
Crypto Custody Insurance Comparison: Coverage, Limits, Exclusions

Compare crypto custody insurance policies: what they cover, policy limits, exclusions, and which providers offer the best protection for digital assets.

Spark Team

Custody Insurance Overview

Crypto custody insurance protects digital assets held by a custodian against theft, cyberattacks, and insider fraud. Unlike traditional bank deposits, crypto holdings are not covered by FDIC or SIPC protection: if a custodian is hacked or an employee steals funds, insurance is the only financial backstop. For institutions allocating to digital assets, understanding what a custodian's policy actually covers (and what it excludes) is as important as evaluating the custodian's security architecture itself.

The crypto insurance market remains severely underpenetrated. Roughly 89% of global crypto holders have no insurance coverage at all, and total insured value represents a fraction of the roughly $3 trillion crypto market. The February 2025 Bybit hack, which resulted in approximately $1.5 billion in stolen ETH, underscored the gap between assets under custody and assets under coverage. This guide compares insurance across five major institutional custodians: Fireblocks, BitGo, Anchorage Digital, Coinbase Custody, and Copper.

For a broader comparison of custody platforms including features, supported assets, and pricing, see our crypto custody comparison tool.

Insurance Coverage Comparison

The following table summarizes the publicly disclosed insurance coverage for each custodian. Coverage amounts, underwriters, and policy structures vary significantly.

| Custodian | Coverage Amount | Underwriters / Brokers | Policy Type | Assets Covered |
|---|---|---|---|---|
| BitGo | $250M primary | Lloyd's of London syndicates | Specie (first-party property) | Cold storage (BitGo-custodied keys only) |
| Coinbase Custody | $320M crime policy | Aon (broker), Lloyd's syndicates + US/UK insurers | Commercial crime | Hot and cold wallets |
| Copper | $500M | Canopius (lead), Lloyd's syndicates via Aon | Specie (market-based) | Cold storage |
| Fireblocks | $30M (via Coincover) | A.M. Best "A"-rated carriers | Digital asset protection | Hot and cold (Fireblocks-custodied only) |
| Anchorage Digital | Not publicly disclosed | Aon (broker) | Crime insurance | Full lifecycle (hot, cold, in transit) |

Note: Coverage amounts are based on publicly available disclosures. Institutional clients often negotiate bespoke excess coverage beyond the base policy. Anchorage Digital does not publicly disclose its coverage limit.

What Custody Insurance Covers

Crypto custody insurance typically protects against a narrow set of perils directly related to the custodian's operations. The specific covered events vary by policy, but most institutional policies include some combination of the following:

  • Theft of private keys through external cyberattacks or hacking
  • Insider theft or dishonest acts by custodian employees
  • Fraudulent transfer of digital assets from custodian wallets
  • Physical destruction of private key material (cold storage devices)
  • Loss of assets during transfer between hot and cold storage

BitGo's policy, for example, explicitly covers copying or theft of private keys, insider theft by employees, and destruction of keys due to physical perils. BitGo also covers all deductibles, meaning clients bear no out-of-pocket cost on covered claims. Coinbase describes its $320 million policy as the largest commercial crime policy covering hot wallets of any digital asset exchange or custodian. Anchorage Digital's crime policy is notable for covering digital assets throughout their entire lifecycle: in hot wallets, in cold storage, and in transit between the two.

Common Exclusions

Understanding what custody insurance does not cover is critical. Exclusions represent the risks that remain with the asset owner regardless of the custodian's insurance policy. Based on publicly available policy documentation across these custodians, the following exclusions are common:

  • Market losses or price volatility of the underlying asset
  • User credential compromise: phishing, social engineering, or loss of login credentials by the asset owner
  • Protocol-level failures on the underlying blockchain network
  • Key mismanagement by the asset owner (sending to wrong address, losing personal keys in multi-sig setups)
  • War, acts of foreign enemies, terrorism, and radioactive contamination
  • Regulatory or government seizure of assets
  • Inventory computation or accounting errors
  • Breach of contract disputes between custodian and client
  • Losses when the custodian does not hold all keys exclusively (shared-key arrangements)

The Coinbase data breach of May 2025 illustrates a gray area in coverage. Rogue overseas support agents were bribed to steal data for approximately 70,000 customers, with estimated costs between $180 million and $400 million. While Coinbase's crime policy covers employee dishonesty, social engineering attacks that exploit support staff rather than cryptographic systems test the boundaries of standard policy language. Coinbase chose to reimburse affected customers directly rather than rely solely on insurance recovery.

For institutions using MPC wallets or threshold signature schemes where key material is distributed, the exclusion for non-exclusively-custodied keys is particularly important. If the client holds one key shard and the custodian holds two, the policy may or may not apply depending on exact wording.

Lloyd's of London and Crypto Insurance

Lloyd's of London syndicates are the backbone of institutional crypto custody insurance. Approximately 10 syndicates at Lloyd's have indicated willingness to evaluate crypto exposures, with roughly five possessing deep enough expertise to lead underwriting. The remainder participate as followers in insurance "towers."

