3 Key Facts
$2.72 billion was stolen from crypto firms in 2025, per TRM Labs and Chainalysis data cited by TechCrunch and Decrypt — surpassing all prior annual records. The Bybit hack alone accounted for $1.46 billion of that total. North Korean state-sponsored actors were responsible for at least billion of the year’s losses, per Elliptic and Chainalysis. Despite this, the vast majority of crypto firms still operate without adequate cyber insurance coverage, and many that do hold policies face surprise exclusions when claims are filed.
Cyber insurers are tightening underwriting standards significantly in 2026, according to Allianz, Wiley Law, and Infosecurity Magazine analysis. New exclusions now cover state-sponsored attacks, AI-driven exploits, third-party vendor failures, and incidents arising from unpatched known vulnerabilities. Firms that cannot document MFA deployment, endpoint detection, immutable backups, and incident response plans face denial of coverage or sharp premium increases at renewal.
Premium pricing has softened — 44% of accounts saw decreasing premiums at renewal by Q3 2025, per Founder Shield data — but this masks a harder reality: broader exclusions, stricter documentation requirements, and rising compliance obligations under DORA, NIS2, and SEC cybersecurity disclosure rules mean the cost of a bad claim has never been higher, even as the headline premium number appears lower.
The Bybit hack in February 2025 was the largest theft in the history of cryptocurrency. A compromised developer laptop gave North Korean operatives access to a multi-signature cold wallet, and $1.46 billion in Ethereum was gone in hours. Bybit survived — barely — because it had reserves large enough to absorb the hit. Most crypto firms do not have that buffer. The question is whether their insurance does.
The answer, for most firms, is more complicated than they realize. Cyber insurance for crypto firms exists, is increasingly available, and has become cheaper on headline pricing since the 2022 premium spike. But the gap between what founders think is covered and what is actually covered has never been wider. State-sponsored attacks, smart contract exploits, third-party custody failures, and incidents arising from known unpatched vulnerabilities all sit in grey zones that insurers are actively narrowing through new exclusion language in 2026.
This guide covers what cyber insurance actually covers for crypto firms, the nine exclusions most likely to invalidate your claim, how underwriters assess crypto-specific risk, and the specific steps that demonstrably reduce premiums. For context on the breach landscape, see our coverage of the Figure Technology data breach by ShinyHunters and the Bank of America quantum-resistant blockchain patent — a signal of how seriously institutional players are taking the security infrastructure question.
| Figure | What It Measures |
|---|---|
| $2.72B | Stolen in 2025 (TRM Labs) |
| $1.46B | Bybit alone (Feb 2025) |
| 44% | Accounts with lower premiums at renewal, Q3 2025 |
| 30%+ | Major cyber claims originating from third-party vendors |
1. What Cyber Insurance for Crypto Firms Actually Covers
Standard cyber insurance policies written for crypto firms typically fall across four coverage types, per the American Bar Association’s 2025 cyber insurance analysis. Understanding which type applies to which scenario is the first thing a crypto founder needs to get right — most policies do not provide all four in a single instrument, and the definitions of key terms vary significantly between carriers.
| Coverage Type | What It Covers | Crypto-Specific Examples |
|---|---|---|
| Data Breach | Incident investigation and forensics, data and identity recovery, legal fees, notification costs to affected users, regulatory fines from breach disclosure obligations, PR and reputational response costs. | KYC/AML database leak, customer wallet address exposure, employee credential theft. The Figure Technology breach by ShinyHunters is a recent example of this exposure type. |
| Ransomware / Extortion | Ransom payments (including in cryptocurrency), extortion consultant fees, system restoration costs, business interruption during downtime, data reconstruction. | Trading platform taken offline by ransomware, validator node encryption, admin panel locked pending ransom. Note: ransom payment coverage has specific sub-limits and insurer-approval requirements in most policies. |
| Loss of Funds / Cybercrime | Wire fraud, social engineering fund transfer fraud, push payment fraud, cryptojacking losses. Coverage definitions vary sharply between carriers — the exact wording of “funds transfer fraud” and “social engineering” determines whether a claim is paid. | CEO impersonation leading to unauthorized withdrawal, SIM-swap resulting in account takeover and fund drain. Two 2025 court cases (Kane v. Syndicate 2623 and Connelly Law v. Cowbell Cyber) found ambiguity in fund transfer fraud definitions, per Wiley Law’s 2026 analysis. |
| Tech E&O / Specific Incidents | Errors and omissions from code failures, system downtime caused by a breach, cryptojacking, bricking of systems. D&O liability tied to cyber incidents requires careful review — many D&O policies contain broad cyber exclusions that create uncovered gaps. | Smart contract coding error that enables drain, exchange downtime following DDoS, oracle manipulation resulting in wrongful liquidations. SEC enforcement actions for inadequate cybersecurity disclosure are an emerging D&O/E&O intersection risk. |
One structural issue specific to crypto firms: most standard cyber policies set primary layer limits at $5 million, per American Bar Association data. For an exchange holding hundreds of millions in customer assets, that primary layer covers a fraction of a realistic loss scenario. Institutional crypto firms typically need excess layers and speciality coverage through Lloyd’s syndicates or dedicated crypto insurers to achieve meaningful protection.
2. The Nine Exclusions Most Likely to Invalidate a Crypto Insurance Claim
This is where most crypto founders get surprised. The policy exists, premiums were paid, an incident occurred — and the claim is denied. Per analysis from Insurance Thought Leadership, Allianz’s 2025 cyber report, and Wiley Law’s 2026 predictions, the following nine exclusion categories are being applied more aggressively in 2026 than at any prior point in the market’s history.
| Exclusion | What It Means in Practice | Crypto Example |
|---|---|---|
| State-Sponsored / Nation-State Attacks | If an attack is attributed to a state actor, most standard policies exclude coverage under war or hostile acts exclusions. Captive insurance structures or specialist Lloyd’s policies are the only reliable path around this. | The $1.46B Bybit hack, attributed to North Korea’s Lazarus Group. Had Bybit held a standard policy, attribution to a state actor would likely have triggered denial. |
| Known Unpatched Vulnerabilities | If a firm was aware of a vulnerability and failed to patch it before an incident occurred, insurers are denying claims on the basis of preventability. Documented remediation timelines are now a condition of coverage, per Allianz 2025 report. | Smart contract with a known audit flag exploited before patch deployment. Dependency library with published CVE not updated before drain. |
| Third-Party / Vendor Failures | Over 30% of major cyber claims now originate from third-party vendor incidents, per Founder Shield. Most standard policies exclude losses where the originating failure was in a vendor’s system rather than the insured’s own infrastructure. | Custody provider breach leading to client asset loss. AWS outage causing platform downtime and business interruption. Safe developer compromise (the vector in the Bybit hack). |
| Missing MFA on Critical Systems | MFA on remote access, VPN, admin accounts, and email is now a baseline coverage requirement. Claims are being denied where MFA was not deployed on systems involved in the incident, per MIS Solutions and Insurance Thought Leadership analysis. | Admin console accessed via compromised password alone. Exchange hot wallet signing key accessed through account without MFA. |
| Smart Contract Exploits | On-chain smart contract exploits fall outside most standard cyber policies because they involve the loss of digital assets through code execution, not a traditional data breach. Specialist DeFi coverage or protocol-level insurance (Nexus Mutual, Sherlock) is required for this risk. | Flash loan oracle manipulation. Reentrancy attack. Cetus Protocol’s $223M exploit on Sui in May 2025. |
| Insider Threats / Employee Fraud | Intentionally dishonest or criminal acts by employees are excluded under most standard cyber policies. Employee crime coverage requires a separate fidelity or crime policy. The Coinbase breach in May 2025 — where overseas subcontractors were bribed to leak customer data — sits in this territory. | Subcontractor bribed to leak KYC data. Insider key extraction. Rogue developer with privileged access. |
| AI-Driven Attacks | Insurers are implementing AI exclusions across E&O, D&O, and cyber policies in 2026, per Lexology and Wiley Law. These exclusions are often written broadly — any claim “in any way involving” AI systems of any party. Specific endorsements confirming coverage for AI-enabled social engineering attacks are available from some carriers. | Deepfake CEO voice used in social engineering transfer authorisation. AI-automated credential harvesting at scale. Hyper-personalised phishing generated by LLM. |
| Regulatory Fines Beyond Policy Sub-Limits | Coverage for fines and penalties is typically sub-limited and subject to the insured being able to demonstrate documented compliance at the time of the incident. SEC enforcement actions under the 2024 cybersecurity disclosure rules represent a significant emerging exposure with limited coverage certainty. | SEC action for inadequate cybersecurity disclosure. GDPR fine following a KYC data breach. FinCEN penalty following a breach that exposed AML controls. |
| Systemic / Catastrophic Events | Events affecting multiple policyholders simultaneously — like the CrowdStrike outage in 2024 — expose insurers to aggregated risk they manage through systemic exclusions. The threshold for how many affected entities triggers exclusion varies by carrier. One form reviewed by Lexology set the trigger at 15 affected firms. | Shared oracle failure affecting multiple DeFi protocols simultaneously. Major cloud provider outage impacting multiple hosted exchange platforms. |
3. How Underwriters Assess Crypto-Specific Risk in 2026
Cyber insurance underwriting for crypto firms in 2026 is no longer a questionnaire exercise. It is increasingly treated as an audit. Underwriters are requesting documentation, not just declarations. The shift was driven by years of paying claims insurers believed were preventable — and it has permanently changed what “applying for cyber insurance” means for a crypto business.
The following are the controls underwriters prioritise when assessing crypto firms, based on Founder Shield’s 2026 analysis, MIS Solutions’ renewal guidance, and Allianz’s 2025 cyber report:
| Control Area | What Underwriters Want to See | Impact on Premium |
|---|---|---|
| MFA Deployment | MFA enforced on all remote access, VPN, admin accounts, email. Hardware key preferred over SMS. Must be documented and auditable, not just self-declared. | High — absent MFA is grounds for coverage denial |
| Endpoint Detection (EDR) | Real-time EDR tools on all endpoints. Traditional antivirus is no longer accepted as equivalent. Insurers increasingly reward EDR deployment with premium discounts, per Founder Shield’s 2026 report. | High — material premium reduction for documented EDR |
| Immutable Backups | Backups that cannot be modified or deleted by ransomware. Tested restore procedures. Air-gapped or offline backup copies. Underwriters specifically ask whether backups are immutable and tested. | Medium-High — key ransomware coverage gate |
| Incident Response Plan | Documented IR plan with named roles, tested runbooks, and a retained IR firm. Plans that exist only on paper and have never been exercised are noted negatively. Tabletop exercises in the past 12 months are increasingly required. | Medium — affects coverage terms and limits |
| Third-Party Risk Management | Formal TPRM program with continuous vendor monitoring, not annual questionnaires. Contractual safeguards with vendors specifying security standards and breach notification obligations. Per Founder Shield, TPRM is shifting from nice-to-have to a coverage condition. | High — >30% of claims originate from vendor failures |
| Privileged Access Controls | PAM (Privileged Access Management) tools, just-in-time access provisioning, separation of duties on signing keys. For crypto firms specifically: multi-sig governance, key ceremony documentation, and hardware security module deployment. | High for crypto firms — cold wallet governance is critical |
| Security Awareness Training | Documented annual training, simulated phishing drills, and specific focus on high-risk roles (executives, finance, developers with key access). Per Founder Shield, training records are now requested at underwriting. | Medium — phishing remains the most common attack vector |
One shift noted by Infosecurity Magazine’s December 2025 analysis: the softening premium market of 2025 — where 44% of accounts saw decreasing premiums at renewal — came paired with broader exclusions and higher documentation burdens. The headline premium went down; the coverage actually got narrower. For crypto firms evaluating renewal options, the advice from Infosecurity’s experts was consistent: “Figure out what coverage you need before you meet with the broker. Be willing to pay a small amount extra to avoid unpleasant exclusions.”
4. The 2025 Breach Landscape: What Happened and What It Means for Coverage
The specific incidents of 2025 are not just news stories — they are underwriting data points that directly shaped how insurers priced and structured crypto coverage going into 2026. Per TRM Labs and Chainalysis data cited by TechCrunch and Decrypt, $2.72 billion was stolen in 2025 across approximately 200 security incidents. Here are the defining cases and their insurance implications:
| Incident | Loss | Vector | Insurance Implication |
|---|---|---|---|
| Bybit (Feb 2025) | $1.46B | Compromised Safe developer laptop, multi-sig cold wallet drain. Attributed to North Korea’s Lazarus Group by Chainalysis and Elliptic. | State-sponsored exclusion likely applies. Third-party vendor failure (Safe). On-chain crypto asset loss typically outside standard policy scope. Bybit survived on reserves, not insurance. |
| Coinbase (May 2025) | Up to $400M | Overseas subcontractors bribed to leak customer data. No funds or keys stolen, but remediation and notification costs reached up to $400M. | Classic data breach coverage scenario — notification, legal, PR, regulatory costs. Insider/employee crime exclusion may apply depending on policy language around third-party agents. Strong TPRM documentation critical for claim. |
| Cetus Protocol / Sui (May 2025) | $223M ($162M recovered) | Smart contract exploit using spoof tokens to manipulate price calculations. DeFi protocol on Sui. $162M frozen and recovered via governance action. | Smart contract exploit falls outside standard cyber policy. On-chain parametric insurance or DeFi-native coverage (Nexus Mutual, Sherlock) is the correct instrument. The recovery story shows governance mechanisms can substitute for insurance in DeFi contexts. |
| Figure Technology (2025) | Data exposure | ShinyHunters group leaked customer data. Covered in detail in our Figure Technology breach analysis. | Standard data breach coverage should apply for forensics, notification, and regulatory response — subject to documented security controls being in place at time of breach. |
| BtcTurk / Upbit (2025) | $86M combined | Hot wallet compromises. Upbit attributed to Lazarus Group (North Korea). Meme coin assets among stolen holdings. | State-sponsored exclusion risk for Upbit. Hot wallet compromise may be covered under loss of funds or cybercrime if not attributed to state actors and MFA controls were in place. Cold vs hot wallet distinction matters for coverage scope. |
5. How to Lower Your Cyber Insurance Premiums: The Actionable Checklist
The firms that achieve the best coverage terms in 2026 are not necessarily the ones with the smallest risk profiles — they are the ones that can document their risk management most clearly. Per Founder Shield, MIS Solutions, and Infosecurity Magazine’s expert guidance, the following actions demonstrably reduce premiums and improve coverage terms at renewal.
Premium Reduction Checklist for Crypto Firms
| # | Action |
|---|---|
| 1 | Deploy and document MFA everywhere. Remote access, VPN, admin consoles, email, signing tools. Use hardware keys for privileged accounts. Provide written attestation to your broker before renewal — verbal confirmation is no longer sufficient. |
| 2 | Replace antivirus with EDR. Endpoint detection and response tools that provide real-time threat visibility are specifically rewarded with lower premiums by insurers, per Founder Shield. Document the tool, its coverage scope, and your response SLAs. |
| 3 | Test your backups, then document the test. Immutable backups with a tested restore procedure are a ransomware coverage gate. If you cannot prove backups are immutable and have been tested in the past 12 months, a ransomware claim is at risk of denial. |
| 4 | Run a tabletop exercise in the 90 days before renewal. Documented IR exercises with named roles and a retained IR firm are increasingly required — not just asked about. Firms that have run a tabletop in the past year receive materially better terms. |
| 5 | Build a formal TPRM program before renewal. Continuous vendor monitoring, not annual questionnaires. Contracts with all critical vendors that specify security standards, audit rights, and breach notification timelines. Over 30% of major claims come from vendor failures — insurers know this and price accordingly. |
| 6 | Document your key management and cold storage governance. For crypto-native firms, multi-sig key ceremony documentation, HSM deployment records, and cold wallet governance policies are underwriting inputs that no standard industry questionnaire asks for — but any experienced crypto insurer will want to see. |
| 7 | Consider a captive structure for state-sponsored and AI risk. Standard market policies increasingly exclude these at the policy form level. Captive insurance structures allow firms to self-insure against exclusions like state-backed cyberattacks and AI liabilities, keeping premiums and underwriting profit within the organisation, per Insurance Thought Leadership. |
| 8 | Start the renewal process at least 90 days early. Underwriting questionnaires are now treated as audits. Firms that begin preparation days before renewal consistently receive worse terms than those that begin 90 days out and have time to remediate gaps identified during the process. |
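The controls table in section 3 and checklist items 1, 2 and the "known unpatched vulnerabilities" exclusion in section 2 all turn on the same thing: the firm must be able to produce auditable evidence rather than self-declarations. The script below is an added illustration, not code from the article or from any insurer or broker named in it. It evaluates three constructed inventories (an identity-provider export of accounts, an endpoint list, and a vulnerability-finding log) against the underwriting expectations the article describes: MFA on admin, VPN, email and remote-access accounts with hardware keys for privileged roles and SMS not counted; EDR on every endpoint; and a documented remediation timeline per finding. The field names, the role labels and the per-severity patch SLAs are assumptions chosen for the example, and every record is constructed sample data.

```python
"""Underwriting-evidence check over constructed control inventories (added example)."""
from datetime import date, timedelta

# --- Constructed sample data; field names are hypothetical, not any real IdP/EDR export format ---
ACCOUNTS = [
    {"user": "alice", "roles": ["admin"], "mfa": "fido2"},           # hardware key on admin: ok
    {"user": "bob", "roles": ["vpn"], "mfa": "totp"},                # TOTP acceptable for non-privileged
    {"user": "carol", "roles": ["signer", "admin"], "mfa": "sms"},   # SMS does not count as MFA here
    {"user": "dave", "roles": ["email"], "mfa": None},               # no MFA on email
    {"user": "erin", "roles": ["signer"], "mfa": "totp"},            # signing role without hardware key
    {"user": "frank", "roles": ["readonly"], "mfa": None},           # no MFA-required role: not assessed
]
ENDPOINTS = [
    {"host": "dev-laptop-01", "edr": True},
    {"host": "dev-laptop-02", "edr": False},   # legacy antivirus only: not accepted as equivalent
    {"host": "ops-desktop-01", "edr": True},
]
FINDINGS = [  # constructed vulnerability findings with discovery and fix dates
    {"id": "FIND-001", "severity": "critical", "found": date(2026, 1, 5), "fixed": date(2026, 1, 9)},
    {"id": "FIND-002", "severity": "high", "found": date(2026, 1, 20), "fixed": None},
    {"id": "FIND-003", "severity": "medium", "found": date(2026, 2, 1), "fixed": date(2026, 2, 10)},
    {"id": "FIND-004", "severity": "medium", "found": date(2025, 12, 1), "fixed": date(2026, 1, 15)},
]
AS_OF = date(2026, 3, 1)  # assumed renewal-preparation date

# --- Policy parameters (hypothetical internal policy, modelled on the article's control table) ---
PATCH_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
STRONG_MFA = {"fido2", "hardware_key"}              # hardware-backed factors
ACCEPTABLE_MFA = STRONG_MFA | {"totp", "push"}      # SMS deliberately excluded
PRIVILEGED_ROLES = {"admin", "signer"}              # need a hardware key
MFA_REQUIRED_ROLES = PRIVILEGED_ROLES | {"vpn", "email", "remote"}


def mfa_gaps(accounts):
    """Return (user, reason) for each account that fails the MFA expectation."""
    gaps = []
    for acct in accounts:
        roles = set(acct["roles"])
        if not roles & MFA_REQUIRED_ROLES:
            continue  # role carries no MFA requirement under this policy
        method = acct["mfa"]
        if method not in ACCEPTABLE_MFA:
            gaps.append((acct["user"], f"no acceptable MFA (has {method!r})"))
        elif roles & PRIVILEGED_ROLES and method not in STRONG_MFA:
            gaps.append((acct["user"], f"privileged role without hardware key (has {method!r})"))
    return gaps


def edr_gaps(endpoints):
    """Hosts with no EDR agent; antivirus-only hosts count as gaps."""
    return [e["host"] for e in endpoints if not e["edr"]]


def patch_sla_status(findings, as_of):
    """Return (id, status, days_open) per finding, measured against the severity SLA."""
    out = []
    for f in findings:
        deadline = f["found"] + timedelta(days=PATCH_SLA_DAYS[f["severity"]])
        if f["fixed"] is None:
            days_open = (as_of - f["found"]).days
            status = "overdue" if as_of > deadline else "open_within_sla"
        else:
            days_open = (f["fixed"] - f["found"]).days
            status = "fixed_within_sla" if f["fixed"] <= deadline else "fixed_late"
        out.append((f["id"], status, days_open))
    return out


def evidence_report(accounts, endpoints, findings, as_of):
    """Aggregate the three checks; 'ready' is False while any hard gap remains."""
    sla = patch_sla_status(findings, as_of)
    report = {
        "mfa_gaps": mfa_gaps(accounts),
        "edr_gaps": edr_gaps(endpoints),
        "patch_sla": sla,
        "overdue_findings": [fid for fid, status, _ in sla if status == "overdue"],
    }
    report["ready"] = not (report["mfa_gaps"] or report["edr_gaps"] or report["overdue_findings"])
    return report


def sample_report():
    """Run the checks over the constructed inventories as of AS_OF."""
    return evidence_report(ACCOUNTS, ENDPOINTS, FINDINGS, AS_OF)


if __name__ == "__main__":
    rpt = sample_report()
    for key in ("mfa_gaps", "edr_gaps", "patch_sla", "overdue_findings"):
        print(f"{key}: {rpt[key]}")
    print("underwriting-ready:", rpt["ready"])
```

Run against the constructed data it reports three MFA gaps (carol on SMS, dave with none, erin signing with TOTP only), one antivirus-only laptop, one high-severity finding open past its 14-day SLA and one medium finding fixed late; the late-but-fixed finding is kept in the timeline rather than treated as a gap, because what the underwriter asks for is the documented timeline itself. Each entry in the output is a remediation item to close before the renewal meeting, and the same report, re-run after remediation, is the written attestation the checklist asks for.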
6. DeFi and On-Chain Coverage: The Gap Standard Policies Cannot Fill
For DeFi protocols, DEXs, and on-chain applications, standard cyber insurance policies have a fundamental limitation: they were not designed for assets that exist as entries on a public blockchain. Smart contract exploits, oracle manipulation, flash loan attacks, and bridge failures result in on-chain token losses — not the data breach or system compromise scenarios that traditional cyber policies are built around.
The Cetus Protocol case in May 2025 illustrated both the gap and an alternative path. The $223 million exploit on Sui involved smart contract logic manipulation using spoof tokens. A standard cyber policy would have provided no coverage. But the DeFi community’s governance mechanisms — freezing $162 million in funds and relaunching within 17 days — functioned as a form of community-backed recovery that no insurance product had to provide.
The dedicated on-chain insurance alternatives for DeFi firms include protocol-level coverage from platforms including Nexus Mutual, Sherlock, and InsurAce, which offer parametric and discretionary coverage for smart contract failures, oracle attacks, and custody failures. These operate fundamentally differently from traditional insurance — coverage is triggered by on-chain conditions rather than claims assessments — and they have coverage limits significantly smaller than the losses seen in major 2025 incidents.
The honest assessment for DeFi founders: no single insurance product currently covers the full risk surface of a serious on-chain protocol at meaningful scale. The risk management strategy for DeFi in 2026 is layered — smart contract audits, bug bounties, formal verification, protocol-level parametric cover for sub-limits, and sufficient treasury reserves to absorb a worst-case scenario. For deeper analysis of where on-chain parametric insurance is heading, the intersection with the broader crypto regulatory environment under the CLARITY Act 2026 is increasingly relevant — licensing requirements for DeFi operators create compliance obligations that interact directly with insurability assessments.
Sources
TechCrunch — $2.72B Stolen in Crypto 2025
Decrypt — 2025’s Biggest Crypto Hacks
Chainalysis — Crypto Hacking 2025 Report
Founder Shield — Cyber Insurance in 2026
Insurance Thought Leadership — Exclusions 2026
Wiley Law — 7 Predictions for Cyber Insurance 2026
Infosecurity Magazine — State of Cyber Insurance 2025
American Bar Association — Cyber & Data Privacy Insurance 2025
MIS Solutions — Cyber Insurance Requirements 2026
Disclaimer: This article is for informational and educational purposes only and does not constitute legal, financial, or insurance advice. Cyber insurance policy terms vary significantly between carriers and jurisdictions. All figures are sourced from named industry reports and publications as of March 2026. Consult a qualified insurance broker and legal counsel before making coverage decisions for your organisation.