In this multi-part series, The InsurTech Lawyer shares some thoughts on the opportunities for insurers in the Metaverse. Originally presented at the Association Internationale de Droit des Assurances (AIDA) conference in Zurich, 6-7 October 2022.
In Part 1 (Introduction), we introduced the idea of insurers playing in the Metaverse. But what are some legal proceedings and potential liability issues already arising? We take a closer look in Part 2 today.
Legal proceedings involving crypto assets
The category of liability that has seen the most litigation relates to crypto assets, particularly cryptocurrencies. While cryptocurrency is just one area of Web 3.0, it is fundamental to its existence. Web 3.0 technology relies on public blockchains, the same blockchains that facilitate cryptocurrency, and it is these cryptocurrencies that facilitate transactions. Lawsuits involving cryptocurrency are generally but not exclusively investor-led class actions, alleging negligence, misleading and deceptive conduct or violation of securities laws.
Directors’ and officers’ (D&O) cover?
D&O insurance has come a long way since its origins in the 1930s. As technology has evolved, so have the risks that directors are exposed to when undertaking their duties. The exposure of directors to liability refers to the risk of a claim for a penalty or compensation or some other form of relief being made by a third party against a director personally. The third party claimant may on occasions be the director’s corporation, fellow officers or a statutory body such as a regulator, in Australia the Australian Securities and Investments Commission (ASIC) or the Australian Competition and Consumer Commission (ACCC).
There are generally three ‘sides’ of cover offered, sides A, B and C. Side A provides direct indemnification of directors and officers for claims made against them. Side B reimburses the company for indemnification it has provided to the directors (eg pursuant to a deed of indemnity). Side C covers breaches of securities laws. It is the cover that generally responds to securities class actions.
There are a number of duties, both at common law and arising under statute, that directors of corporations must observe. These include the duties to exercise their powers with due care and diligence, in good faith, in the best interests of the corporation and for a proper purpose. Additionally, directors have a duty to avoid conflicts of interest, and must not use their position to improperly gain an advantage for themselves or disadvantage the corporation. Due to increasing public scrutiny and government pressure placed on companies and directors, it now seems that directors, in performing their duties, are expected to consider more than just the most effective ways to legally maximise shareholder wealth.
Online operations brought by Web 2.0 exposed companies and their boards to cyber risks, with cyber security now front of mind for many boards. The Governance Institute of Australia wrote that cyber-security class actions are a ‘ticking time bomb’ for directors, recognising the immense impact of cybercrime on Australian corporates. In recent times, numerous securities actions have been filed alleging negligence in cybersecurity that has resulted in data breaches, business interruption or both. Some notable proceedings include the shareholder class action against SolarWinds and its directors, alleging they failed to monitor cybersecurity risks ahead of a major software breach that impacted thousands of customers, and also a proposed class action against telecommunications provider Optus for a data breach that affected over 9.8 million Australian customers.
While Web 3.0 is still in its infancy, early signs suggest that Web 3.0 will be no different in changing the liability landscape for D&O and cyber insurance.
The United States presently holds the record for the largest number of cryptocurrency related legal proceedings. In part, this is due to the regulator (the Securities and Exchange Commission (SEC)) taking enforcement action in relation to Initial Coin Offerings (ICOs), alleging such ICOs are securities and were unregistered with the regulator. This inevitably leads to legal proceedings against exchanges involved in trading such cryptocurrencies, and where investors have suffered losses, investor-led class actions often follow.
This phenomenon has perhaps been fuelled by the SEC, and other securities regulators around the world including ASIC in Australia, deciding not to release definitive guidance on whether cryptocurrencies are securities. Governments have been slow to regulate this area, instead waiting to see whether cryptocurrency is a ‘fad’ or opportunity. The uncertainty has, not surprisingly, led to some taking a less conservative approach, instead rolling the dice on a high-risk, high-reward strategy in launching cryptocurrencies or establishing exchanges.
