PLUS Podcast

PLUS podcasts feature industry experts and content contributors throughout the professional liability insurance talking about timely industry topics.

All Episodes

PLUS Podcast

Demystifying NFTs Episode 5

October 05, 2023 • PLUS • Season 1 • Episode 5

In Demystifying NFTs Episode 5, Alice Budge, Jennifer Stivrins and Vito Marzano welcome guest contributor, Kieran Quigley of Mosaic Insurance to the podcast. At the top of the podcast, Jennifer and Vito share updates on the SEC's latest enforcement actions against Impact Theory and Stoner Cats. Kieran then leads the group in a spirited discussion on underwriting of companies with NFT risks from the viewpoint of a cyber and technology liability underwriter.

Special thanks goes to Liam Thau of Kissel Straton & Wilmer for support and research for the episode.

If you'd like to send a question to the speakers, you can email them to NFTLiabilityPodcast@gmail.com.

For the best experience, it is recommended you update the “Auto-lock” setting on your mobile device to “Never” so that the podcast doesn’t pause while you are listening.

PLUS Staff: [00:00:00] Welcome to this PLUS Podcast: Demystifying NFTs, Episode 5. We would like to remind everyone that the information and opinions expressed by our speakers today are their own, and do not necessarily represent the views of their employers, or of PLUS. The contents of these materials may not be relied upon as legal or financial advice.

And now I'd like to turn it over to our host, Alice Budge.

Alice Budge: Thanks so much, Tyla. Hi, everyone, and welcome back. I'm Alice Budge from Specialist Risk Group, a London market insurance broker in the Web3 space. Thank you for joining us all again for our fifth episode of Demystifying NFTs. We're very pleased to bring you today's episode, which will focus on the underwriting of NFTs.

I am joined by our usual co-hosts, Jenni Stivrins and Vito Marzano of KSW's Emerging Tech Team. They are US attorneys representing insurers with clients in the Web3 space. And we are very happy to be joined by our up-and-coming cyber and technology underwriter with a particular interest in the [00:01:00] Web3 space, Kieran Quigley.

Kieran is joining us from his new shop at Mosaic Insurance and is also founder and chair of the Lloyds Cyber Under 35s group. Welcome, Kieran.

Kieran Quigley: Thank you all for having me. I'm super excited to chat today.

Alice Budge: Before we jump into underwriting though, and to set the stage a bit concerning the NFT landscape in the US, we've had some very exciting updates from the SEC in recent weeks, haven't we?

Vito John Marzano: We have. You might remember that in Episode 3, we spoke with our colleague Merri Challender about regulation, or the lack thereof, here in the States. The SEC seems to have woken up. In the last month, the SEC has announced two enforcement actions against NFT platforms, Impact Theory and Stoner Cats.

Alice Budge: Stoner Cats, Vito. Tell us more.

Jennifer Stivrins: Our listeners will remember that in Episode 3, we talked about the Howey Test for determining whether something was a security. And again, that's where if an asset is, [00:02:00] “investment of money in a common enterprise with a reasonable expectation of profits to be derived from the efforts of others,” then it's considered a security.

So, in both actions against Impact Theory and Stoner Cats, the SEC determined that the NFTs were in fact securities under the Howey Test. With respect to Impact Theory, the SEC found that Impact Theory marketed the NFTs as investments, including implications that investors would profit if Impact Theory succeeded.

So, Impact Theory and the SEC ended up entering into a consent decree, settling the allegations for an aggregate payment of approximately $6 million US in disgorgement, interest, and civil monetary penalties. In Stoner Cats, it was a similar finding. Vito?

Vito John Marzano: That's right. The Action concerned a July 2021 offering by Stoner Cats of over 10,000 NFTs for sale for about $800 [00:03:00] each, which sold out in about 35 minutes.

If you’ve got your math brain on, that generated proceeds of approximately $8.2 million. The SEC here also found that there were investments and that the sale of the NFTs could have been registered with the SEC. Stoner Cats agreed to pay about a million as a civil penalty and to destroy all of the Stoner Cats in its possession, custody, or control. Poor cats.

Alice Budge: So, despite the Howey Test outcome being the same, these NFT offerings were different in style, were they not?

Jennifer Stivrins: Yeah, I think that's right. And a lot of legal minds in the space have opined on this. So, I'm certainly not the first to say so. But I think that the consensus is that while Impact Theory was pretty clearly an example of an entrepreneur selling essentially shares in the business or in the company by way of an investment contract, Stoner Cats was something a little bit different.

