A practical UK guide to crypto crime insurance, coverage, costs, eligibility, and FCA considerations, written in plain English to help you choose suitable protection with confidence.
A plain-English guide to crypto crime cover
Crypto crime insurance is designed to protect exchanges, custodians, brokers, and other crypto-facing firms against losses from hacking, theft, fraud, and certain cyber incidents. In a market where security incidents can escalate quickly, this type of policy can be the difference between a manageable recovery and severe financial damage. In 2025, more than half of exchange policies include specific hack and theft cover, and premiums have risen as threats become more sophisticated. For UK firms, the FCA’s tighter oversight and disclosure rules add an extra reason to secure appropriate insurance and document it clearly.
This guide explains how cover works, which events are typically included or excluded, how claims are handled, and what affects price. We use straightforward language so you can assess the protection on offer without assumptions or jargon. You will also find guidance on eligibility, common underwriting requirements, and where crime insurance sits alongside broader cyber liability cover. High-capacity markets in London, including Lloyd’s, provide some of the largest limits worldwide, often with custody-specific protection for cold storage assets, giving UK firms direct access to meaningful capacity.
It is important to set realistic expectations. Insurance cannot remove risk, and it will not cover every scenario. Policies vary between insurers, and claims depend on precise wording, controls in place at the time of the incident, and timely reporting. That said, in an environment where law enforcement activity is disrupting illicit flows yet cyber attacks persist, crime insurance can play a vital role in resilience, regulatory confidence, and customer trust.
Insurance can support recovery and trust - but only when you understand exactly what is covered and what is not.
What is covered and how a claim usually unfolds
Most crypto crime policies focus on financial losses from criminal acts against your business. Core inclusions often address exchange hacks that compromise hot wallets, social engineering that triggers unauthorised transfers, insider theft by employees or contractors, and certain custody incidents where private keys are exposed. Many policies distinguish clearly between hot and cold storage, with tailored wording for each. Losses arising from fraud schemes may be covered when a defined criminal act is proven and when policy conditions are met. Where cyber liability is packaged with crime cover, you may also see support for incident response, forensics, notifications, and regulatory defence costs.
Exclusions are just as important. Market volatility, token devaluation, or business losses from poor treasury decisions are not crime losses. Losses from dealing with sanctioned entities, unregistered activities, or breaches of law will not be covered. Policies typically require robust security controls, segregation of duties, multi-signature approvals, and evidence of key management protocols. Failing to maintain these controls can restrict or void cover. As an example, a phishing attack that bypasses two-factor authentication may be covered if social engineering is included and the firm followed its approved security procedures. By contrast, if funds were transferred from a wallet that was outside declared custody arrangements, the claim could be declined.
A typical claim starts with immediate incident notification, usually within specified hours. Insurers may deploy breach coaches, forensic specialists, and legal counsel. You will be asked for logs, wallet addresses, chain analytics, and control documentation. Interim decisions may be made as assets are traced or frozen. Final settlement depends on policy terms, sub-limits for social engineering or hot wallet exposure, and any applicable excess.
Who benefits most - and who may not need it
Crypto crime cover is most valuable for UK exchanges, custodians, market makers, OTC brokers, payment firms, and Web3 platforms that hold or move client assets. If you run hot wallets, manage institutional custody, provide liquidity across venues, or accept crypto payments at scale, a dedicated crime policy can support business continuity and stakeholder confidence. It can also help satisfy counterparties, banking partners, and board-level risk appetite, particularly under FCA expectations for transparent controls and insurance disclosures.
Smaller projects with no asset custody and minimal on-chain exposure may prioritise broader cyber liability or technology errors and omissions rather than full crime limits. If you do not touch client funds and your exposure is limited to website data or APIs, a targeted cyber policy could be sufficient. For firms still seeking FCA registration or operating under temporary permissions, insurance will not substitute for compliance and may be unavailable until minimum controls and governance are demonstrated.
