The usual conversations are taking place about what new regulations need to be enacted to prevent another FTX. While it is obvious something needs to happen, experience makes clear that the current regulatory regime is not well equipped to prevent these events. Indeed, even if the Securities and Exchange Commission, for example, did have the knowledge and agility required to adequately regulate Web3, its reach extends only to the limits of its jurisdiction and, as we have seen with the Bahamas-based FTX, that reach was too short by about 150 miles.
As founders of the first crypto and blockchain infrastructure insurance company, we suggest regulator-required insurance as a market-oriented means of preventing the damage caused by crypto exchange insolvency and related catastrophic events.
Just as auto insurance has led to safer cars involved in fewer and less-damaging accidents, requiring crypto-asset exchanges to undergo a rigorous underwriting process to become and remain insurable will make insolvency events much less likely to occur, while reducing the damaging reverberations that follow if they do.
There is extensive precedent for the federal government and its regulatory agencies encouraging and often requiring companies providing critical infrastructure to secure insurance, particularly those covering rapidly evolving risks which statutes struggle to keep up with.
When discussing opportunities for the federal government to work with the private sector in reducing terror threats, then-Secretary of the Department of Homeland Security Michael Chertoff said, “Sometimes it's a question of letting the private sector find a coordinated way to make sure people can operate in a consistent manner across the board. Sometimes we can ... be a little bit more vigorous in using market-based incentives; working with the insurance industry, for example, doing other things to take advantage of the energy of the marketplace.”
Though much differentiates cyber and crypto insurance, the shared network security component makes cyber insurance a useful reference point. Here, regulators have gone to great lengths to encourage internet companies to carry cyber coverage, the benefits of which were very elegantly observed by the Obama Administration in the report, "Cyber-Insurance Metrics and Impact on Cyber-Security": “Insurers will require a level of security as a precondition of coverage, and companies adopting better security practices often receive lower insurance rates. This helps companies to internalize both the benefits of good security and the costs of poor security, which in turn leads to greater investment and improvements in cyber-security.”
A rigorous underwriting of an entity the size of FTX would have required an active and independent board of directors as a condition of insurability.
The underwriting process would also include a review of the histories of key personnel, accounts and associated crypto wallet addresses to ensure that only reputable people are involved, reserves are sufficient and assets are present. This likely would have resulted in FTX selecting a chief compliance officer better suited to the job.
Finally, the underwriting process would examine the exchange’s policies to ensure that customer and institutional funds are thoroughly segregated, such that the former’s funds can’t be used to settle the latter’s debts or finance their own trading. This would also see that assets are returned to their owners in case of insolvency.
Admittedly, the FTX terms and conditions did segregate account holder funds, though it appears that’s not how they were treated. If active deception is the goal, neither insurance nor regulation can prevent that.
The pervasive libertarian ethos in the Web3 world always results in strong reactions to talk of further government regulation. But avoidable losses or failures, particularly at the scale of an FTX, hurt the cause of broad-based adoption of blockchain technology with its many benefits of improved transparency, transactional friction, resilience and censorship resistance. We believe that regulator-required insurance is the kind of agile, responsive and precise market-based solution that the Web3 community will accept and needs in order to allow present and future users, builders, participants and even regulators to view the sector with the confidence it deserves.