Warren Buffett worries about ‘huge losses’ in booming insurance market

One of the messages that Warren Buffett and Ajit Jain, Berkshire Hathaway’s chief insurance officer, sent to investors at the company’s recent annual shareholder meeting in Omaha was that cyber insurance, while currently profitable, still involves too many unknowns and risks for Berkshire, a huge player in the insurance market, to be fully comfortable underwriting.

Cyber ​​insurance has become “a very fashionable product,” Jain said at the annual meeting. And that has been a source of revenue for insurers, at least until now. He described current profitability as “quite high”: at least 20% of the total premium ends up in the pockets of insurers. But at Berkshire, the message sent to officers is one of caution. One of the main reasons is the difficulty in assessing how losses from a single event do not turn into an aggregation of potential cyber losses. Jain gave the hypothetical example of a time when a large cloud provider’s platform “goes down.”

“This potential for aggregation can be enormous, and what scares us is not being able to create a gap in the worst case scenario,” he said.

“There is no other area where this kind of dilemma comes into play than in cyberspace,” Buffett said. “You could face an aggregation of risks you never dreamed of, and perhaps worse than an earthquake happening somewhere.”

Berkshire is active in the cyber insurance sector

Industry analysts generally say that while Berkshire’s caution is warranted, the overall state of the cybersecurity insurance market is stabilizing as it becomes profitable. And Gerald Glombicki, senior director of Fitch Rating’s U.S. insurance group, points out that Berkshire Hathaway is publishing cybersecurity policies despite Buffett’s caution. Berkshire Hathaway is the sixth-largest issuer of such insurance policies, according to Fitch’s analysis. Chubb, in which Berkshire recently revealed a significant investment, and AIG are the largest.

“Right now (cybersecurity insurance) remains a viable business model for many insurers,” Glombicki said. It’s still a tiny market, accounting for just one percent of all policies issued, according to Glombicki. Because the cybersecurity industry is so small, it gives insurance companies plenty of room to implement various policies to see what works and what doesn’t, without huge exposure.

Berkshire, along with Chubb and AIG, declined to comment.

“There is an element of unpredictability that is very unsettling, and I understand where Buffett is coming from, but I think it’s really difficult to completely avoid cyber risk,” Glombicki said. He added, however, that there has still been no significant litigation that assigns culpability or tests policy limits, and that until the courts hear some culpability cases, some insurers may proceed with more caution.

“Could break the business,” says Buffett

The problem with writing many policies, even with a limit of $1 million per policy, is that a “single event” turns out to affect 1,000 policies. “You wrote something that we are in no way getting the appropriate price for and that could cause the company to fail,” Buffett said.

While some notable leaders, like former Homeland Security chief Michael Chertoff — who now runs a global security risk management firm — have called for some sort of government cybersecurity safety net, most experts don’t think this is necessary at the moment. Glombicki says that even as federal authorities consider what role they can play, intervention likely won’t happen until an incident triggers it.

Any government involvement “is likely to happen after a significant and costly cyber incident,” he said. “After September 11, the government implemented a terrorist risk program. In cyberspace, we have not yet seen an attack of this magnitude. We are still at the stage of considering possible approaches. “

Cyber ​​Insurance Data Shows Market Growth and Confidence

Although the number of cybersecurity policies being developed is now small, analysts don’t expect it to stay that way.

“Rates are falling, which shows stability in the market,” said Mark Friedlander, a spokesman for the Insurance Information Institute. According to its data, cyber bonuses are expected to double over the next decade. In 2022, premiums totaled $11.9 billion. According to Friedlander, they are expected to double to $22.5 billion by 2025 and reach $33.3 billion by 2027.

“This is clearly one of the fastest growing segments of insurance. More and more companies are writing cybersecurity policies like never before,” Friedlander said, crediting insurers’ confidence more sophisticated underwriting and price stabilization. He cited a 6% drop in cybersecurity insurance rates in the first quarter of 2024, following a 3% drop in 2024, as a clear signal that insurers are feeling more confident about jumping into this sector.

“Most commercial insurance like auto, home and life insurance have all increased, so the decline is significant. It’s a sign of stability and a decrease in the severity of claims,” ​​Friedlander said.

