In brief
- In their annual meeting remarks, Warren Buffett and Berkshire Hathaway’s top insurance executive, Ajit Jain, warned of “huge losses” in cybersecurity insurance.
- Buffett called the surge Charlie Munger’s “rat poison” and worried about agents signing up cyber insurance clients without actuarial data and risk assessments.
- Despite Buffett’s criticism, Fitch Ratings ranks Berkshire Hathaway as the sixth-largest cybersecurity policy issuer in the U.S., although cyber insurance is still a small but rising market, accounting for only 1% of all policies.

During the recent annual shareholder meeting in Omaha, Warren Buffett and Berkshire Hathaway’s top insurance executive, Ajit Jain, emphasised the cautious approach towards cyber insurance. They acknowledged that although it is currently profitable, the complexities and uncertainties associated with cyber insurance make Berkshire, a major player in the insurance market, hesitant to fully embrace underwriting in this area.
Cyber insurance has gained significant popularity in recent times, as highlighted by Jain during the annual meeting. And it has proven to be a profitable venture for insurers, at least so far. He characterised the current profitability as “quite high,” with insurers pocketing at least 20% of the total premium. However, at Berkshire, agents are being advised to proceed with caution. One of the main challenges is determining how to prevent losses from a single incident from escalating into a series of potential cyber losses. Jain provided an illustrative example of a situation where a prominent cloud provider’s platform experiences a complete halt.
“The potential for aggregation in this case is significant, and the lack of a worst-case scenario plan is a major concern,” he expressed.
“There’s no place where that kind of dilemma is more prevalent than in the realm of cybersecurity,” Buffett remarked. There is a possibility of encountering a multitude of risks that one may not have anticipated, potentially surpassing the impact of a localised earthquake.
Berkshire operates in the cyber insurance industry.
According to industry analysts, there is a growing consensus that the cybersecurity insurance marketplace is stabilising and becoming profitable. While Berkshire’s caution is understandable, it is important to note that the overall state of the industry is improving. Additionally, Gerald Glombicki, a senior director in Fitch Ratings’ U.S. insurance group, highlights the fact that Berkshire Hathaway is actively issuing cybersecurity policies, despite Warren Buffett’s initial reservations. Based on Fitch’s analysis, Berkshire Hathaway ranks as the sixth-largest issuer of these policies. Chubb and AIG are the largest, and Berkshire recently disclosed a significant investment in Chubb.
“Currently, cybersecurity insurance remains a profitable business model for numerous insurers,” Glombicki stated. According to Glombicki, the market is still relatively small, accounting for just one percent of all policies issued. Due to the relatively small size of the cybersecurity industry, insurance companies have the flexibility to experiment with different policies and assess their effectiveness without significant risk.
Berkshire, Chubb, and AIG have chosen not to provide any comments.
“There is a certain level of uncertainty that can be quite unsettling, and I empathise with [Buffett]’s perspective. However, completely eliminating cyber risk is an extremely challenging task,” expressed Glombicki. However, he mentioned that there hasn’t been any notable legal action that determines responsibility or challenges the limits of the policies. As a result, some insurers may exercise more caution until the courts address such cases.
Potentially catastrophic for the organisation, Buffett states
One issue that arises when writing numerous policies, even with a $1 million limit per policy, is the potential impact of a “single event” on a thousand policies. Buffett expressed concern about the potential financial impact of the written content, emphasising the need for a more favourable valuation and the potential risks it poses to the company.
While some prominent figures, such as former Homeland Security chief Michael Chertoff, who currently heads a global security risk management firm, have advocated for a government cybersecurity backstop, most experts do not currently see it as necessary. According to Glombicki, the federal authorities are currently considering their potential involvement, but it is unlikely that they will take action unless there is a specific incident that prompts them to do so.
According to the expert, government intervention is likely to occur only in the aftermath of a significant and costly cyber incident. Following the events of September 11, the government established a comprehensive programme to address the risks posed by terrorists. In the realm of cybersecurity, attacks of such magnitude have yet to be witnessed. We are currently in the brainstorming phase, considering various approaches.
Market confidence and growth are seen in cyber insurance data.
Analysts anticipate a significant increase in the number of cybersecurity policies being written in the near future.
“Rates are declining, indicating a sense of stability in the market,” stated Mark Friedlander, a spokesperson for the Insurance Information Institute. Based on the available data, it is projected that cyber premiums will experience a significant increase over the next ten years. In 2022, the total premiums amounted to $11.9 billion. According to Friedlander, the projected figures for 2025 are set to double, reaching $22.5 billion, and are expected to further increase to $33.3 billion by 2027.
