Is blockchain a risky business?

It depends who you ask.

New technologies transition at different paces from conception to maturity and widespread adoption, according to Gartner’s Technology Hype Cycle. Blockchain – or Distributed Ledger Technology (DLT) – has been cruising the hype cycle at high speed, popping out of nowhere directly into the cycle’s Peak of Inflated Expectations in 2016 and quickly reaching its Trough of Disillusionment by the end of 2017. While Gartner’s Technology Hype Cycle for 2018 has not been published yet, it would be difficult to deny that blockchain technology will soon enter the so-called Slope of Enlightenment, in which the technology becomes more widely understood and second generation iterations of initial pilots and prototypes emerge in those areas in which experimentation delivered value.

From synchronization and automation…

Most blockchain efforts among multinational corporations (MNCs) and incumbents across industries – ranging from supply chain management to energy or financial services – have focused on operational improvements and building ecosystems of value. These efforts are about synchronization and the automation of contractual relationships in semi-trusted enterprise networks.

They are usually driven by consortia or company alliances, in which various – well-established – corporations leverage blockchain-inspired, shared, and sometimes even relational databases, to increase transparency and efficiency in their interactions. Using DLT distributed ledger technology to automate complex value chains, involving multiple parties with conflicts of interest, has become the most widespread and explored blockchain use case among enterprises.

The medium- to long-term innovation impact of blockchain or DLT will be disruptive rather than incremental.

For insurers, these efforts include exploring industry utilities that use blockchain to simplify subrogation, or prototypes like Codex1, which was developed by insurance consortium B3i to increase efficiency in handling reinsurance contracts. Some of these solutions are estimated to deliver efficiency gains of up to 30%.

Fully automating certain types of insurance policies—mostly parametric insurance—using smart contracts has also been explored. Indeed, self-executing smart contracts have the ability to automate very simple risks and insurance policies, from issue to claims processing. The first distributed and smart contract enabled insurance product was flight delay insurance –that has now been replicated by several start-ups. Other potential uses being explored include crop and catastrophe insurance, weather and index-based insurance products, and even pilots issuing life microinsurance policies that are fully running on smart contracts.

The cases above are delivering incremental innovation by mostly automating existing processes and increasing efficiency around current business models. Conversely, the blockchain infrastructure that is being built by the wider blockchain start-up ecosystem makes use of some of this technology’s attributes that go beyond the idea of simply delivering automation. Indeed, blockchain was never meant to deliver automation, but decentralization and disintermediation instead.

Therefore, the medium- to long-term innovation impact of blockchain or DLT will be disruptive rather than incremental, since it aims to modify most industries’ business models.

… to autonomous peer-to-peer solutions

So, what are blockchain’s most disruptive attributes? Immutability and transparency or auditability are two of its most advertised features. These attributes though, reflect a blockchain’s need to be fully decentralized, cryptographically secure and an autonomous, censorship-resistant system among non-trusted partners. Initially, the idea behind the first blockchain was to enable the existence of a cryptocurrency – Bitcoin – without the need of a central bank or any type of central authority to govern its supply or a market that housed such transactions. This ultimately created a shared, decentralized ledger.

A tool that empowers peer-to-peer networks among non-trusted parties to transact any type of value is extremely powerful.

Gradually, we realized that a tool that empowers peer-to-peer networks among non-trusted parties to transact any type of value was extremely powerful. Blockchain started as the enabler of Bitcoin – a digital asset that came to existence and was transacted only virtually – and evolved into a solution that replicated this trustless market for other digital assets and later even for physical assets. What used to be a way of storing one’s cryptocurrency coins, evolved into wallets and identity solutions that now can store our interaction with financial service providers, our medical records, our DNA code and even our behavior. These solutions are built on the principle of data self-sovereignty and will transform how companies access, interrogate and store individual data in the future. They probably will also increase the granularity of data that can be interrogated by service providers – banks, insurers, hospitals – and the transparency and fungibility of risk. By overcoming the lack of data and financial inclusion of a great share of the world’s population, underserved markets will be accessed. To truly move the needle, most of these solutions will need further development, scope and scale. But once that’s achieved, their impact on personal lines insurance will be significant.

