Coinbase surprises with news of a year-old deposit insurance program, but what of its cold storage?

By Michael Carney, written on August 28, 2014

From The News Desk

Coinbase dropped a bombshell on the bitcoin world yesterday by revealing that not only are its bitcoin deposits insured, but they have been so for more than a year. This after months of competitors listing insurance as a differentiating feature. The company wrote in a blog post:

We’re proud to publicly announce that Coinbase holds insurance against theft or loss of its bitcoin. We’ve been insured for almost a year, but given the recent claims of insurance in the industry, thought it was appropriate to tell our users about it. Our users, of course, won’t be charged for this insurance.

While Coinbase’s latest announcement is undeniably good news, the details of the insurance protection demand further analysis. First, the company specifies that it is insured against “losses due to breaches in physical or cyber security, accidental loss, and employee theft,” but not “bitcoin lost or stolen as a result of an individual user’s negligence.” Fair enough.

The caveat to what has thus far been all good news is that Coinbase’s insurance only covers deposits held in its online wallet, or “hot wallet.” This means that the company’s offline deposits, “cold storage,” or vault are not insured. Cold storage could be thought of as a bank holding cash or gold reserves, except in the case of bitcoin, it means (hopefully encrypted) hard drives and occasionally even paper printouts of data corresponding to bitcoin deposits. These assets are typically stored in a secure facility, of unknown location, and often have round-the-clock security.

Coinbase likely holds just three to five percent of all deposits in its online wallet at any time, which means that 95 to 97 percent of all deposits would be uninsured. But is this a bad thing? The answer to that question depends on the reliability of the company’s security procedures pertaining to its offline storage and the faith that consumers have in Coinbase to make them whole should something go wrong.

Surely, the most vulnerable portion of any bitcoin company’s assets is that which is connected to the internet, and thereby subject to remote attacks. The prospect of locating and then breaching the security of an offline storage facility is a far more demanding task, but it’s not impossible. Mt. Gox, for example, lost deposits in both its hot wallet and cold storage, but we do not yet know if that was a result of incompetence, fraud, or simply an impressive feat of hacking. Had Mt. Gox’s online deposits been insured at the time of its security breach, the exchange would have still lost more than 800,000 uninsured bitcoin, worth several hundred million dollars.

The challenge with securing and insuring offline deposits is that they are very difficult to monitor in real-time, and will require regular manual audits to verify their existence. It’s little surprise that insurers are not yet comfortable with this arrangement, given the nascency of crypto-currencies. In fact, the only precedent is the Mt. Gox fiasco, a memory that is sure to give any underwriter nightmares.

Coinbase goes out of its way to compare its newly revealed insurance coverage with that of its (unnamed) competitors. Not surprisingly, the company believes that it comes out ahead, writing:

Some bitcoin wallets may claim to be “fully insured” while not working with accredited carriers or outright self-insuring. Others may be able to claim “fully insured” at the moment because their number of bitcoin stored are so low that a small insurance policy happens to cover everything until they grow.

Of course, given this setup, it should come as no surprise that Coinbase works with accredited carriers. The company “teamed up with Aon, the world’s largest insurance broker, and only use underwriters with high credit ratings,” its blog states.

While not stated explicitly, the veiled pot shots above appear to be aimed at Xapo (self-insured) and Circle (fully insured, but nominal deposits). Neither of these strategies is a permanent solution, but then again, insuring only your hot wallet as Coinbase does is also less than ideal. It’s a fair bet that all three of these leading bitcoin companies are aware of and working to address their shortcomings, including Coinbase seeking to insure its cold storage sooner rather than later.

The good news for consumers with regard to all three companies is that each is heavily funded – Coinbase has raised $32 million, Xapo $40 million, and Circle $26 million – backed by top-tier investors, and led by capable and well-respected founders. None of this is a guarantee against weak security measures or rogue employees, but as far as recipes for trust go, you couldn’t ask for much more in the startup world.

It’s common for hardcore bitcoin users to refuse to allow any third party to take custodianship over their deposits, preferring instead to secure their own online and offline storage. And it’s true, Coinbase (like Xapo and Circle) goes against bitcoin’s fundamental tenet of decentralization. But for bitcoin to truly cross the chasm and become a mainstream financial tool, trust and ease of use will be paramount.

Each of these companies has made major progress toward lowering the barriers to entry for new bitcoin users, including through offering familiar and approachable user experience designs. Insurance is the next key piece of this jigsaw puzzle. For sure, some insurance is better than no insurance, and Coinbase’s coverage appears as legitimate as any in the ecosystem today. There remains room for improvement across the board, but the bottom line is consumers should have more peace of mind, not less, as a result of today’s announcement.