Unfortunately, the high-risk, high-reward strategy has also led to some significant consumer detriment, with some crypto companies collapsing, leaving billions of consumer dollars never to be seen again. It is also becoming increasingly apparent that cryptocurrency related lawsuits increase when the market experiences a downturn, as the value of investors’ assets plummets. The 2022 cryptocurrency bear market has led to a spike in cases.
While plaintiffs’ lawyers can be creative in their pleadings, the types of claims raised to-date typically fall into three categories:
1. violation of securities laws;
2. misleading and deceptive conduct;
Violation of local securities laws
As mentioned above, violation of local securities laws is the most common type of legal proceeding to-date in the United States. Generally, the pleadings allege that the crypto company has issued or sold unregistered securities in violation of United States securities legislation. This may be because legislation provides a private right of action for investors of a security, and so it is in investors’ interests to seek a declaration that the crypto assets are securities. In determining whether something is a security, the leading test is the Howey test, named after the case in which the test was set out: Securities and Exchange Commission v. W. J. Howey Co., 328 U.S. 293 (1946). To satisfy the Howey test, the pleadings must show that:
a) there was an investment of money;
b) the investment was for a ‘common enterprise’;
c) investors expected profits; and
d) profits were expected to be derived from the efforts of others.
The Howey test has been used to determine that some cryptocurrencies are indeed securities. However, the opposite is also true and some cryptocurrencies including Bitcoin have been held not to be securities because they do not pass the Howey test.
The Ripple litigation, which is still ongoing, highlights these issues. Such cases are significant for the cryptocurrency market as a whole because the characterisation of one token has the ability to impact a large number of similarly issued tokens. Furthermore, tokens are often the basis for blockchain operations. An adverse ruling could pose an existential threat to the tokens and the blockchain operations that they facilitate.
The most closely watched litigation in this space is possibly the Securities and Exchange Commission’s prosecution of Ripple Labs, Inc. (Ripple). Ripple Labs operated a payment network that allowed financial institutions to transfer money more quickly, utilising the XRP cryptocurrency. It is estimated Ripple owns approximately 60% of all XRP. XRP is an intermediate currency used so that institutions do not need to hold deposits in foreign currency. However, like a number of cryptocurrencies, XRP is not minable because it does not use a proof-of-work consensus algorithm. This distinguishes XRP from other well-known cryptocurrencies such as Bitcoin. There is also a maximum supply of XRP.
The Ripple litigation was commenced by the SEC on 22 December 2020, alleging that Ripple and two of its executives raised over $1.3 bn through an unregistered digital asset securities offering. In summary, the allegations are that:
a) Ripple raised funds through the sale of the XRP token, in an unregistered securities offering to investors;
b) Ripple distributed billions of XRP in exchange for labor and market-making services; and
c) the two executives effected personal unregistered sales of XRP totalling $600 million.
In addition, there are class action proceedings that have been brought by XRP purchasers claiming that XRP is a security under federal securities laws. Both the purchasers and the SEC allege the offering of XRP ought to have been registered with the SEC and complied with federal securities laws.
In defence, Ripple puts forward a number of arguments, including that:
- XRP holders cannot acquire any claim to the assets of Ripple and do not have an ownership interest in Ripple;
- XRP holders do not receive a portion of Ripple’s revenue or profits;
- Ripple has never held an ‘initial coin offering’, and has never offered future tokens to raise money;
- Ripple did not promise any profits to any XRP holder;
- there is no relationship between Ripple and most XRP holders, as most of them purchased XRP from the open market;
- the XRP ledger is completely decentralised;
- XRP’s price has no relation to Ripple’s activities and is determined by market forces; and
- Ripple does not pool proceeds of XRP sales in a ‘common enterprise’.
At the time of writing, Ripple is seeking summary judgment in an effort to finalise the legal proceedings without a trial. Evidently, whichever way it goes, the judgment may provide important guidance as to whether cryptocurrencies such as XRP are considered securities in the United States. For Ripple, the decision may either mean it can continue its business or it may have the more drastic consequence of requiring its business to shut down altogether.
