One of the messages that Ajit Jain, chief insurance officer at Warren Buffett and Berkshire Hathaway, sent to investors during the company's annual shareholders meeting in Omaha last month was that cyber insurance, while currently profitable, still involves a lot of unknowns and risks. For Berkshire, a huge player in the insurance market, the underwriting would be quite convenient.
Jin said at the annual meeting that cyber insurance has become a “very modern product.” This has been a source of income for insurance companies, at least so far. He described current profitability as “fairly high” – at least 20% of total premiums end up in the pockets of insurers. But at Berkshire, the message being sent to agents is one of warning. The main reason is the difficulty in assessing how losses from a single event do not turn into a set of potential cyber losses. Jain gave a hypothetical example when a major cloud provider's platform “stalled.”
“This pooling potential could be huge, and the inability to have a gap in the worst case is what scares us,” he said.
“Nowhere does this kind of dilemma come into play more than the Internet,” Buffett said. “You may face a range of risks you never dreamed of, perhaps worse than an earthquake somewhere.”
Berkshire is in the cyber insurance business
Overall, while some caution on Berkshire's part is warranted, the overall state of the cybersecurity insurance market is stabilizing as it becomes profitable, industry analysts say. Gerald Glombicki, a senior director at Fitch Ratings' US Insurance Group, points out that Berkshire Hathaway is issuing cybersecurity policies despite Buffett's caution. According to Fitch's analysis, Berkshire Hathaway is the sixth largest issuer of these policies. Chubb, in which Berkshire recently revealed a major investment, and AIG, are the largest companies.
“Right now, (cybersecurity insurance) is still a viable business model for many insurers,” Glombicki said. It is still a small market, accounting for only one percent of all policies issued, according to Glombicki. Because cybersecurity businesses are so small, it gives insurers the freedom to implement different policies to see what works and what doesn't, without a huge amount of exposure.
Berkshire, as well as Chubb and AIG, declined to comment.
“There's an element of unpredictability that's very concerning, and I understand where (Buffett) is coming from, but I think it's really difficult to completely avoid cyber risk,” Glombicki said. However, he added, there is not yet any significant lawsuit establishing liability or testing the limits of policies, and until the courts hear some liability cases, some insurers may act more cautiously.
“It could destroy the company,” Buffett says.
Berkshire senior executives Warren Buffett (left), Greg Appel (center) and Ajit Jain (right) during Berkshire Hathaway's annual shareholders meeting in Omaha, Nebraska on May 4, 2024.
CNBC
The problem with writing many policies, even with a limit of $1 million per policy, is if “one event” turns out to affect 1,000 policies. “I've written something that we'll never get at the right price, and it could bring down the company,” Buffett said.
While some prominent leaders, such as former Homeland Security chief Michael Chertoff — who now runs a global security risk management firm — have called for government support for cybersecurity of some kind, most experts don't believe it's needed right now. As the feds look into what role they could play, intervention likely won't happen unless an accident leads to it, Glombicki says.
He added that any government intervention “would likely occur after a major and costly cyber incident.” “After September 11, the government put in place a program to confront terrorist risks. In the cyber sphere, we have not yet witnessed an attack of this scale. We are still in the stage of thinking about possible methods.”
Cyber insurance data shows growth and market confidence
While the number of cybersecurity policies being written is small now, analysts don't expect it to stay that way.
“Prices are falling, which shows stability in the market,” said Mark Friedlander, spokesman for the Insurance Information Institute. According to its data, cyber insurance premiums are expected to double over the next decade. In 2022, insurance premiums totaled $11.9 billion. Friedlander says these investments are expected to double by 2025 to $22.5 billion, then increase to $33.3 billion by 2027.
“This is clearly one of the fastest-growing insurance sectors. More companies are writing cybersecurity policies than ever before,” Friedlander said, attributing confidence among insurers to more sophisticated underwriting and price stability. He pointed to a 6% decline in cybersecurity insurance rates in the first quarter of 2024, after a 3% decline in 2024, as a clear signal that insurers are feeling more confident about jumping into the business.