Stoner Cats was essentially stills of a TV show, and the way [00:04:00] in which Stoner Cats told people those NFTs would gain value was essentially because they would become collectible. A collectible is not the same thing as an investment contract, or at least not yet anyway.

I think it’s also telling here that two of the SEC commissioners - Hester Peirce and Mark Uyeda - dissented. They both want to see more clarity in the laws for those who want to be in the space, or in other words, let's get the regulations clear first rather than regulating by these SEC enforcement actions.

Alice Budge: Very interesting. So, the SEC is perhaps making a press to clearer regulations here, then. With that as a backdrop, we're going to turn now to Kieran to talk underwriting.

Because who doesn't want to underwrite in a space which is rife with unclear regulations?

Kieran Quigley: Exciting times indeed, Alice.

Alice Budge: Kieran, orient us here a bit, please. What type of NFT risk submissions have you seen come across your [00:05:00] desk as a cyber and tech underwriter specifically?

Kieran Quigley: I guess from what I've seen, NFT insurance clients typically fall within the $1 to 50 million revenue range.

However, because most of them are startups, they often just have a year or two of operations. Resulting, most submissions come in well-below that $10 million revenue mark.

I think also in terms of coverage these clients usually opt for limits of at least a million, but larger ones sometimes do go for a higher limit. So, you can see three- or five-million-dollar limits being bought. Currently NFTs predominantly revolve around those micro-SME accounts. But given that this technology is still relatively new, rapidly expanding, it's no surprise that these risks remain in that small size range.

You definitely won't find the giants like Apple or Microsoft knocking on your door for NFT insurance just yet. However, I do believe that will change as digital assets gain more momentum. I think speaking of the types of NFT risks that I've [00:06:00] personally seen, they often relate to the more recreational or media focused businesses.

For instance, I've seen NFTs tied to baseball or sports cards, where player cards are minted, bought, and sold on marketplaces. Similarly, NFTs related to films and TV shows on platforms like Netflix and other well-known streaming services are becoming far more common. Now, there are two main categories of NFT businesses that I see seeking insurance.

Some focus on a single niche, like baseball cards. Others are far more diversified. They engage in NFTs, cryptocurrency wallets, cryptocurrency itself, Web3 marketing, you name it, they're a whole one-stop-shop.

Vito John Marzano: That seems a bit like a lot. Would you underwrite something like that?

Kieran Quigley: Yeah, well-put Vito. It is a lot.

And to be honest, those ones tend to not really be my favorite as there seems to be no direction to the business and skeptically, I think you can't be amazing at [00:07:00] all aspects of that. But if the risk management and the underwriting stacks up, I guess never say never. I think it's worth noting that the NFT industry has a remarkably low barrier to entry.

Anyone can really dive into this space and as a result, startups are popping up all over the place. And often with these startups, the usual formalities of running a business may not really be at the forefront of the founders’ minds. These businesses often prioritize creating exciting things in the NFT space, attracting their customers, or securing investment.

And sometimes their main motivation may be to simply turn a quick profit by getting in and out of the market swiftly. And personally, as an underwriter, all of these factors can pose challenges when it comes to risk selection for us as insurance carriers.

Jennifer Stivrins: Yeah, I think that's one aspect that Merri and I were talking about recently on a webinar with another London broker in this space.

These companies are often so [00:08:00] young, so excited about the technology, which is great, but they sometimes put their risk management on the back burner.

Kieran Quigley: Yeah, absolutely. I think it's our role on that insurance side of things to ensure that a company places that strong emphasis on both risk management and attention to detail before we proceed with any underwriting.

I think also to wrap up this topic, geographically speaking, I'd say that the majority of submissions do come from the US-based companies. Although some of them are located in perhaps more exotic paradises like the Cayman Islands. I think we all know the reasons for that, don't we?

Vito John Marzano: Beautiful sunny beaches, right? So, we now know what's coming across your desk. Can you let us into your brain a bit regarding what your thought process is once you have the submission in front of you?

Kieran Quigley: Of course, I guess that's the fun part, isn't it? But there are so many considerations that go into this, and I get to be a kind of detective of sorts by unraveling [00:09:00] the story of the company.

