What Happens If An Insured Custodian Is Hacked?
The word “insured” attached to a custodian sounds reassuring, but insurance in crypto custody rarely means what it means at a bank, and the gap between the two is where a lot of confusion starts after a breach.
The short answer
When an insured crypto custodian is hacked, the insurance policy usually covers only a defined slice of assets, up to a stated limit, and typically applies to specific causes like theft of private keys rather than every possible loss. Payouts are not instant — claims go through an investigation and adjustment process that can take months, and many policies cap total payouts well below the full value of assets held.
What “insured” actually covers
Custodian insurance policies are usually purchased from private insurers, not a government program, and they’re built more like a commercial crime or theft policy than deposit insurance. Coverage generally names specific triggers — external hacking, employee theft, or physical loss of private keys, for example — and excludes others, including client-side mistakes, phishing aimed at the end user rather than the custodian, and ordinary market losses. It’s worth understanding what private insurance on an exchange actually protects before assuming a policy covers a given scenario, since the details vary a great deal between providers.
Why coverage limits matter more than the word “insured”
- Aggregate caps. Many policies cap the total payout across all claims in a policy period, meaning a large-scale hack could exceed available coverage even if every claim is valid.
- Per-incident sublimits. Some policies apply lower limits to specific causes of loss, such as private key theft, than to the overall policy limit.
- Hot wallet vs. cold storage splits. Coverage often differs sharply between funds held in actively connected “hot” wallets and funds held offline, since hot wallets are the more common attack surface.
How a claim actually plays out
After a breach, the custodian typically has to document the incident, work with the insurer’s investigators to confirm the cause fits a covered event, and only then begin the claims process. That’s a materially different timeline from what many customers imagine — funds aren’t automatically replaced the day a hack is disclosed. Investigations into how a breach occurred, whether it matches a covered peril, and how much was actually lost can stretch on for months, and if the loss exceeds the policy’s limits, remaining customers may be paid on a pro-rata basis rather than made whole.
Why this differs from bank or brokerage protection
Crypto held with a custodian doesn’t carry FDIC insurance the way a bank deposit does, and it generally doesn’t carry SIPC coverage the way assets at a securities brokerage do, even when a policy uses the word “insured.” Those government-backed programs have statutory limits and a well-defined claims process; private crime insurance for a custodian is a commercial contract between two private parties, and its terms can be far narrower than customers assume.
The bottom line
Anyone relying on a custodian’s insurance as a safety net is generally better off reading the actual policy summary, if the custodian publishes one, rather than trusting the word “insured” alone — checking whether the policy covers external hacks specifically, what the aggregate limit is relative to total assets held, and how claims have historically played out. Custody arrangements are also shaped by how private keys are actually held and secured, since who controls the keys often determines who bears a loss first. “Insured” does not mean “made whole no matter what,” and a hack at an insured custodian can still leave account holders waiting months for a partial recovery rather than an immediate, full one.