Choosing the cover that fits
- Essential crime cover - hot wallet focus: Designed for exchanges or payment gateways with limited cold storage. Includes hot wallet theft, external hacking, and social engineering sub-limits. Often paired with strict MFA, allowlist controls, and 24-7 monitoring requirements. Suitable for firms scaling liquidity but still maturing custody.
- Standard crime plus custody protection: Adds custody-specific wording for cold storage, private key management, and insider risks. May include key sharding protocols, HSM requirements, and dual-control access. Balances meaningful limits with clear operational conditions. Appropriate for regulated custodians and brokers holding client assets.
- Comprehensive exchange package: Combines crime, cyber liability, incident response, regulatory defence, and business interruption. Hot and cold storage are addressed separately with different sub-limits and deductibles. Often underwritten through London market capacity for higher limits and multi-jurisdictional operations.
- Optional add-ons to consider:
  - Social engineering uplift: increases sub-limits for authorised push payment fraud.
  - Smart contract failure endorsement: limited cover where an exploit involves verified code components tied to custody functions.
  - Regulatory investigations cover: defence costs arising from mandated disclosures or supervisory actions after an incident.
  - Asset recovery services: chain analytics, wallet tracing, and coordination with freezing orders.
- Territorial and sanction clauses: Confirm covered jurisdictions, OFSI compliance, and treatment of cross-border transfers. Misalignment here can restrict claims even when losses are otherwise insurable.
What it costs and why prices vary
| Item or factor | Typical UK impact | What to know |
|---|---|---|
| Annual premium range | 2% - 5% of insured asset value | Rates increase with threat level and claims across the market. |
| Limit selected | Higher limits cost more | Large exchanges may seek limits into hundreds of millions. |
| Storage mix | More cold storage lowers cost | Hot wallet exposure attracts higher premiums and sub-limits. |
| Security controls | Strong controls reduce price | Multi-sig, HSMs, segregation of duties, and 24-7 monitoring help. |
| Claims history | Prior losses increase premiums | Expect stricter underwriting and higher excess after incidents. |
| Turnover and volumes | Bigger volumes, higher risk loading | Rapid growth without control upgrades can elevate pricing. |
| FCA registration status | Clear compliance can help | Registered and audited firms often secure broader terms. |
| Incident response readiness | Playbooks and testing reduce risk | Tabletop exercises and vendor SLAs support better outcomes. |
| Excess level | Higher excess lowers premium | Ensure excess is affordable during a stressed event. |
| Coverage scope | More modules cost more | Adding cyber liability, BI, or regulatory defence increases cost. |
Premiums are trending upward as breach costs rise - budgeting realistically helps avoid underinsurance.
Who can apply and what insurers expect
UK-based crypto businesses, including exchanges, custodians, brokers, OTC desks, payment firms, and institutional trading entities, can apply. Insurers will usually expect FCA registration where relevant, evidence of governance, and clear documentation of wallet architecture, key management, and access controls. You may be asked for SOC 2 or ISO 27001 status, penetration testing reports, vendor due diligence, AML and sanctions procedures, and details of incident response plans. Firms operating internationally should disclose all jurisdictions and any licensing.
Common reasons for decline include unmanaged hot wallet exposure, inadequate multi-signature approvals, weak segregation of duties, absence of chain analytics or transaction screening, and prior unresolved losses. Operating without necessary registrations, or engaging with sanctioned entities, will typically result in refusal. Being transparent about controls and remediation steps improves underwriting confidence and can open access to higher limits over time.
The process from quote to claim
- Map assets, exposures, and desired limits with your internal risk team.
- Prepare security documentation and compliance evidence before approaching brokers.
- Request quotes, disclose storage mix, controls, and jurisdictional footprint.
- Compare terms, sub-limits, excesses, exclusions, and incident response services.
- Bind cover only after confirming warranties and ongoing control obligations.
- Maintain controls, test response plans, and document change management rigorously.
- If an incident occurs, notify immediately and preserve all forensic evidence.