A tower is the standard structure for large crypto custody policies. The lead underwriter (such as Canopius for Copper, or Arch Insurance for Evertas) takes the first portion of any loss. Additional syndicates stack above the lead, each covering a layer of excess exposure at progressively lower premiums. BitGo's policy structure exemplifies this: it has previously operated a $700 million tower consisting of $100 million in BitGo's name plus $600 million in excess coverage available on a loss-payee basis for dedicated client limits.

Key Lloyd's participants in crypto insurance include:

  • Arch Insurance: backs Evertas, the first Lloyd's coverholder specifically for crypto, offering up to $420 million per policy
  • Canopius: leads Copper's $500 million cold storage program
  • Atrium: created a liability policy specifically for theft from hot wallets
  • Beazley: participates in crypto risk underwriting across multiple syndicates

Most policies use the "specie" coverage form: first-party property insurance for valuable items in your care, custody, and control. This is the same form used for insuring gold bullion, fine art, and bearer instruments, adapted to digital assets.

Captive Insurance in Crypto

Captive insurance is a self-insurance mechanism where a company forms its own insurance subsidiary rather than purchasing coverage entirely from commercial markets. In crypto, captive structures have emerged because traditional insurers either cannot offer adequate coverage limits or charge premiums that erode custody economics.

Relm Insurance, based in Bermuda and regulated by the Bermuda Monetary Authority, is the leading specialty insurer offering captive solutions for digital asset companies. Relm provides a bankruptcy-protected, turnkey captive option that allows companies to participate in underwriting profits while maintaining regulatory compliance. In 2024, Relm launched Relm II, the first fully regulated collateralized reinsurance business that accepts both fiat and crypto as collateral.

Favorable regulatory domiciles for crypto captive insurance include Vermont (the top US captive domicile with a regulatory sandbox supporting blockchain experimentation), Wyoming (which allows insurers to hold digital assets in portfolios and recognizes DAOs as legal entities), and Bermuda. The advantage of captive insurance is customization: firms can tailor coverage to their specific risk profile, retain underwriting profits in low-loss years, and layer captive coverage with commercial policies to extend total protection.

SOC 2 Compliance and Insurability

SOC 2 (System and Organization Controls 2) certification demonstrates that a custodian maintains effective security controls. There are two levels: Type 1 evaluates control design at a single point in time, while Type 2 evaluates whether those controls operated effectively over a sustained period (typically 6 to 12 months). Type 2 is the standard insurers look for when underwriting crypto custody policies, as it provides evidence of sustained operational security rather than a snapshot.

| Custodian | SOC 2 Type 2 | Auditor | Additional Certifications | Regulatory Status |
|---|---|---|---|---|
| Fireblocks | Yes | Ernst & Young | SOC 1, ISO 27001/27017/27018/22301, CCSS Level 3 | Technology provider (not a bank) |
| BitGo | Yes | Deloitte (Type 1); annual renewal | SOC 1 Type II | OCC national trust bank |
| Anchorage Digital | Yes | Not disclosed | SOC 1 Type I/II | OCC federally chartered bank |
| Coinbase Custody | Yes | Not disclosed | SOC 1 Type II | NYDFS-regulated trust company |
| Copper | Claims adherence (not confirmed) | Not disclosed | ISO 27001, NIST CSF | Swiss VQF member; Abu Dhabi, Hong Kong licensed |

Copper's SOC 2 status deserves a closer look. While the company states it "adheres to the Trust Principles set out in the SOC 2 framework," this language is weaker than the explicit certification claims made by Fireblocks, BitGo, Anchorage, and Coinbase. Adherence to a framework and completion of a formal Type 2 audit are different things. Institutions should request evidence of the actual audit report.

For custodians that hold assets in HD wallet structures or manage keys across multiple environments, SOC 2 Type 2 provides assurance that controls around key generation, storage, and signing are consistently enforced. Insurers increasingly require SOC 2 Type 2 as a prerequisite for favorable terms.

How to Evaluate a Custodian's Insurance

When assessing a custodian's insurance coverage, focus on these factors:

Coverage scope and limits:

  • What is the per-incident limit versus the aggregate limit?
  • Does coverage apply to both hot and cold wallets, or only cold storage?
  • Does the policy cover assets in transit between storage environments?
  • Are there sub-limits for specific risk categories (insider theft versus external hack)?

Policy structure:

  • Is the coverage a blanket policy for all clients, or do individual clients have allocated limits?
  • Who pays the deductible: the custodian or the client?
  • Can clients purchase excess coverage beyond the base policy?
  • Is the insurer rated (A.M. Best, S&P) and are the underwriters named?

Exclusions and key-holding arrangements:

  • Does the policy cover assets where the client holds one or more key shards?
  • Are smart contract exploits or DeFi protocol failures excluded?
  • What happens if the custodian itself becomes insolvent: does the policy survive?

