Group-IB, an international company that specialises in preventing cyber attacks, and a Swiss insurance broker ASPIS SA that owns CryptoIns project, have developed the world’s first scoring model for assessing cryptocurrency exchange cybersecurity, allowing the exchanges’ clients to insure their assets. According to CryptoIns analysts, the crypto assets insurance market is expected to reach $7 billion by 2023.
While developing the insurance program the two companies have scored more than 20 crypto exchanges and crypto wallets providers using both open-source information, available on exchanges’ websites and analytical capabilities of Group-IB’s Threat Intelligence (TI) system. In particular, Group-IB TI correlates information about different cyber threats, Internet fraud, data leaks, attacks and hackers’ activity in real time, which allows to analyse past incidents, predict and mitigate any targeted attacks, including on cryptocurrency exchanges.
Based on the risk score, CryptoIns experts have calculated insurance rates for cryptocurrency exchange users who can now insure their accounts against cyber threats. The list of platforms now includes large exchanges, such as Kraken, Binance, Coincheck, Bithumb, HitBTC and many more. The full list of platforms is available on CryptoIns website. Going forward, the list of exchanges where users are eligible for insurance is expected to expand.
Group-IB assesses cryptocurrency exchanges’ security with criteria such as level of technical security, the reliability of storage of keys, passwords, and personal data of customers. Group-IB also evaluates exchanges’ infrastructure and architecture in order to understand ways to counter potential threats. This assessment focuses on open source data – white papers, information about founders, security policies. In some cases, with founders’ consent, the assessment includes penetration testing using social engineering methods aimed at the network compromise through the most vulnerable link at any organisation– humans.
It also takes into consideration the quality of the risk management systems, the availability of KYC/AML guidelines and independent ratings of the exchanges. Group-IB also creates an incidents map for every exchange. This map represents a detailed profile that shows the history of attacks on a particular exchange, any incidents involving fraud, attempts to compromise users or investors or any other information that can be found in Group-IB TI.
Initial scoring by CryptoIns includes the assessment of traded volume, traders’ activity, internal fees and other characteristics. Exchanges are then sorted into one of four risk groups based on the aggregated information. The first group is the least vulnerable, and the second and third groups are rated satisfactory and low in security risk, respectively. CryptoIns doesn’t provide insurance for users on the exchanges that find themselves in the fourth group.
Based on this classification, CryptoIns experts calculate insurance rates for different exchanges depending on the risk group. The most common rate is 1.9% with the maximum amount of 15BTC or equivalent in other cryptocurrencies that can be protected on one exchange. The insurance period ranges from 90 to 365 days. Protection can be renewed at the end of the period.
“Currently, approximately 3,600,000 BTC are stored in user accounts on cryptocurrency exchanges, making this market highly attractive for hackers,” explains Timofey Volkov, CEO of CryptoIns. Implementing insurance mechanisms in the cryptocurrency market is no easy task. One has to take into account many nuances, including those related to legislation. The challenge for insurers is how to cover emerging risks for customers in a young industry formed by completely new technologies and relationships between market participants. Collaboration with one of the leading international cybersecurity companies will help us organise and conduct pre-insurance evaluations of the exchanges in order to assess their security, as well as the potential for fraudulent activities on the part of the founders and management.”
According to Group-IB’s annual “2018 Hi-Tech Crime Trends” report, the estimated damage caused by targeted attacks on cryptocurrency exchanges in 2017 and the first three quarters of 2018 amounted to $877 million. During this period, at least 13 crypto exchanges were hacked. Five attacks have been linked to North Korean hackers from Lazarus state-sponsored group. Hackers attack not only exchanges, but also its clients. A Group-IB report “2018 Cryptocurrency Exchanges: Analysis of User Account Leaks” shows a steady increase in incidents involving compromised user accounts. From 2016 to 2017, the number of such incidents increased by 369 percent.
The lack of reliability and security of storing and withdrawing funds is one of the main deterrents for institutional investors managing cryptocurrency assets. “The crypto industry does not have sufficient means of securing customers’ funds against attacks by scammers and hackers”, commented Andrey Busargin, Director of Brand Protection at Group-IB. “Under the current circumstances, insurance of cryptocurrency assets on crypto exchanges is a good way to shield yourself from the risks most users are usually unaware of. Without a doubt, in order to create an insurance product it is important to involve independent experts specialised in countering cyber threats, who have access to unique data sources for crypto exchanges’ security assessment. Cryptocurrency exchanges collaborating with Group-IB help us create a more detailed cybersecurity profile, which at the end of the day improves their security and attracts new customers”.