This post builds on our previous exploration of indemnification for smart contract risks. Today, we suggest three tools to address these risks: (1) cybersecurity insurance policies, (2) indemnification agreements with outside vendors, and (3) “make whole” agreements among the smart contract parties themselves. Collectively speaking, insurers, vendors, and other contract parties can provide the best source of indemnification, assuming that the proper contractual arrangements are put in place.
Cybersecurity Insurance Policies
Many businesses are uninsured or underinsured when it comes to cybersecurity risks, but some analysts are predicting significant growth in the next few years. The decision whether to procure coverage for a smart contract system (or expand existing coverage) depends on factors such as the industry, the type of smart contract system, and the associated risks—all of which will vary from business to business.
One issue worthy of particular attention is the employee exclusion. These exclusions in the policy language should be scrutinized to determine the level of coverage for losses caused by employee errors, which are likely to be a significant source of risk in a smart contract system.
Also, cybersecurity policies may contain contractual exclusions that essentially prevent the insured from seeking indemnification for losses that arise from its own breach of contractual obligations. Here, the issue is one of scope—it may be fine for an insurer to exclude coverage that could incentivize the insured not to perform the underlying contract, but at the same time, the insured may have a legitimate need for coverage in situations where the insured’s own contract breach results from a system malfunction or a security breach. For example, the loss of data (whether by malfunction or theft) arguably warrants coverage, even if the insured breached its own contractual obligation to keep the data secure.
Vendor Indemnification Agreements
These days, blockchain platforms and enterprise applications are readily available from a variety of vendors. Established tech giants such as IBM (through its Bluemix platform) and Microsoft (through its Azure platform) are developing ways to offer blockchain-as-a-service (BaaS) to customers, and Blockchain startups abound.
In this competitive environment, customers may be able to negotiate indemnification from their chosen vendors in the event of a smart contract system malfunction or security breach. This strategy is important when a smart contract system replaces a conventional intermediary that otherwise would have served as a source of indemnification. Examples include where a smart payment system eliminates the intermediary bank or other payment processor, or where a smart supply chain eliminates the need to outsource supply chain management functions. In all likelihood, the new smart contract system will require a new vendor agreement with its own set of warranties, disclaimers, and limitations of liability to be reviewed.
Agreements among the Parties
In the insurance industry, there is a concept called the “made whole doctrine” which essentially permits an insured to be made whole when it suffers losses above and beyond the limits of its insurance policy. Thus, if the insured suffers a $1 million dollar loss and receives half that amount from its insurer, it may seek to recover the other half from the wrongdoer before the insurer’s subrogation rights are triggered.
In the blockchain industry, there may be creative ways to permit an injured party to be “made whole.” One example is the DAO hack where the Ethereum community implemented a hard fork to return approximately 3.6 million Ether (worth around $70 million at the time) taken from the DAO. This effort to make the DAO’s investors whole was not without controversy—and led to the creation of a competing Ethereum blockchain (Ethereum classic)—but it illustrates the potential for parties to cooperate when a loss occurs.
A “make whole” agreement between the parties may be best suited for losses not covered by insurance or vendor indemnification. An example is an overpayment by a smart contract, which can be corrected if the parties have agreed to a procedure for reimbursing the injured party. The practice of reviewing prior transactions and correcting mistakes is not new to commercial dealings, but remember that smart contracts are executed by computers and code, which means that the system will need to be programmed to permit correction of mistakes. Another option is for the parties to establish a procedure that allows human beings to correct mistakes independent of the smart contract system.
Properly implemented, a smart contract system should reduce mistakes, increase efficiency, and improve the profitability of the underlying business. This article is not an argument to the contrary, but rather an acknowledgment that effective risk management is critical to the successful integration of smart contract systems into daily business operations.