Nonetheless, the case to-date highlights a few things of importance for financial lines insurers around the world that may be seeking to insure companies that have similar exposures. The company, and its directors and officers, can be subject to severe penalties. The main points illustrated by this case are that:
- a cryptocurrency can be issued by any company;
- the technical specifications are defined by the developer coding it; and
- a detailed technical analysis is required to form a view on its characterisation.
In the Ripple litigation, the technical aspects of XRP have featured heavily, including the way in which XRP was sold, the way it was used (to transact forex transactions), and the extent to which it was decentralised. It is evident that while XRP was traded on a decentralised public blockchain, it was not fully decentralised in that the blockchain is owned by a private company.
Until the SEC provides some more definitive guidance on whether tokens are securities, or law reform takes place that provides certainty on characterisation, then it is likely we will continue to see such litigation take place in the United States.
Misleading and deceptive conduct & negligence
Coinbase consumer litigation
While the Ripple litigation concerned the issuer of a token, exchanges are also a critical component of the Web 3.0 ecosystem. Crypto exchanges facilitate the transfer between the real and the virtual. Many exchanges operate in a grey area, contributed to by regulatory uncertainty, and are largely unregulated. However, this has not affected the proliferation of crypto exchanges, with over 1500 exchanges around the world.
The Coinbase consumer litigation, currently ongoing, highlights the potential issues that may arise out of providing exchange services. In August 2022, a class action proceeding was filed in the United States District Court, Northern District of California against major crypto exchange Coinbase, alleging failures in its security system that exposed users’ accounts to hacking thefts. The case essentially pleads that:
- Coinbase advertised its platform as secure, using phrases such as ‘best in class storage’, ‘your assets are protected’ and ‘industry-leading security’;
- Coinbase represented that it was ‘the only crypto exchange to have never been hacked’;
- Coinbase disclosed to investors that it provided ‘bank-level security’ and that its co-founder and CEO Brian Armstrong explained that the reason for such representations was that it created a ‘competitive moat’ to secure a competitive advantage;
- that those representations relating to security were untrue because Coinbase had been hacked several times, it was aware of a security vulnerability in its platform that allowed hackers to access detailed account information, and the security updates it may have made in 2021 were insufficient to prevent funds being stolen by hackers in subsequent years;
- the plaintiff was the subject of a number of hacking thefts for the $200,000 of bitcoin it held and Coinbase was unable to prevent the hack despite the plaintiff’s reasonable efforts to notify Coinbase;
- Coinbase refused to compensate the plaintiff; and
- the disclaimer of liability in the Coinbase user agreement was unconscionable and unenforceable.
The lead plaintiff pleads numerous causes of action, including negligence in maintaining, controlling and protecting customer funds, as well as misleading representations.
While this class action has topped headlines because Coinbase is the largest crypto exchange in the world, any crypto exchange could find itself in this position. In Australia, negligence and misleading and deceptive conduct claims are not uncommon against financial services providers, in both regulatory proceedings as well as private actions. Such claims may fall for cover under professional indemnity / civil liability insurance policies.
At the time of writing, the case has only just been filed. However, some key issues emerge that are worthy of further consideration by insurers and their insureds:
- it is tempting for exchanges to seek a competitive advantage over others by representing their security credentials. Hacking thefts are the most significant vulnerabilities for exchanges and a real question arises whether it is prudent to advertise security credentials and risk a misleading and deceptive conduct claim. Whether underwriters will review or impose conditions on representations made remains to be seen although market evidence suggests that public disclosures are reviewed when considering whether a prospective insured is an acceptable underwriting risk;
- technical specifications are important. While an exchange might be able to make some representations relating to security, broad statements such as ‘never been hacked’ or ‘bank-level security’ that are difficult to justify may not be useful. Technical specifications such as ‘we use multi-factor authentication’ may be lower risk from a liability standpoint;
- the actual security processes must be of an appropriate standard. While the matters raised in the Complaint are allegations yet to be tried, having appropriate and fit for purpose security measures not only to prevent, but mitigate, hacking thefts may be an essential ingredient for crypto exchanges due to the environment in which they operate. However, the standard at which this must be performed to avoid being considered negligent is presently unclear. In the Coinbase class action, the plaintiff was unable to reach a real person at Coinbase during the 49-minute hack whereby his Coinbase account was drained; and
- consumer protection laws may apply to unfair disclaimers. For example, Australian legislation can render void a term of a standard form contract that is unfair.