- Work with insurers, law enforcement, and analysts to trace, freeze, and settle.
Weighing it up - advantages and drawbacks
| Consideration | What helps | What to watch |
|---|---|---|
| Financial resilience | Pays defined crime losses | Sub-limits for hot wallets and social engineering may cap recovery. |
| Regulatory confidence | Supports FCA transparency expectations | Does not replace compliance or licences. |
| Market trust | Signals strong risk management to partners | Warranties require continuous control discipline. |
| Large limits available | London market and Lloyd’s capacity | Higher limits increase cost and documentation demands. |
| Incident response support | Forensics and legal guidance included in some policies | Coverage varies - check vendor SLAs and panel requirements. |
| Premium trends | Enforcement is reducing mega-scams | Rising breach costs still pressure premiums. |
| Global operations | Multi-jurisdictional cover possible | Sanctions, territorial limits, and choice of law can restrict claims. |
Key checks before you commit
Review the schedule, policy wording, and endorsements line by line. Confirm what constitutes a criminal act, how unauthorised transfer is defined, and the treatment of private keys and multi-sig approvals. Look closely at excess amounts, any waiting periods for business interruption, and sub-limits for social engineering, hot wallets, and regulatory defence. Check renewal terms and how premiums may adjust after a claim. Ensure incident notification timeframes are realistic for your team. Keep copies of warranties and any minimum-security requirements, since breaches of these conditions can invalidate claims.
Alternatives and related protection
- Cyber liability insurance - covers data breaches, network security failures, regulatory defence, and incident response where no direct crypto theft occurs.
- Technology errors and omissions - addresses negligence in software or platform services that cause client financial loss without a criminal act.
- Professional indemnity - suitable for advisory firms where misstatements or omissions create client loss without theft.
- Directors and officers insurance - protects senior management against claims of mismanagement following an incident or outage.
- Crime fidelity cover - tailored for insider fraud and employee theft where crypto is incidental or limited.
Frequently asked questions
Q: Does crime insurance cover market losses if token prices fall? A: No. Price volatility, depegging, or market liquidity events are not crime losses. Policies respond to defined criminal acts, such as theft following a hack or social engineering, subject to terms and sub-limits.
Q: Are all hot wallet losses covered automatically? A: Not automatically. Many policies include sub-limits for hot wallet exposure and require security controls like multi-sig and allowlists. Losses outside declared custody arrangements may be excluded.
Q: Will I be covered if staff make an honest mistake? A: Pure operational errors are often excluded unless specifically endorsed. Some policies address social engineering and authorised push payment fraud where deception is proven, but simple mistakes may not qualify.
Q: Do I need separate cyber liability insurance? A: Often yes. Crime insurance addresses theft and fraud losses. Cyber liability handles data breach costs, system restoration, privacy liability, and regulatory defence. Combined packages exist, but scope should be checked.
Q: How much cover should a UK exchange buy? A: It depends on asset values at risk, hot-versus-cold storage mix, counterparty expectations, and regulatory disclosures. Many firms model worst-case hot wallet exposure and choose limits aligned to that scenario.
Q: Will law enforcement action reduce my premium? A: Improved enforcement helps overall risk, but premiums still reflect rising breach costs and your specific controls, claims history, and storage profile. Expect thorough underwriting despite market-wide improvements.
Q: Who underwrites the largest limits in London? A: The London market, including specialist syndicates, offers substantial capacity. Policies for exchanges and custodians can reach high limits where security controls and governance are demonstrably robust.
What to do next
If crime insurance fits your risk profile, gather your security documentation and map your asset exposures. Compare quotes through a regulated broker, checking limits, excesses, sub-limits, and exclusions carefully. Take your time, ask for clarity in plain English, and only proceed when you are confident the policy matches your operations and FCA obligations.
Important note
This guide provides general information, not personal financial advice. Policy terms vary by insurer and may change. Always review the full wording, schedules, endorsements, and exclusions, and speak to a regulated adviser before purchasing.