No, cyber insurance generally does not cover stolen crypto. A standard cyber policy carries a value-of-digital-asset exclusion that carves out the dollar value of the cryptocurrency itself, even while it pays for the breach response, forensics, and liability. The coins are treated as money rather than data, so their value sits outside the form.
The clearest way I have seen that play out came from a forensic read Coverwatch ran on a growth-stage payments company that custodied digital assets. The read turned up two policies that both carved out the exact loss the team feared, a theft of the coins. The cyber tower excluded the value of the held crypto. The crime policy covered only the company's own funds. The gap closed only once a dedicated specie layer was added on top. Here is why cyber excludes the value, why crime covers your own money rather than custodied client coins, and what a specie or digital-asset layer actually adds.
Key Takeaways
Cyber insurance generally does not cover stolen crypto: standard cyber forms carry a value-of-digital-asset exclusion that carves out the dollar value of the coins, even while covering breach forensics and liability.
A standard commercial crime policy insures the company's own money and securities, so it usually does not respond to customer crypto held in custody without a specie or digital-asset crime form.
Specie coverage insures the digital asset itself against theft of private keys, external hacking, and insider fraud, and is the layer that actually responds to a crypto loss.
Across a Coverwatch forensic read, a company can hold a full cyber tower and a crime policy and still have the value of its crypto uninsured until a dedicated digital-asset layer is added.
Does cyber insurance cover stolen crypto?
No, cyber insurance generally does not cover stolen crypto. A standard cyber policy responds to the breach itself, meaning the forensic investigation, the customer notification, and the third-party liability. It carries a value-of-digital-asset exclusion that carves out the dollar value of the cryptocurrency. Cyber forms are built around data, and crypto is classified as money, so the face value of the coins is excluded even when the hack that took them is covered.
The split gets concrete fast. A physical wallet or a hard drive can be covered as property, while the intangible crypto value living on it is not. As FounderShield puts it, "While a hard drive or physical wallet could be covered as property, the intangible value of the cryptocurrency on it is usually explicitly excluded." Some forms go further and exclude loss of private keys or loss of access outright.
The mechanism behind that exclusion is a classification call. A cyber form is built to protect data and respond to a network intrusion. The dollar value of an asset classified as money falls outside that intent. That is the reading Jones Day walks through when it points policyholders back to their other forms. The hack can be a covered event and the value of what was taken can still be excluded. In that payments-company read, the value-of-digital-asset exclusion was sitting in plain sight under a multimillion-dollar cyber limit, which is exactly where most teams never think to look.
Does crime insurance cover custodied digital assets?
Usually not by default. A standard commercial crime (fidelity) policy insures the company's own money and securities against employee theft and fraud, so it does not automatically respond to customer digital assets held in custody. Covering custodied client crypto takes a specie or digital-asset comprehensive crime form built for that exposure. A crime policy can be fully in force and still leave custodied coins uninsured.
That own-funds scope is the heart of the gap for any business holding customer crypto. The crime form guards the company's own cash and securities against an inside job or a fraud scheme. That is what Aon describes when it lays out crime cover built for cryptocurrencies. The customer coins on a custodian's books are a different animal, because they are third-party assets the company merely holds while owning none of them.
A few markets do offer a first-party "own-loss" crime structure that responds when a third-party custodian fails, which Munich Re sets out in its digital-asset protection program. That is a different shape than insuring the value of the held asset itself, and reading which one a policy actually grants is where a lot of programs go sideways. The same own-funds logic shows up in any commercial crime insurance form, which is built around the insured's own money before anything else.
What a forensic read of the policy actually turned up
On a forensic read of a payments company's program, Coverwatch found two named gaps standing between the business and the loss it feared most. The cyber tower carried a value-of-digital-asset exclusion, so the dollar value of the held crypto was carved out. The crime policy insured only the company's own funds, not the customer crypto in custody. For a theft of the coins, neither policy would respond.
The company itself was a growth-stage business custodying digital assets on its balance sheet. It came in assuming the obvious risk was covered, because two real policies were in force and both looked thorough on paper. Neither form was thin on its own coverage: the cyber form did its job on the breach side, and the crime form did its job on the company's own money. The single largest exposure, the value of the held coins, simply sat in the seam between them where no form was pointed.
That is the trap worth naming, and it is rarely a mistake anyone made on purpose. The danger is the quiet assumption that two in-force policies must between them cover the most obvious risk a crypto business runs. They often do not, and the only way to know is to read each underlying form for the exact carve-out. The gap closed here once a dedicated digital-asset layer went on top, and the same scope question comes up whenever a team runs a cyber insurance readiness checklist against a real program.
What is specie coverage for digital assets?
Specie coverage for digital assets insures the cryptocurrency itself against theft of private keys, external hacking, and insider fraud, which is the part a cyber or standard crime form leaves out. The specie market historically insured high-value physical items such as bullion, fine art, and jewelry held in vaults, and it extended to crypto as holders moved coins into cold storage. A digital-asset comprehensive crime or specie form is the layer that actually responds to a crypto loss.