These solutions mean that smart contracts will access and interrogate various types of data sources – identity solutions, prediction markets, public data, connected devices and wearables, and more – to assess and price risks, pool them into financial vehicles and match those risky instruments to investors with an adequate risk appetite. This vision not only implies that risk could be achieved in an autonomous organization of non-trusted peers, but even more, that risk could be placed in decentralized capital markets as well.

How risky is this brave new world?

No matter how dystopian some of these blockchain enabled worlds may seem to the traditional insurance industry, it is undeniable that new high-stakes technologies like artificial intelligence and blockchain are here to stay and that they are introducing a myriad of new risks, as well as transferring old risks to new places. Even in blockchain-enabled solutions that are about the mere automation of certain insurance products and processes there are new risks being generated.

Let’s consider a parametric insurance product that is coded into a smart contract – say an annual catastrophe microinsurance policy that pays out $3,000 if there is an earthquake of magnitude 6.5 or higher and its epicenter is registered less than 50 miles away from a policyholder’s property. The automated product allows a customer to buy the insurance policy by only giving access to data about the property owned, e.g., property address and proof of ownership. The premium is then deposited into an escrow account governed by a smart contract. So are the premiums of other policyholders. The smart contract will constantly check a predefined source of data – for example, the European Mediterranean Seismological Centre (EMSC) – and establish if during the policy’s duration, the triggering conditions are met. If an earthquake of a pre-established magnitude happens within the pre-established miles of radius from a property, $3,000 will automatically be deposited into the policyholder’s account. Otherwise, if during the duration of the policy the conditions are not met, the policy will automatically end. This smart-contract-enabled insurance policy is automated and more efficient, but most importantly, it is unstoppable.

This “mere” automation introduces several risks. Firstly, the way in which the smart contract is coded may be flawed, i.e., have bugs, or may not reflect the pre-established contractual relationship in the way it should. Secondly, depending on the type of blockchain ledger where the coding is housed, the contract itself may be subject to cybersecurity concerns. Thirdly, even in the case in which the code is flawless and the ledger on which it sits has state-of-the-art encryption, the source of information, or so-called Oracle, triggering the contract could be corrupted (or prone to human error). If, for example, the data of the EMSC is hacked, this could result in smart contracts executing irreversible payments to policyholders. Finally, these types of products also have implications on capital solvency, because, among other things, they imply unbreakable escrow.

Some of the current applications of peer-to-peer insurance protocols – go even a step further, since they are able to execute the product above without the existence of an underwriter. Customers pool their premiums into a common escrow account that is governed by a smart contract, which will also govern the way in which the assets in that account are managed and deployed, and which would guarantee the network’s solvency. In essence, it’s underwriting without an underwriter. While this is not a new concept – it looks very much like mutual insurance in the late seventeenth century – until now, peer-to-peer insurance happened within smaller communities and communities of trust. With blockchain, though, this P2P risk model could expand into trustless networks and scale to systemically important autonomous risk sharing platforms with no liable organization to regulate or be responsible in the case of failure precipitated by a black swan or simply bad underwriting. sharing platforms with no liable organization to regulate or be responsible in the case of failure precipitated by a black swan or simply bad underwriting.

In a future in which blockchain-enabled portable and individual data solutions are fully developed, and in which data self-sovereignty and selective data sharing are a day-to-day reality, many more risks arise. This starts with the obsolescence of most of our predictive analytics engines – designed to generate insights from centralized data – to the obsolescence of regulation and absence of governance mechanisms to protect people from the “dark side” of analytics. Are these risks imminent? Obviously not. Many variables – from regulation to data literacy and consumer behavior – need to evolve in certain directions for these risks to materialize. Still, it is important to be aware that the blockchain ecosystem is well capitalized, believes in new ways of distributed social interaction and is ready to build the plumbing to enable their long-term vision.