And more and more insurers are entering the market because they have the tools and data to assess risk. “If you can do it at reasonable rates, you’ll write that coverage,” Friedlander said.

“You are losing money”

Buffett and his top insurance lieutenant disagree. It’s the “loss cost” of insurance – what the cost of goods sold could potentially be – that puts Berkshire on the cusp of moving more into cyber insurance. Jain said losses have been “fairly well contained” so far – not exceeding 40 cents on the political dollar over the past four to five years – but he added: “there is not enough of data so you can hang your hat and say what you’re doing. the true cost of the loss is.”

Jain said that in most cases, Berkshire agents are discouraged from purchasing cyber insurance unless they need to purchase it to satisfy specific client needs. And even if they do, Jain leaves them this message: “No matter how much you charge, you have to realize that every time you take out a cyber insurance policy, you are losing money. We can discuss of the amount you spend. “You lose, but the mindset should be that you’re not making money from this…And then we should go from there.”

Google Cloud says risks are overestimated

There is a perception that cyber risks evolve quickly and are therefore too unpredictable to be underwritten systematically, says Monica Shokrai, head of commercial risk and insurance at Google Cloud. But she added that this perception does not correspond to reality and that the risk can be largely managed.

“We don’t have the same view as Warren Buffet on the subject,” she said. According to Google, the majority of cyber losses can be avoided or mitigated with basic cyber hygiene.

“By understanding security, you can get to a place where your controls are much better, where the risk is more manageable,” Shokrai said. Devastating attacks from nation-states, however, are in a league of their own and have been rare. Insurers already protect themselves against potential risks by excluding certain catastrophic events. Many cybersecurity policies provide coverage exemptions for attacks against nation states.

“What they’re trying to do is remain resilient and solvent in the event of a widespread event; what they’ve done to manage that is put into exclusions,” Shokrai said, and those include infrastructure criticism, cyber warfare and other widespread disruptive events. .

Ambiguities and subjectivities remain. What happens if someone is the victim of a cyberattack perpetrated by a foreign-based gang that is not officially linked to a nation-state but may have received ancillary logistical support? Can an insurance company claim a nation state exclusion? Shokrai says the categorization of how to attribute an event is the subject of much debate among insurance companies. “It’s a big debate among insurance companies; it’s an important distinction that needs to be clarified,” Shokrai said.

Some experts say it’s the ambiguity surrounding the industry’s margins that scares investors like Buffett and insurance players like Berkshire. But so far, the company has proven to be healthy overall. “It’s still a viable business model for many insurers,” said Josephine Wolff, an associate professor of cybersecurity policy at the Fletcher School at Tufts University who has studied market developments for several years. But she added that the belief that the business is viable doesn’t mean things aren’t constantly changing, pointing to the recent wave of ransomware over the past two years that resulted in large payouts by security companies. insurance – although it is still not enough to grow the business. unprofitable for most issuers.

Cyber ​​insurance helps make the entire ecosystem more secure, according to Steve Griffin, co-founder of L3 Networks, a California-based managed services provider specializing in cybersecurity. Policies require businesses to adhere to certain cyber standards to obtain coverage, and the more coverage businesses sign up for, the more secure the entire system becomes. And if a company knows it will be denied a claim if it doesn’t have basic cybersecurity measures in place, that gives it an incentive to put them in place.

Berkshire thinks the company will grow, but it just doesn’t know at what cost. “I think at some point it could become a huge business, but it could be associated with huge losses,” Jain said.

“I can tell you that most people want to buy into whatever’s hot when they buy insurance. And cybersecurity is an easy problem,” Buffett said. “You can write a lot of them. Agents like that. They get a commission on every insurance policy they write. … I would say human nature is such that most insurance companies will be very enthusiastic and that their agents will receive very excited, and it’s very fashionable and it’s quite interesting, and as Charlie (Munger) would say, it might be rat poison.”

While Griffin understands Buffett’s caution, he sees a generational gap in risk prospects and is optimistic about the cybersecurity insurance industry.

“It’s likely that Warren Buffet would have viewed cybersecurity insurance as an opportunity when he was younger,” he said.