This segment of insurance is experiencing rapid growth. There has been a significant increase in the number of companies implementing cybersecurity policies. This can be attributed to the growing confidence among insurers, who have become more adept at assessing risks and stabilising rates. He emphasised that there was a 6% decrease in cybersecurity insurance rates in the first quarter of 2024, which came after a 3% decrease in 2024. This indicates that insurers are becoming more confident in entering the business.
Financial losses are occurring.
Buffett and his top insurance lieutenant have differing opinions. The insurance “loss cost” is a crucial factor that has Berkshire considering its options before making a significant expansion into the realm of cyber insurance. Jain stated that losses have been relatively controlled so far, not surpassing 40 cents on the policy dollar in the past four to five years. However, he also mentioned that there is insufficient data to accurately determine the true loss cost.
Jain mentioned that typically, agents at Berkshire are not inclined to write cyber insurance unless it is necessary to meet specific client requirements. Furthermore, Jain emphasises the importance of recognising that every time a cyber insurance policy is written, it results in a financial loss, regardless of the amount charged. We can discuss the financial implications, but it is important to adopt the perspective that this is not a profitable endeavour. And then we can proceed accordingly.
Google Cloud says the concerns are being exaggerated.
According to Monica Shokrai, head of business risk and insurance at Google Cloud, there is a common belief that cyber risk is constantly evolving and difficult to predict, making it challenging to underwrite in a consistent manner. However, she emphasised that the common perception does not align with the actual facts and that the potential risks can be effectively mitigated.
“Our perspective differs from that of Warren Buffett,” she stated. According to Google, most cyber losses can be avoided or reduced by practicing basic cyber hygiene.
According to Shokrai, having a solid grasp of security allows for improved control and better risk management. Devastating attacks from nation-states, on the other hand, are in a distinct category and have been infrequent. Insurers are proactively safeguarding themselves against potential risk by implementing exclusions for specific catastrophic events. Several cybersecurity policies include coverage exemptions for attacks carried out by nation-states.
“Their objective is to ensure their resilience and financial stability in the face of a potential large-scale event. To achieve this, they have implemented exclusions,” Shokrai explained. These exclusions encompass critical infrastructure, cyber warfare, and other types of widespread disruptive events.
There are still some uncertainties and subjective aspects that need to be addressed. Imagine a scenario where an individual falls prey to a cyberattack orchestrated by a non-affiliated group with potential external assistance. Is it possible for an insurance company to invoke a nation-state exclusion? Shokrai highlights the ongoing debate among insurance companies regarding the categorization and attribution of events. “That is a significant debate among insurance companies; it is a crucial distinction that requires clarity,” Shokrai stated.
According to some industry insiders, the lack of clarity regarding the industry’s profit margins is causing concern among investors like Buffett and insurance companies such as Berkshire. However, thus far, the business has demonstrated overall stability and success. “It remains a viable business model for many insurers,” commented Josephine Wolff, an associate professor of cybersecurity policy at The Fletcher School at Tufts University. She has extensively researched the evolving market for several years. However, it should be noted that even if one believes the business is viable, it is important to recognise that things are constantly evolving. A prime example of this is the recent surge in ransomware attacks, which have resulted in significant payouts by insurance companies. It is worth mentioning that these payouts have not yet reached a level that would render the business unprofitable for most issuers.
According to Steve Gryphon, co-founder of L3 Networks, a California-based managed services provider specialising in cybersecurity, cyber insurance plays a crucial role in enhancing the overall safety of the ecosystem. Companies must comply with specific cyber standards in order to obtain coverage, and when more businesses enrol in coverage, the overall system becomes more secure. Furthermore, businesses are motivated to implement basic cybersecurity safeguards when they become aware that failure to do so will result in claim denial.
Berkshire is confident in the potential growth of the business but remains uncertain about the associated costs. “In my opinion, it has the potential to become a significant business in the future, but there is also a risk of incurring substantial losses,” Jain expressed.
It’s common for people to gravitate towards trendy insurance options. “And cybersecurity is a straightforward matter,” Buffett stated. You have the ability to write a significant amount of it. The agents are quite fond of it. They receive a commission for every policy they write. In my opinion, the enthusiasm of insurance companies and their agents towards certain trends is quite remarkable. It’s a popular and intriguing topic, which can be quite fascinating. As Charlie Munger would put it, it might have some negative consequences.
Gryphon acknowledges Buffett’s cautious stance, but he observes a difference in risk perception between generations and remains hopeful about the cybersecurity insurance industry.
“Cybersecurity insurance could have been seen as a lucrative opportunity by someone like Warren Buffett in his younger days,” he remarked.
Source: CNBC News