In summary, blockchain in the insurance industry introduces risks into three conceptual buckets:

• Risks of disintermediation – related to the governance, liability and solvency of distributed autonomous organizations or blockchain-enabled peer-to-peer networks.
• Risks of automation – related to the safety of oracles; increased cyber risk exposure; new cyber risks and old cyber risks are transferred to new places; increased business interruption risks; scalability and platform stability; and several contractual and governance risks.
• Risks of business model disruption – including the sustainability of product personalization and hyper-segmented markets; the societal risks associated with the dark side of analytics; the fact that individuals will be fully responsible for protecting their data and the obsolescence of business models, regulation and software based on centralized data principles.

So, what is the good news?

Well, first of all, none of the above risks are exclusive to the insurance industry. Indeed, they apply to most industries exploring blockchain—industries that the insurance industry insures. So the key question becomes – Are these blockchain-related risks insurable? A question not asked enough by the insurance industry.

Let’s use some history as an analogy to highlight the prospects of insuring blockchain risk. Back in 1997, the first cyber insurance policies written were essentially third-party liability policies that covered external hacking events. They ignored or did not fully address the fact that most risks were originated inside a company by poor processes or disengaged employees. They also had a simplistic approach to defining price and coverage: revenue-based rather than exposure-based. Well, for blockchain risk insurance, it is probably still 1996. While there is great need for insurance solutions that provide stability and scalability to the ecosystem, there is almost no appetite to cover blockchain and cryptocurrency-associated risks and those very customized policies covering some cryptocurrency risks – e.g., the expensive and very restrictive coverage for cold storage.

The lack of a model that assesses and prices blockchain and cryptocurrency-related risks is the source of this finicky appetite. Since “the” blockchain does not exist, many of these risks are directly related to the way in which a DLT is designed. To understand some of the risks introduced by using a DLT, one has to assess the design and characteristics of all the different layers in a DLT’s stack.

Appetite comes with eating

The risks of a blockchain-enabled use depends on how DLT’s access is designed – e.g., permission-less vs. permission-ed, the way in which data is handled and stored, the way in which consensus is reached, and DLT’s encryption, privacy and security features. If the DLT used has a native cryptocurrency, that adds risks associated with that crypto currency’s design and hence its volatility, its long-term sustainability, its scalability and its cost-efficiency.

Then there also are risks associated with application layers and those that provide smart contract functionality. These can stem from a variety of sources including the programming language used, the degree of proficiency of the DLT’s developer community, the protocols followed to minimize bugs and the constant check for vulnerabilities.

Finally, all these attributes affect different risks in different ways. While consensus design has a direct impact on risk-like business interruption and the system’s vulnerability to ransom or denial of service attacks, encryption and data handling are more relevant to determine the risk of a data breach, and application layers are those mainly affecting operational and contractual risks.

By defining which part of risks are insurable and developing a blockchain risk quantification model, the industry will develop the appetite to insure them.

Blockchain and DLTs are still in their early days, and we are still in an experimental phase that has seen an intense proliferation of different types of blockchain and DLT designs. Most of these new designs will not survive. It’s analogous to when internet protocols were discussed and then one protocol emerged and became the accepted standard. A lot of the uncertainty driven by different DLT designs will fade away, once the market consolidates behind one or a few of these blockchain protocols. Still, we will need more blockchain risk awareness until we get there. For instance, current policies around business interruption or third-party risk may be covering silent blockchain risks, if the insured is testing or implementing blockchain-based solutions.

As the saying goes, l’appétit vient en mangeant, and it is by starting to define which part of these risks are insurable and develop a blockchain risk quantification model, that the industry will generate the appetite to insure them. Let us hope that it does not take us 20 years to get there.