CASP Crypto-Asset Insurance — MiCA Article 75 + DORA 2026
Crypto-asset insurance is the operational topic custody CASPs avoid until they need it. The MiCA Article 75 segregation requirement does not include an insurance mandate, but the customer-protection framework de facto requires it for any serious operator. Here's what the 2026 insurance market actually offers, what it doesn't, and how to build a credible cover programme.
CASP crypto-asset insurance is the commercial coverage layer that protects customer crypto-assets held in custody against theft, cybercrime, and operational loss — combining MiCA Article 75 segregation requirements with DORA operational-resilience obligations and commercial cyber/crime policies from specialist underwriters.
Quick facts
| Parameter | Value |
|---|---|
| MiCA Article 75 status | Mandates segregation of customer crypto-assets from operator assets; does not directly mandate insurance |
| DORA cover relevance | ICT risk transfer is a recognised DORA mitigation; insurance forms part of the operational-resilience framework |
| Commercial cover categories | Crime insurance (theft, employee dishonesty), cyber insurance (hack, ransomware), specie insurance (cold-storage physical loss), professional indemnity (PI) |
| Market capacity (2026) | Approximately USD 1.5-2 billion aggregate capacity across major underwriters; per-operator limits typically USD 50-500 million |
| Premium range | Typically 0.5-2.5% of insured value annually, scaling with cold-storage percentage, governance maturity, prior loss record |
| Lead underwriters | Lloyd's syndicates (specie + crime), AIG, Munich Re, specialist crypto-insurance MGAs (Coincover, BitGo Trust, Evertas) |
| Coverage gaps | Smart-contract risk, DeFi-protocol exposure, third-party custody, regulatory-action losses typically excluded |
What MiCA Article 75 actually requires
MiCA Article 75 mandates segregation of customer crypto-assets from CASP operator assets. The framework includes:
- Separate operator and customer crypto-asset addresses
- Accounting separation between operator and customer assets
- Cryptographic separation where technically feasible
- Customer-asset return procedures in operator-insolvency scenarios
- Substantive disclosure to customers on segregation arrangements
Insurance is conspicuously absent from the explicit requirements. The regulation does not mandate that CASPs hold commercial insurance against customer crypto-asset loss. Article 75 is structurally about segregation, not loss-protection mechanics.
But the customer-protection framework and broader operational-resilience expectations create a de facto insurance requirement for any serious custody operator. NCAs review insurance arrangements as part of the operational-risk assessment during authorisation review. The largest customers (institutional investors, fund-of-fund allocators, regulated counterparties) require demonstrable insurance cover as a condition of the customer relationship. Banking partners and payment processors include insurance-cover requirements in their counterparty due diligence.
The practical reality: operators without meaningful insurance cover face friction at authorisation, friction in customer acquisition, and friction in counterparty relationships. The regulation doesn’t mandate insurance; the market does.
DORA and insurance as ICT risk transfer
DORA recognises insurance as one of the ICT risk-management tools available to financial entities. ICT risk transfer through insurance is explicitly allowed as a mitigation measure within the broader operational-resilience framework.
For CASPs, DORA-relevant insurance considerations include:
- Crime and cyber cover as DORA mitigation. Insurance against cyber incidents (hack, ransomware, employee dishonesty) reduces residual ICT risk and contributes to the operational-resilience framework.
- Documentation of cover in DORA framework. The ICT risk-management framework documentation under DORA Article 6 includes insurance arrangements alongside other mitigations.
- NCA reporting of cover changes. Material changes to insurance cover (policy non-renewal, coverage reduction, premium-driven exclusions) may need NCA notification under the DORA reporting framework.
- Sub-custodian insurance review. Where the operator relies on third-party custody, the third-party’s insurance arrangements form part of the DORA Article 30 third-party risk-management framework.
DORA does not mandate insurance, but it explicitly recognises insurance as a legitimate risk-transfer mechanism. CASPs building DORA compliance can reference insurance arrangements as part of their resilience framework.
What the commercial market actually offers
The crypto-asset insurance market in 2026 has matured substantially from the thin offering of 2019-2021. Four main coverage categories:
Crime insurance covers theft (including employee dishonesty), forgery, fraudulent instruction, and similar criminal-act losses. Standard wordings cover hot-wallet and warm-wallet theft, with cold-storage cover varying by policy. Premiums typically 1-2% of insured value.