Institutions using self-custody solutions or hybrid models should verify whether their specific key-holding arrangement falls within the policy's coverage scope. For a deeper look at the tradeoffs between custodial and non-custodial approaches, see our research on self-custodial vs. custodial wallets.

Recent Developments

The crypto insurance market is evolving rapidly in response to major security incidents and regulatory changes:

  • The February 2025 Bybit hack ($1.5 billion in ETH, attributed to North Korea's Lazarus Group) was the largest crypto theft in history and accelerated institutional demand for custody insurance
  • Evertas, the first Lloyd's coverholder for crypto, raised its per-policy limit to $420 million, the highest in the industry
  • Munich Re expanded into staking risk insurance (slashing protection for proof-of-stake validators) and smart contract risk coverage
  • The FDIC proposed its first-ever custody and reserve standards for FDIC-supervised institutions providing crypto safekeeping (April 2026), though digital assets will not receive deposit insurance
  • Coinbase launched revamped retail insurance tiers through Coinbase One, offering up to $250,000 in coverage for individual users

The overall crypto insurance market was estimated at $9.49 billion in 2025, projected to grow to roughly $193 billion by 2033 at an 18% compound annual growth rate. Despite this growth, the gap between assets held in crypto and assets insured against loss remains enormous.

For institutions looking at Bitcoin-native custody with Spark, the insurance landscape for Layer 2 assets is still developing. As Bitcoin custody solutions mature, expect insurance products to expand beyond mainchain-only coverage to include Layer 2 protocols and Lightning channels. Understanding how custody insurance intersects with Bitcoin custody architecture is essential for institutions entering the space.

Frequently Asked Questions

Is crypto covered by FDIC insurance?

No. Digital assets held by any custodian, including those with national bank charters like BitGo and Anchorage Digital, are not covered by FDIC or SIPC insurance. The FDIC's April 2026 proposed rulemaking explicitly states that crypto assets will not receive deposit insurance protections. Custody insurance from private insurers is the only financial backstop available for digital asset holdings.

What does crypto custody insurance actually cover?

Most policies cover theft of private keys through external cyberattacks, insider theft by custodian employees, fraudulent transfers from custodian wallets, and physical destruction of key material. Coverage does not extend to market losses, user-side credential compromise, blockchain protocol failures, or regulatory seizure. The exact scope varies by policy: some cover only cold storage, while others cover assets across hot wallets, cold storage, and in-transit movements.

Which crypto custodian has the most insurance coverage?

Based on publicly disclosed figures, Copper holds the largest base policy at $500 million for cold storage assets, followed by Coinbase at $320 million (commercial crime) and BitGo at $250 million (primary specie coverage). However, base policy amounts do not tell the full story: institutional clients can negotiate bespoke excess coverage, and tower structures can extend total protection significantly. BitGo has previously operated a $700 million tower structure.

What is specie insurance for crypto?

Specie insurance is a first-party property insurance form originally designed for valuable physical items: gold bullion, fine art, cash in transit, and bearer instruments. In crypto, specie policies cover digital assets in the custodian's care, custody, and control. They typically protect against theft, destruction, and disappearance of the insured property. Lloyd's of London syndicates use this form for most institutional crypto custody policies, including those held by BitGo and Copper.

Does custody insurance cover smart contract hacks?

Generally, no. Standard custody insurance policies exclude protocol-level failures and smart contract exploits. However, specialized products are emerging: Munich Re now offers smart contract risk coverage through partnerships with crypto-native insurers. If your assets interact with DeFi protocols or are held in smart-contract-based MPC wallets, verify whether the custodian's policy explicitly covers or excludes smart contract risk.

What is captive insurance in crypto?

Captive insurance is a self-insurance structure where a company forms its own insurance subsidiary instead of relying entirely on commercial markets. In crypto, captive structures address the shortage of traditional coverage at reasonable premiums. Companies like Relm Insurance (Bermuda) provide turnkey captive solutions that let crypto firms customize coverage, retain underwriting profits, and layer captive protection with commercial policies. Favorable regulatory domiciles include Vermont, Wyoming, and Bermuda.

How does SOC 2 Type 2 affect crypto insurance?

SOC 2 Type 2 certification demonstrates that a custodian maintained effective security controls over 6 to 12 months, not just at a single point in time. Insurers increasingly require SOC 2 Type 2 before providing coverage or offering favorable premium rates. Among major custodians, Fireblocks (audited by Ernst & Young), BitGo (audited by Deloitte), Anchorage Digital, and Coinbase all hold SOC 2 Type 2 certification. Copper claims adherence to the SOC 2 framework but has not confirmed formal certification.

This tool is for informational purposes only and does not constitute financial or insurance advice. Coverage amounts, policy terms, and regulatory statuses are based on publicly available information and change frequently. Insurance policies contain specific terms, conditions, and exclusions not fully detailed here. Always request the custodian's certificate of insurance and review actual policy documents before making custody decisions.