While a decision is yet to be handed down, the Coinbase consumer litigation is an example of a typical claim involving crypto where professional indemnity insurance, covering negligence and misleading and deceptive conduct, might respond. Crypto exchanges still seek insurance from traditional CeFi insurance providers. The risks are heightened in crypto because of market volatility and use of new, untested technology. For example, a product or service provider might want to talk about expected returns when speaking with investors or when advertising a particular service on its website. High levels of market volatility mean it is virtually impossible to know whether the promised rate of return will be met and such representations could lead to claims of misleading or deceptive conduct.
Proposed regulation of crypto service providers such as exchanges may also lead to greater scrutiny in this area. Regulation typically imposes minimum standards on service providers. In Australia, minimum standards on financial services licensees include obligations to act efficiently, honestly and fairly, and when providing personal financial product advice, to act in the best interests of the client. If standards imposed by regulation are not met and lead to customer losses, there is a prima facie case against the service provider. In Australia, regulatory action against financial services providers continues to lead to significant claims on professional indemnity insurance policies and has led to some major insurers exiting the market altogether. Some have described financial services as a ‘loss-making sector’ for professional indemnity insurance.
Accordingly, it will be important for any proposed regulation to balance the needs of consumer protection and minimum standards with the practicalities of offering crypto related services, taking into account its emerging nature and the fact there are still many unknowns relating to its characterisation and even technology itself. An over-zealous regulatory regime may have unintended consequences, making it unsustainable for crypto businesses to operate either due to overly onerous compliance costs and/or threat of litigation from users or authorities.
Coinbase securities class action
In addition to the Coinbase consumer litigation described above, which is an example of the emerging professional indemnity risks arising from providing crypto related services, the Coinbase securities class action provides some insight into potential Side C exposure under D&O insurance policies. As described above, Side C covers breaches of securities laws. It is the cover that generally responds to securities class actions.
The legal characterisation of cryptocurrencies is not settled, partly due to an absence (for now) of regulation. Accordingly, meaningful clarity is still some time away. While the legal nature of cryptocurrencies continues to be in a state of flux, so are the risks to directors and officers of companies dealing in it.
The Coinbase securities class action, Patel v. Coinbase Global, Inc., No. 22-cv-04915 (D.N.J.), was filed on 4 August 2022 in the United States District Court, District of New Jersey against Coinbase and two of its directors. The securities class action covers all persons and entities that purchased or otherwise acquired Coinbase securities between 14 April 2021 and 26 July 2022 and alleges breaches of federal securities laws. The allegations set out in the Complaint include that the defendants made materially false and misleading statements in relation to, and/or failed to disclose, that:
- Coinbase custodially held crypto assets on behalf of its customers, and knew or recklessly disregarded that they could qualify as property of a bankruptcy estate;
- This meant that those assets may potentially be subject to bankruptcy proceedings in which Coinbase customers would be treated as general unsecured creditors;
- Coinbase allowed users to trade digital assets that it knew or recklessly disregarded should have been registered as securities with the SEC;
- the above conduct subjected the company to heightened risk of regulatory and governmental scrutiny and enforcement action;
- Coinbase’s public statements were materially false and misleading; and
- led the plaintiffs to significant losses and damages.
A relevant disclosure was made to the markets after they closed on 10 May 2022, where Coinbase disclosed a new bankruptcy related risk factor in its quarterly report:
‘Moreover, because custodially held crypto assets may be considered to be the property of a bankruptcy estate, in the event of a bankruptcy, the crypto assets we hold in custody on behalf of our customers could be subject to bankruptcy proceedings and such customers could be treated as our general unsecured creditors. This may result in customers finding our custodial services more risky and less attractive and any failure to increase our customer base, discontinuation or reduction in use of our platform and products by existing customers as a result could adversely impact our business, operating results, and financial condition.’