So, I like to dig into things like what is the company? How are they financed? What is their history? Their business plan? Who are the founders? And what is their experience? Given a lot of these companies are in that startup stage, the underwriting extends beyond simply understanding the business today, but also, what is the viability of them succeeding in the future? I guess in a way this is like underwriting director and officer, or D&O insurance, where the individuals leading the company play a critical role. So, I do often ask for the founder's CV to get a deeper insight into their qualifications and their capabilities.

I guess with all of this, I'm looking for those indicators of stability and sustainability in the business. So absolutely, I will be looking to examine the three main financial statements. So, things like the profit and loss, the balance sheet, the cash flow statement. These are all a crucial part of evaluating if a company is stable and sustainable.

Alice Budge: Great. Thanks Kieran. And when you're [00:10:00] looking at these financial statements then what stands out to you where NFTs are concerned?

Kieran Quigley: There's quite a lot, but I'd say crucially in the context of NFTs, the business income and the value of the company cannot, I repeat, cannot just be on the value of the NFTs or the potential cash flow.

This is one of the biggest things that I see often overestimated. I think you guys spoke in earlier episodes about just how volatile and fickle really the valuation of NFTs can be. Therefore, having cold hard cash as assets and a steady stream of investment in what I like to call fiat assets provides stability and it mitigates risks throughout that full 12-month insurance policy period.

A well-managed insured will ensure that they have these tangible resources to support its operations. Even in the face of the wild NFT market fluctuations that we often see.

Jennifer Stivrins: And while that Web3 space has been growing exponentially and certainly [00:11:00] legitimizing itself along the way, we do still see some bad actors in the space, just like in any other space.

So, what are you doing as an underwriter to guard against those bad actors?

Kieran Quigley: You're absolutely right, Jenni. I think it's even more critical in the realm of digital assets to adhere to standard business practices. So, things such as, know your customer or KYC checks and sanction screens are super important.

These steps are vital to confirm both the legitimacy and the legality of the NFTs that we look to insure because we cannot and certainly do not want to provide cover for illegal activities. I think overall the traditional indicators of business confidence with things such as, years of operation, established industries and steady income may not always be readily available with NFTs.

Therefore, I think as underwriters, you need to adapt and develop alternative indicators of stability and legitimacy for these NFT type of risks.

Vito John Marzano: Does it help also to [00:12:00] try to figure out why they want insurance?

Kieran Quigley: Absolutely. I personally believe that understanding the why should always be a part of the underwriting process. While it might appear a bit redundant at times, I find it crucial to learn about the insured’s perspective on the risks they aim to transfer and what is the rationale driving their insurance purchase.

Nobody understands the business better than they do, and this insight really helps me fully grasp the details of risk transfer, and also appreciate the value that my cyber policy would bring to them as a client. I often come across companies purchasing insurance for contractual reasons. So, for instance, imagine a small NFT startup with 1 million revenue that mints NFTs.

For them, having insurance in place is a requirement when partnering with a giant like Netflix or any other type of streaming service. So, the insurance really safeguards the big guy's liability in the background. On the other hand, some companies buy insurance as a symbol of trust and quality. [00:13:00] Something that can attract future investment or boost their customer acquisition.

I found that the presence of insurance essentially de-risks the business, making it far more appealing. And of course, you also have those who just buy insurance as part of their regular risk management practices. So, they've got their professional indemnity policy, their property policy, and then they buy their cyber policy, amongst others.

So, I guess it really is a mixed landscape, but I always find it really valuable to understand the motivations behind their insurance purchase.

Alice Budge: Yeah, so once you know who these people are and why they're buying insurance, what are you specifically asking them in relating to the NFTs?

Kieran Quigley: I think with all of this in the context of NFTs, there's a lot, but very high-level considerations would be firstly, what is the [company’s] NFT activities?

I really aim to understand what is it they actually do in the NFT space? Are they operating an NFT marketplace for buying, selling and trading? Or do they [00:14:00] exclusively mint NFTs for commercial clients? Or are they offering their NFT services to the public? Some businesses also provide tools for clients to mint NFTs themselves, while others offer an out of the box solution without any individual involvement. And sometimes a client can even be doing all of this simultaneously. I think secondly, I'd also look to the NFT storage. So, I really like to know where they store these NFTs, whether it's on or off the chain. And I often look for those well-known sort of blockchain brand names that everyone knows, like Ethereum or Solana.

These indicators can provide insights into the trust, stability, and overall, the sustainability of the business. And I think lastly, you also need to consider the revenue generation. It's crucial to comprehend how they generate income from NFTs. Do they earn fees based on a percentage of sales, offer subscriptions to a marketplace, or do they have long term commercial arrangements [00:15:00] that span multiple years?