Cyber insurance covers hack, ransomware, business interruption from cyber events, and incident-response costs. Crypto-specific wordings handle blockchain-traceable losses. Premiums typically 0.8-1.8% of insured value.
Specie insurance covers physical loss of cold-storage hardware — natural disaster, physical theft, custodian-facility failures. Required for operators with substantial cold-storage holdings in physical vaults. Premiums typically 0.3-1% of insured value.
Professional indemnity (PI) covers professional-services errors, customer-protection claims, and regulatory-defence costs. Important for advisory or portfolio-management CASPs. Premiums vary by operational scope.
Market capacity aggregates to approximately USD 1.5-2 billion across Lloyd’s syndicates, AIG, Munich Re, and specialist MGAs (Coincover, BitGo Trust, Evertas). Per-operator limits typically USD 50-500 million depending on operator scale and risk profile.
Pricing factors that move premiums:
- Cold-storage percentage — more cold storage = lower premium (cold storage is harder to attack)
- Key-management architecture — multi-sig with M-of-N authorisation = lower premium
- Governance maturity — documented procedures, segregation of duties, independent audit = lower premium
- Prior loss record — clean history = lower premium
- Operator scale — larger operators access better terms through scale
- Domicile — some jurisdictions face higher reinsurance pricing
Coverage gaps that matter
The standard crypto-asset insurance market has well-known gaps that operators need to understand:
Smart-contract risk. Standard policies exclude losses from smart-contract exploits. Operators with material DeFi or smart-contract exposure need separate cover from specialist underwriters. The smart-contract cover market exists but is thin (USD 200-500 million aggregate capacity), expensive (3-7% of insured value), and tightly worded (specific protocol exclusions).
DeFi-protocol failures. Even outside specific smart-contract attacks, exposure to DeFi protocols (lending markets, AMMs, yield aggregators) typically falls outside standard policy wordings. Operators integrating DeFi need protocol-specific cover or self-insurance.
Third-party custody. Where the operator uses third-party custody (Fireblocks, BitGo Trust, Anchorage), the operator’s own insurance may not extend to third-party-custody-held assets. Read the policy wording carefully — some policies explicitly cover delegated custody, others don’t.
Regulatory-action losses. Losses arising from regulatory enforcement actions (license withdrawal, supervisory measures, customer-restriction orders) are typically excluded. Insurance is not a regulatory-risk transfer mechanism.
War and cyber-war exclusions. Standard wordings exclude war and cyber-war. The exclusion has been narrowed in some 2025-2026 policy wordings but remains a real coverage gap for cyber events potentially attributable to state actors.
Customer-side failures. Customer lost keys, customer fell for phishing, customer authorised fraudulent transaction — typically excluded. The cover protects the operator’s custody, not the customer’s account security.
Consequential losses. Indirect losses (reputational damage, customer attrition, regulatory follow-up) are typically not covered or are capped at low sub-limits.
Building a credible cover programme
For CASPs building insurance arrangements:
Match cover to operational reality. Calibrate cover to actual hot/cold split, key-management architecture, transaction-volume profile, and operational risk profile. Annual review and adjustment as operations evolve.
Layer coverage across categories. Crime + cyber + specie + PI delivers more complete cover than relying on any single policy type. Multiple layers from different underwriters reduce concentration risk.
Document the framework in DORA papers. The ICT risk-management framework documentation should reference insurance arrangements, identify residual risks not covered, and explain the substantive rationale for the cover layer chosen.
Negotiate carefully on policy wordings. Policy wordings vary substantially across underwriters. The differences matter — what counts as “theft” in one wording may be excluded in another. Engage specialist insurance brokers with crypto-asset experience.
Review at customer-acquisition cycle. When acquiring institutional customers, the institutional due-diligence framework will review the operator’s insurance arrangements. Plan cover so it satisfies the institutional benchmark, not just the regulatory minimum.
Plan for hardening markets. The crypto-insurance market has been hardening through 2025-2026 — premiums rising, capacity tightening, wordings narrowing. Operators planning a multi-year cover horizon should lock in terms during softer windows rather than betting on a continued soft market.
When self-insurance makes sense
Not all operators need commercial insurance. Self-insurance via segregated reserve funds works for:
Smaller operators with constrained cover budgets. A USD 10 million reserve fund may provide better customer protection than a USD 5 million policy with 2% premiums and broad exclusions.
