direction. SSRG International Journal of Computer Science and Engineering (SSRG-IJCSE), 4(7), pp. 19-21. Available from: https://arxiv.org/pdf/1709.06927.pdf [Accessed 10 June 2022]
Publishing details
Published by Discovermarket Asia Pte. Ltd.
Referencing and re-use
Reproduction in part or in whole is permitted only if the source is cited.
Important note
The authors and publishers assume no liability for decisions taken on the basis of this paper or for any consequences thereof.