“Most commercial insurance like auto, home and life insurance is increasing, so the decline is significant. It's a sign of stability and declining severity of claims,” Friedlander said.
More insurance companies are entering the market because they have the tools and data to price risks. “If you can do that at good rates, you'll write that coverage,” Friedlander said.
“You're losing money”
Buffett and his top insurance aides disagree. It's the insurance “loss cost” — what the cost of goods sold could be — that has kept Berkshire on the sidelines with a larger move toward cyber insurance. Jain said the losses had been “fairly well contained” so far — never exceeding 40 cents on the political dollar over the past four to five years — but added: “There's not enough data to be able to hang your hat and say what you want.” The real cost of loss is.”
In most cases, Berkshire agents are not encouraged to write cyber insurance, unless they need to write it to meet specific customer needs, Jain said. And even if they do, Jain leaves them with this message: “No matter how much you charge, you have to tell yourself that every time you write a cyber insurance policy, you're losing money. We can argue about how much money you're paying.” We're losing, but we should The mentality is that you're not making money from this…and then we have to go from there.”
Google Cloud says the risks are exaggerated
There is a perception that cyber risks change quickly and, therefore, are too unpredictable to be systematically underwritten, says Monica Chokray, head of business risk and insurance at Google Cloud. But she added that perception does not match reality, and that risks can largely be managed.
“We don't have the same view as Warren Buffet on this subject,” she said. In Google's view, the majority of cyber losses can be prevented or mitigated through basic cyber hygiene.
“By understanding security, you can get to a place where your controls are in a much better place, where the risks are more manageable,” Shukri said. Meanwhile, devastating attacks by nation-states fall into a separate category and have been rare. Insurance companies already protect themselves from potential risks by making exceptions for certain catastrophic events. Many cybersecurity policies have coverage exemptions for nation-state attacks.
“What they are trying to do is maintain flexibility and the ability to pay in the event of a large-scale event; what they have done to manage that is put into exceptions,” Shukri said. These exceptions include critical infrastructure, cyber warfare, and other large-scale disruptive events. .
Ambiguity and objectivity remain. What if someone is the victim of a cyberattack from a foreign-based gang that is not officially linked to a nation-state but may have received some additional logistical support? Can an insurance company invoke the nation-state exclusion? Classification of how to attribute an event is a topic of great debate among insurers, says Shaqri. “This is a major debate among insurance companies, and it is an important distinction that needs to be clarified,” Shukri said.
Some experts say it's the uncertainty surrounding industry margins that has spooked investors like Buffett and insurers like Berkshire. But so far, the business has proven to be generally sound. “It's still a viable business model for many insurers,” said Josephine Wolfe, an assistant professor of cybersecurity policy at Tufts University's Fletcher School, who has been studying the evolving market for the past several years. But she added that believing a business is viable doesn't mean things aren't constantly changing, pointing to the recent surge in ransomware over the past couple of years that has seen significant payouts by insurance companies — though it's still not particularly sufficient for businesses to succeed. Unprofitable for most exporters.
Cyber insurance helps make the entire ecosystem more secure, according to Steve Griffin, co-founder of L3 Networks, a California-based managed services provider that specializes in cybersecurity. Policies require companies to adhere to certain cyber standards to achieve coverage, and the more companies sign up for coverage, the more secure the entire system becomes. If a company knows that its claim will be denied if it does not have some basic cybersecurity safeguards in place, that serves as an incentive to put them into practice.
Berkshire believes its business will grow, but is unsure about the cost. “I think at some point it may become a huge business, but it may be associated with huge losses,” Jin said.
“I'll tell you that most people want to be into something trendy when they write insurance. The Internet is easy,” Buffett said. “You can write a lot of it. Insurance agents love it. They get a commission on every policy they write. … I would say human nature makes most insurance companies very excited and their agents will feel good. He's very enthusiastic, and he's very trendy and kind of interesting “What, as Charlie (Munger) said, might be rat poison.”
While Griffin understands Buffett's caution, he sees a generational divide over risk expectations, and is bullish on the cybersecurity insurance sector.
“Warren Buffett probably would have described cybersecurity insurance as an opportunity when he was younger,” he said.