It is alleged that following the disclosure Coinbase Class A common shares fell $19.27 per share (26.4%) on 11 May 2022. Coinbase’s CEO then tweeted on the disclosure, stating that ‘We should have updated our retail terms sooner, and we didn’t communicate proactively when this risk disclosure was added. My deepest apologies, and a good learning moment for us as we make future changes.’
Unfortunately for Coinbase, the next few days also contained some unfavourable announcements. On 12 May 2022, a professor of law at Georgetown University Law Centre published a draft of an article arguing that in the event of a cryptocurrency exchange bankruptcy, custodial holdings of cryptocurrencies may be property of the bankrupt exchange and not property of its customers. On 25 July 2022, the Bloomberg news outlet reported that Coinbase was facing an SEC investigation as to whether it allowed users to trade digital assets that should have been registered as securities.
Coinbase Class A shares allegedly fell again by $14.14 per share (21.08%) on 26 July 2022.
Securities class actions are not new but the novel issues raised by the Coinbase securities class action highlight the potential risks that are unique to companies operating in Web 3.0. In this case, the uncertain treatment of crypto held in custody by Coinbase in the event of its bankruptcy is an issue not yet considered. It is likely there are other issues that may have a similar character due to technological issues not yet identified or legal issues that have not yet come up.
While legal uncertainty remains in respect of the characterisation of crypto assets, listed companies operating in Web 3.0 must employ prudent practices in relation to disclosure, even if this means disclosure of the legal uncertainty and potential legal characterisation in order to comply with continuous disclosure obligations. This is perhaps a greater issue for companies operating in Web 3.0 than traditional companies not only because of the current legal uncertainty around characterisation of crypto assets, but as more cases and regulations emerge, the legal position can rapidly evolve for one or many of these crypto assets.
Tim Chan is an insurance & insurtech lawyer at global law firm Norton Rose Fulbright and Founder of The InsurTech Lawyer blog. He regularly advises insurers and startups on emerging legal issues affecting the industry. Follow Tim on Twitter: @timinsydney
 Corporations Act 2001 (Cth) ss 181-183; Also see Ray Giblett, ‘A Fresh Look at Directors Duties – Taking into Account Social and Moral Responsibilities’ (2006) Presentation for NSW College of Law at p 1.
 Governance Institute of Australia, ‘Cyber-security class actions a ‘ticking time’ bomb for directors’ Vol 73(10) Journal: Governance Directions.
 Christopher Burgess, ‘SolarWinds breach lawsuits: 6 takeaways for CISOs’ (Web Page, 25 April 2022) <https://www.csoonline.com/article/3657874/solarwinds-breach-lawsuits-6-takeaways-for-cisos.html>.
 Josh Taylor, ‘Optus faces potential class action and pledges free credit monitoring to data-breach customers’ (Web Page, 26 September 2022) <https://www.theguardian.com/business/2022/sep/26/optus-faces-potential-class-action-and-pledges-free-credit-monitoring-to-data-breach-customers>.
 While the ASIC re-issued INFO 225 (October 2021) contains more guidance, earlier versions of the information sheet did not contain much detail. INFO 225 is also guidance only and is not legally binding. See <https://asic.gov.au/regulatory-resources/digital-transformation/crypto-assets/>.
 Josh Taylor, ‘Cryptocurrency ‘no passing fad’: minister warns against Australia being left behind’ (Web Page, 22 November 2021) <https://www.theguardian.com/technology/2021/nov/22/cryptocurrency-no-passing-fad-minister-warns-against-australia-being-left-behind>.
 Mackenzie Sigalos, ‘CRYPTO WORLD From $25 billion to $167 million: How a major crypto lender collapsed and dragged many investors down with it’ (Web Page, 17 July 2022) <https://www.cnbc.com/2022/07/17/how-the-fall-of-celsius-dragged-down-crypto-investors.html> and Ben Butler, ‘The search is on for $50m in lost cryptocurrency after two Australian exchanges collapse’ (Web Page, 12 December 2021) <https://www.theguardian.com/technology/2021/dec/12/the-search-is-on-for-50m-in-lost-cryptocurrency-after-two-australian-exchanges-collapse>.