Understanding that revenue source is vital, especially in the context of cyber insurance. If a cyber-attack disrupts the business, it's essential to know what happens to those revenue streams and how detrimental the impact could be on the business, but ultimately on those claim costs.

Jennifer Stivrins: That's great.

Thanks for that. And we don't want to get too into the weeds on cybersecurity for NFTs as we've covered that off a bit in our prior episode, but we are interested in hearing your views on cybersecurity as it specifically impacts companies with NFT exposures.

Kieran Quigley: Yeah, so we'll try and keep this short and sweet.

Traditional cybersecurity application forms are typically a few pages long. And to be honest, they can be quite light-touch, but they were never originally designed for NFTs. They were always designed for more conventional businesses. So, for example, a common question on these forms is whether a company has any end-of-life software or systems.

So [00:16:00] if I'm looking at an NFT startup with three employees that are all using their brand-new personal Mac computers, and the rest of their business operations are hosted in the cloud or via other SaaS applications, that question just doesn't fit or make any sense. So, the current application forms can sometimes be very much a round-peg, square-hole situation.

Therefore, this means that the underwriting of NFTs often relies a lot more on open ended underwriter questions rather than simply yes or no checkboxes that we can see in generic cyber risk assessments of the Web2 world. I think as well, these NFT related companies may not have dedicated IT personnel or even experts in cyber security.

And that really poses a challenge and then to even be able to answer these application questions. I think it is important to remember that while these NFTs may seem new and technologically advanced, basic cyber security principles should not be forgotten. There's a lot of [00:17:00] excitement around NFTs, but we shouldn’t let this distract from these fundamentals.

Principles like MFA, safeguarding your crown jewel assets, continuity planning, backup and recovery, data privacy controls, and things like social engineering training, remain super relevant in the Web3 world, just as they do in the Web2. I think for NFTs specifically, it's really crucial to consider how are they stored and who has control?

Is it the insured or is it the end user? And importantly, where does liability lie should everything go wrong?

Vito John Marzano: What about contractual liability?

Is that something you have to be concerned about with companies taking on NFT risks?

Kieran Quigley: Yeah, absolutely Vito. I always ask to review a copy of the standard contract with clients. So, whether that be standard agreements for consumers or more custom contracts, their top commercial relationships. This really allows me to gauge the level of risk involved and understand the potential exposure if things go south.

I must admit [00:18:00] though, these contracts tend to heavily favor the big players like Netflix or other industry giants. So really as underwriters, it's crucial for us to grasp that language that's used in these contracts. It's no offense guys, but I have come across some rather slippery attorney language in my time.

Jennifer Stivrins: Slippery attorneys? Never!

Alice Budge: Kieran, what are the biggest issues then with these NFT submissions that you get in?

Kieran Quigley: Sure, there's definitely a few things that could put me off a risk straight away, and I would say those primarily revolve around the absence of general cybersecurity principles. So, they don't have things like employee awareness or training.

They're using their own devices but have no guidelines about what people can and can't do. They lack things like backups, content testing or planning, and they don't have good data privacy principles or access restrictions. I could go on and on, but I think these all scream to me that the business is very naive and ill-prepared, and that moral hazard of the risk is high due to cyber[security] not being really part [00:19:00] of the culture.

I think I'd also re-emphasize a point that I made earlier that these companies that attempt to operate [by doing everything] under the sun, from minting NFTs to operating marketplaces and wallet services can be a bit of a red flag. If you're a startup, you're in your first year, you don't really have much revenue, and you only have three employees, I think conquering the world and trying to do everything will be impossible.

So, whilst having that grand vision is great for the VC pitches, it's essential to keep your business model realistic, achievable, and sustainable in the underwriting world.

Jennifer Stivrins: Thanks. And again, we see you're wearing your cyber hat there. Is there anything NFT-specific that you see as the biggest risk?

Something that really gives you pause, particularly with cyber cover?

Kieran Quigley: Yeah, for sure. I think the most significant exposure with NFTs and where I'd say that potentially heavy claims environment definitely revolves around the trademark, copyright, and intellectual [00:20:00] property infringement, basically all the exciting aspects of media litigation.

Jennifer Stivrins: And you and I have very similar thoughts on whether or not media cover belongs as a non-underwritten freebie in a cyber policy, don't we?