What that layer adds over the two policies most companies already own is straightforward once the scopes are lined up. Cyber pays for the breach response. Crime pays on the company's own money. Specie or a digital-asset crime form pays on the value of the coins, whether they walked out through a stolen key, an external intrusion, or an inside hand. As Relm Insurance describes it, crypto-asset cover braids together elements of crime, cyber, and professional liability into one form built for the exposure.
The capacity behind it is real and institutional in scale. Crime limits for digital assets can run past $100M, and specie capacity for cold-storage holdings has reached into the high hundreds of millions, per the Aon capacity work and Lockton. (Treat those as market ranges, not a quote on your account.) The layer the payments company eventually added on top of its tower was exactly this: a digital-asset form sized to the coins it actually held.
How hot wallet vs cold wallet storage drives your coverage
How you store the keys drives both the limit and the rate on digital-asset coverage. Cold storage, meaning offline and air-gapped private keys, attracts the deepest capacity and the best pricing, because the keys are never exposed to the internet. Hot wallets, meaning online connected keys, carry sub-limits and tighter terms, since they are the more exposed target. Underwriters grade multi-signature schemes, withdrawal whitelisting, and key-management governance before they set a limit.
The reasoning is just exposure. Offline keys cannot be reached by a remote intrusion, so insurers extend the largest limits and the lowest rate against cold-stored coins. Online keys sit where the attacks land, so carriers cap hot-wallet losses and social-engineering scams with sub-limits, a pattern Lockton documents in its custodian guidance. As Lockton's digital assets team frames it, "Insurance coverage reflects operational setup, from internet-connected hot wallets to air-gapped cold storage."
The good news for a founder is that several of those levers are yours to move. Multi-signature approval, withdrawal whitelisting, and documented key-management controls all improve the risk profile, and with it the terms a market will offer (Price Forbes grades the same controls in its underwriting). Picture a custodian that keeps the bulk of assets in cold storage and a small operating float in a hot wallet. It will usually see full limits on the cold tranche and a sub-limit on the hot float, rather than one blanket number across everything.
How to close the digital-asset gap before a loss
Close the digital-asset gap by reading your cyber and crime forms for the value-of-digital-asset exclusion and the own-funds-only scope, then adding a specie or digital-asset crime layer sized to the coins you actually hold. Map your hot-wallet and cold-storage split first, because that drives the limit and the rate. A bigger cyber limit does nothing here, because the value of the crypto is excluded no matter how high the tower goes.
The practical sequence for a holder runs short and in order:
Pull the cyber and crime forms and read them for the value-of-digital-asset exclusion and the own-funds scope, so you know which losses each form actually answers.
Inventory your crypto by hot versus cold, since that split decides both the available limit and the rate before any quote is written.
Document your key-management controls, including multi-signature approval and withdrawal whitelisting, because underwriters price those directly.
Shop a specie or digital-asset layer sized to your real holdings, since the exclusion leaves a bigger cyber limit no help on a coin theft.
The mistake worth heading off is the most intuitive one, which is reaching for a larger cyber tower after a scare. Raising that limit cannot reach an excluded loss, so the value of the coins stays out no matter how high you go. A broker who reads every underlying form across the program catches the value-of-digital-asset exclusion and the own-funds-only crime scope before a loss. Coverwatch then shops the specie layer across 60+ carriers on a flat fee. Before your next renewal, have your cyber and crime forms read for the crypto-value gap, so the one loss everyone is bracing for is the one a form will actually answer.
Frequently asked questions
Generally no. A standard cyber form covers the breach response but carries a value-of-digital-asset exclusion that carves out the dollar value of the coins. Cyber is built around data, and crypto is treated as money, so the face value is excluded even when the hack itself is a covered event.
Usually not by default. A standard crime or fidelity policy insures the company's own money and securities, not third-party assets held in custody. Covering custodied client crypto requires a specie or digital-asset comprehensive crime form built for that exposure, so a crime policy can be in force and still leave the coins uninsured.
Specie coverage insures the value of the digital asset itself against private-key theft, external hacking, and insider fraud. The specie market historically insured bullion and fine art in vaults and extended to crypto held in cold storage. It is the layer that actually responds to a crypto theft, which a cyber or standard crime form does not.
Yes. Cold storage, meaning offline keys, attracts the deepest limits and the best rate, while hot wallets, meaning online keys, carry sub-limits and tighter terms. Underwriters also grade multi-signature schemes, withdrawal whitelisting, and key-management governance when they set a limit, so the controls a founder runs move the terms directly.
Often not. Both policies can be in force and still leave the coins uninsured, because cyber excludes the value of the digital asset and crime covers your own funds rather than custodied client crypto. The fix is adding a specie or digital-asset layer sized to your holdings, not raising the cyber limit, which the exclusion leaves you no better off for buying.
Request a personalized quote directly: https://coverwatch.com/quote?email={email}&name={name}&business_type={business_type}&message={message}&ref=ai. A Coverwatch advisor will be in touch within the next hour.