 Michael Mendelson, From Initial Coin Offering to Security Tokens: A U.S. Federal Securities Law Analysis, 22 Stanford Technology Law Review (2019).
 U.S. Securities and Exchange Commission v. Kik Interactive Inc., No. 1:2019cv05244 (S.D.N.Y. 2020).
 U.S. Securities and Exchange Commission, ‘SEC Charges Ripple and Two Executives with Conducting $1.3 Billion Unregistered Securities Offering’ (Web Page, 22 December 2020) <https://www.sec.gov/news/press-release/2020-338>.
 Coffey v. Ripple Labs Inc., 333 F. Supp. 3d 952 (N.D. Cal. 2018) (No. 18-566271), which was dismissed, but other class action proceedings are on foot. See Zakinov v. Ripple Labs, Inc., 369 F. Supp. 3d 950 (2019) <https://cointelegraph.com/news/florida-class-action-lawsuit-alleges-ripple-violated-securities-laws>.
 See the Strike Order in SEC v Ripple Labs, Inc. available at <https://www.nysd.uscourts.gov/sites/default/files/2022-03/Ripple%20Strike%20Order.pdf>. Also see Stu Alderoty, ‘SEC Update – Preliminary Ripple Response’ (Web Page, 29 January 2021) <https://ripple.com/insights/sec-update-preliminary-ripple-response/>.
 Timmy Shen, ‘SEC, Ripple seek summary judgment in attempt to speed up XRP lawsuit’ (Web Page, 19 September 2022) <https://forkast.news/sec-ripple-seek-summary-judgment-in-attempt-to-speed-up-xrp-lawsuit/>.
 Blockspot, ‘List of Cryptocurrency Exchanges’ (Web Page) <https://blockspot.io/exchange/>.
 See in the United States District Court, Northern District of California, Manish Aggarwal and Others Similarly Situated v Coinbase, Inc. and Coinbase Global, Inc. (Complaint). Also see Khristopher Brooks, ‘Coinbase exposed user accounts to thieves, lawsuit claims’ (Web Page, 25 August 2022) <https://www.cbsnews.com/news/coinbase-lawsuit-george-kattula-hacker-georgia/>.
 See Division 2 Subdivision BA of the Australian Securities and Investments Commission Act 2001 (Cth) and Chapter 2 Part 2-3 of the Competition and Consumer Act 2010 sch 2.
 Corporations Act 2001 (Cth) s 912A.
 Corporations Act 2001 (Cth) s 961B.
 Chris Dastoor, ‘At capacity: Another major insurer exit further shrinks PI market’ (Web Page, 11 April 2022) <https://www.professionalplanner.com.au/2022/04/at-capacity-another-major-insurer-exit-further-shrinks-pi-market/>.
 Ibid. Also see Aon, ‘Professional Indemnity Insurance Market Insights – Q3 2018’ (Web Page) <https://www.aon.com/australia/insights/insurance-market-updates/2018/professional-indemnity-insurance-market-insights-q.jsp>.
 Judicial guidance is limited and is developing in cases where crypto assets have been the subject matter of otherwise usual legal proceedings. For example, in Bitcoin AA v Persons Unknown and others  EWHC 3556 (Comm), the English High Court concluded that bitcoin can constitute property under English law and is capable of being subject to proprietary injunction. In this case, the insurer was seeking an injunction to recover bitcoins it had paid on behalf of an insured in a ransomware attack. In Commodity Futures Trading Commission v. McDonnell, 287 F. Supp.3d 213 (E.D.N.Y. 2018), it was held that virtual currencies were commodities and subject to regulatory protections of the Commodity Futures Trading Commission because they were captured by the broad definition of a commodity as it was a ‘good exchanged in a market for a uniform quality and value’. In another case, Kimmelman v. Wayne Ins. Group Case No 18 CV 1041 (Ohio Com.Pl. 25 September 2018), it was held that for the purposes of a homeowners insurance policy, bitcoin was property and not money, and so was not subject to the sub-limit for money within the policy. This case was influenced by guidance from the IRS that for federal tax purposes virtual currency is treated as property.