Curv announces cryptocurrency insurance partnership with Munich Re

Today, Curv announced our insurance partnership with Munich Re, covering up to $50M of digital assets for customers of our institutional wallet service. Below, we elaborate on our announcement to explain what is insured, how it works and what we believe this means for the digital asset industry.

To date, our industry has created a narrative that the only way to securely hold digital assets is in offline cold storage. While it is easy to understand how this narrative emerged given the major losses we have witnessed in the last few years, it is our assessment that this cold storage-centric security approach is actually less secure on the whole compared to Curv’s model, and limits the use cases, applications and overall adoption of digital assets at scale.

Our mission at Curv is to enable institutions to store and use digital assets securely and seamlessly. We view this insurance milestone as a major validation of our wallet service and specifically our cloud based, cryptographically-enforced and distributed signing mechanism.

Our insurance carrier’s confidence in our security model, following a rigorous due diligence process, resulted in their decision to create a new product specifically to support our customers. And while we anticipate that no customer of ours should ever have to file a claim on our service, they can now have the peace of mind that comes with yet another layer of protection for their assets.

What is insured?

A primary insurance carrier of Munich Re Group, which is a S&P AA- rated international insurance company, is insuring Curv in the case of an external cyber breach or malicious behavior by Curv or one of its employees. Customers of Curv’s platform have to opt-in to the insurance backed service at an additional cost based on the amount of assets they are managing through the platform.

How does it work?

Curv offers a cloud-based wallet-service for institutions. We use a cryptographic mechanism, based on MPC (read more here), that eliminates the private key altogether. Since there is no private key involved in the signing mechanism, there is no private key to insure.

By eliminating the private key and adopting a cloud-based model, Curv vastly reduces the overall risk profile of digital asset operations and enables real-time access to assets. With Curv, there are no more hot and cold wallets, but instead a universally accessible wallet that is governed by cryptographically-enforced corporate policies and controls.

To sign a transaction, both Curv and our customers independently store and secure shares that allows us to jointly sign transactions. Curv only signs transactions in accordance with the corporate policy that our customers independently create and control. Should an attacker gain control over a share (either ours or our customer’s), it is cryptographically insignificant in terms of their ability to sign an illicit transaction.

This is where Curv’s insurance backed wallet service and insurance model advances beyond the current industry standard. For a cyber attacker to be successful, they would need to obtain both Curv’s shares and our customer’s at the same moment in time. Due to Curv’s design and the continuous and automated rotation of shares, this event is extremely unlikely. It is also important to note that a breach of one customer and Curv will never affect any other customers’ wallets and funds.

Even in an extreme scenario where both networks’ shares were somehow simultaneously compromised and a transaction were initiated outside of the corporate policy, Curv’s insurance would kick in to cover the loss*.

Is there a catch?

No. But it is important for customers to understand that it is up to them to manage their institution’s risk profile by setting appropriate corporate policies about who can transfer funds, when and for how much. For example, if the corporate control set up by the customer’s administrators on the Curv platform are too loose, a rogue employee or fat finger could trigger an unwanted transaction. Because it could be in-line with the corporate policy configured by their administrators, Curv will recognize it as valid and our insurance won’t cover the loss.

As long as appropriate steps are taken, an institution can directly control their risk profile and update it as needed.

What steps did Curv take to obtain the policy?

Munich Re has conducted a rigorous due diligence process to assess Curv’s cryptography, cloud deployment, architecture, security model, and code, and validated the threat model and risk structure. In December of 2018, Munich Re conducted an on-site risk assessment of the Curv platform in Tel Aviv.

Curv’s advantages and key features

  • Curv replaces the need for separate hot and cold insurance policies with one simple policy that covers storage and transaction signing.
  • Policy exclusions are transparent and simple to understand.
  • Curv customers have visibility into what portion of their funds fall under the insurance protection that is in place for Curv. For example, when a provider purchases insurance, they are usually insuring their entire assets under management. This means that should the service provider incur a loss, a customer would only be reimbursed for their percentage of the total assets that are insured.
  • Customers benefit from out-of-the-box insurance with no need for additional audits or interviews, while retaining full control of their assets.

What’s next?

In the future, we see the industry moving towards signing mechanisms that are done primarily off-chain. Beyond security, there are other benefits to this approach that include assurance, privacy, and auditability.

Private keys that are managed in a hot or cold environment at an institutional level are doomed for failure, as we have seen repeatedly in the past few years. They create various types of cyber risks and operational complexity. In a world that will likely include many types of digital assets, smart contract platforms, and blockchains, Curv is committed to creating the simplest and most secure solutions in the world for institutions.

As in any insurance policy, restrictions and limitations apply. Customers should contact Curv to get a detailed description of the policy. A copy of the Munich Re insurance policy can be provided upon request. Curv is not an insurer nor an insurance broker.