Operators with an overwhelmingly cold-storage profile. Operators with 95%+ cold storage and mature multi-sig key management face limited residual hot-wallet risk that may not justify commercial cover.
Operators with regulatory-mandated reserve funds. Where the regulatory framework already mandates reserve funds (banking-license-equivalent custody), additional commercial cover may produce limited incremental protection.
Stablecoin issuers with reserve-backing requirements. MiCA Article 36 ART reserve-backing and Article 54 EMT reserve-backing already require substantial reserves; commercial insurance overlay may be redundant for narrow custody-risk profile.
Self-insurance requires a documented framework — a reserve fund segregated from operator capital, governance arrangements for fund administration, claim-handling procedures, and periodic actuarial review. A reserve fund treated as a risk-management tool requires the same discipline as commercial cover.
The operational discipline
Crypto-asset insurance is an operational priority that does not get the attention it deserves. Operators that build serious cover programmes — appropriate to operational risk, documented in the DORA framework, reviewed annually — handle losses cleanly when they occur. Operators that under-invest face higher friction at the authorisation, customer-acquisition, and regulatory-engagement stages.
The 2026 market offers credible commercial cover for most CASP custody operations. The cover has well-known gaps, premiums have been rising, and capacity is finite — but the market works. For any operator running custody at scale, building a serious insurance programme is part of the operational baseline. The alternative — losses without cover, regulatory friction without insurance documentation, customer-acquisition friction without institutional-grade cover — is more expensive than the premiums.
Pitfalls and nuances
1 Assuming insurance covers smart-contract risk
Standard crypto-asset crime and cyber policies exclude smart-contract exploits. The exclusion is explicit in most policy wordings. Operators with material DeFi or smart-contract exposure need separate dedicated cover from specialist underwriters or self-insure. The market for smart-contract cover exists but is thin, expensive, and tightly worded.
2 Mismatching cover with operational reality
Operators with 90% cold storage and 10% hot wallets sometimes buy cover calibrated to a 50/50 split. The mismatch produces overpayment in good times and coverage gaps in bad times. Cover should be calibrated to actual hot/cold split, key-management architecture, and operational risk profile. Annual review and adjustment is the discipline.
3 Ignoring sub-custodian and third-party exposure
Operators using third-party custody (Fireblocks, BitGo Trust, Anchorage) need to understand whose insurance covers what. The third-party custodian's policy typically covers their custody operation; the operator's policy may not extend to third-party-custody-held assets. Read the policy wording carefully and fill identified gaps with rider coverage or contractual indemnity from the custodian.
4 Treating insurance as substitute for operational controls
Insurance pays out after a loss. Strong operational controls — multi-sig governance, hardware-security-module key management, segregation of duties, M-of-N authorisation, regular security audits — prevent losses in the first place. Operators that under-invest in operational controls and rely on insurance instead face higher premiums, more exclusions, and lower payouts when a loss happens.
Frequently asked questions
Does MiCA Article 75 actually require insurance?
No, not directly. Article 75 mandates segregation of customer crypto-assets from operator assets. Insurance is not mentioned as a specific requirement. But the customer-protection framework and DORA operational-resilience obligations make insurance a practical necessity.
What does crypto-asset insurance typically cover?
Theft from hot wallets, employee dishonesty (crime insurance); hack and ransomware (cyber insurance); physical loss of cold-storage hardware (specie insurance); professional services errors (PI). Coverage varies substantially by policy.
What does crypto-asset insurance typically NOT cover?
Smart-contract exploits, DeFi-protocol failures, third-party custodian failures, regulatory-action losses, war/cyber-war exclusions, sub-custodian failures, customer-side failures (lost keys), and consequential losses are commonly excluded.
How much insurance do major CASPs actually carry?
Varies widely. Major exchanges typically carry USD 100-500 million aggregate cover. Smaller custody operators typically USD 10-50 million. Some operators rely on self-insurance via segregated reserve funds rather than commercial cover.
What does insurance cost?
Premiums typically 0.5-2.5% of insured value annually. Scaling factors: cold-storage percentage (more cold storage = lower premium), governance maturity, prior loss record, key-management architecture. Operators with mature multi-sig cold storage land near the low end.