Kieran Quigley: Indeed, we do. As a cyber underwriter, I do find the inclusion of media liability in a cyber policy a bit of a struggle. To be honest, media liability, in my opinion, doesn't align well with a cyber trigger, and it shouldn't really be part of a cyber policy.

But it's one of those coverages that got thrown in ages ago and never really left. So, I kind of like to think of media liability in cyber policies as that one relative who just won't leave your family party, despite how many times you're flicking those lights, they just don't go. So, media liability, I love it, but it really is time to go.

But I guess for now, media liability is still in many cyber policies, if not all. So, I do have to deal with it, at least for the time being. And while I [00:21:00] don't believe that media is a cyber coverage, I also think that media liability is an exposure that is much better covered by a dedicated standalone media policy.

A standalone media policy will provide far more value, far more comprehensive cover than a cyber policy ever does, or in my opinion, more importantly, ever should.

Alice Budge: I couldn't agree more with you, Kieran, and perhaps in the future episodes we can invite a lovely media underwriter along to give their thoughts on the NFT cover as well.

You mentioned earlier though the issue of valuation. That's something we've talked about in prior episodes as well. What are the issues with valuation from an underwriting standpoint?

Kieran Quigley: Indeed, the values, whether they're perceived or real, of NFTs, can be highly volatile.

It's a bit like a game of musical chairs, so it can be difficult as an underwriter to know what I'd ultimately be responsible for in the event of a claim. Is it one million dollars? Is it one dollar? It's a real challenge and I think without the metrics of agreed value or appraisal that's [00:22:00] used in other types of insurance, like fine art and specie, it becomes nearly impossible to pin this value down.

I think you mentioned, Alice, in an earlier episode that Jack Dorsey, the Twitter founder, turned his first tweet into an NFT, and this sold for multiple millions, then resold for a mere $280. I think that kind of extreme fluctuation really highlights to me the unpredictable value of NFTs and why it can be a challenge.

Alice Budge: Yeah, I think the original sale price was like $2.9 million USD and as of this summer was less than $4, which is a very bad day.

Kieran Quigley: Yeah, exactly. So, if a business is built on NFTs, then it can be very volatile. And they could make massive profits or massive losses, have huge liability or no liability. And I think also where an entity's value can change by the second, the idea of a cyber policy being live for one whole year does seem a bit of an odd paradigm.

[00:23:00] Perhaps it's also time to reconsider those conventional aspects of insurance policies, such as the policy period, as they may not seamlessly align with these emerging digital risks.

Jennifer Stivrins: Perfect. I know the London market isn't classically seen as one who likes to shake things up, but we love an out of the box thinker.

Kieran Quigley: I'm hoping to change that perception, Jenni, but absolutely. NFTs and other Web3 assets are definitely poised to continue their emergence, and I think it's really important that as underwriters we remain vigilant, stay informed, and adapt to this evolving landscape. There is undeniable potential within the Web3 space, especially in the context of NFTs.

To fundamentally transfer not only the insurance industry, but the cyber market specifically, I think as underwriters generally as we navigate a shift in terrain, it's crucial to maintain flexibility in our underwriting practices, but also by maintaining a keen focus on those underlying risks that [00:24:00] come with these new innovative technologies.

But let's not forget, it's not all doom and gloom. This is an incredibly exciting space and I think we have merely skimmed the surface of the immense potential that NFTs and digital assets hold. I do believe the future is teeming with possibilities and I can't wait to see where this NFT journey takes us.

So, I would say to everyone to keep an open mind, look out for those indicators of competence that I mentioned earlier, and don't forget the cyber basics. I believe there's plenty more to come for NFTs, so I guess watch this space.

Vito John Marzano: Okay, I never thought I'd say this, but you've convinced me, I'm ready to start underwriting.

Jennifer Stivrins: I couldn't have said it better myself. Thank you so much for coming to chat with us today. And we're really excited to see what's in store for you and your underwriting in the future.

Kieran Quigley: My pleasure, guys. It's been really fun. Thank you.

Alice Budge: Thanks, Kieran. And thanks guys for joining again. It was a very [00:25:00] exciting and positive episode today and really helped us tie together an underwriter’s viewpoint of so many of the NFT aspects and risks that we've discussed leading up to this episode.

We'll see you soon.

PLUS Staff: Thank you to our speakers for sharing their insights with PLUS and thank you to our listeners for listening to this PLUS podcast. If you have ideas for a future PLUS podcast, you can share those by completing the Content Idea Form on the PLUS website.