Buffett expresses concern over potential significant losses in the rapidly growing yet small insurance industry.

• In an annual meeting, Ajit Jain, the top insurance executive of Warren Buffett and Berkshire Hathaway, cautioned about the possibility of significant losses in the cybersecurity insurance sector.
• Charlie Munger's "rat poison" phrase was used by Buffett to express concern about agents hastily signing up cyber insurance clients without proper actuarial data and risk analysis.
• Although Buffett criticized cybersecurity policies, Berkshire Hathaway ranks sixth in the US for issuing such policies, according to Fitch Ratings, but the market is still small and growing rapidly, accounting for only 1% of all policies written.

During Berkshire Hathaway's annual shareholder meeting in Omaha last month, Ajit Jain, the company's top insurance executive and a message bearer for Warren Buffett, conveyed to investors that cyber insurance, despite its current profitability, still harbors too many uncertainties and risks for Berkshire, a dominant player in the insurance industry, to fully embrace underwriting.

Cyber insurance has gained popularity as a fashionable product, with insurers profiting from it, at least up until now. Jain stated at the annual meeting that current profitability is high, with at least 20% of the total premium going to insurers. However, at Berkshire, agents are being cautioned about cyber insurance due to the difficulty in assessing potential losses from a single occurrence that could lead to an aggregation of potential cyber losses. Jain gave an example of a major cloud provider's platform coming to a standstill as a hypothetical scenario.

Not being able to have a worst-case gap on the aggregation potential is what scares us, he said.

"Buffett stated that no place experiences a dilemma like the one found in cybersecurity, where risks can accumulate and be even more severe than a natural disaster."

Berkshire is in the cyber insurance business

While some caution from industry analysts is justified, the cybersecurity insurance marketplace is stabilizing and becoming profitable. Despite Buffett's caution, Berkshire Hathaway is issuing cybersecurity policies, as pointed out by Gerald Glombicki, a senior director in Fitch Rating's U.S. insurance group. Fitch's analysis shows that Berkshire Hathaway is the sixth-largest issuer of cybersecurity policies, with Chubb and AIG being the largest.

Cybersecurity insurance remains a viable business model for many insurers, although it is still a small market, accounting for only one percent of all policies issued, according to Glombicki. The small size of the cybersecurity business allows insurance companies to experiment with different policies without significant exposure.

Berkshire, as well as Chubb and AIG, declined to comment.

Glombicki acknowledged the unpredictability of cyber risk, which he found unsettling, and understood Buffett's perspective. However, he believed it was challenging to completely avoid cyber risk. Although there had been no significant litigation assigning culpability or testing policy boundaries, insurers might proceed more cautiously until the courts heard some culpability cases.

'Could break the company' Buffett says

Buffett stated that writing numerous policies, even with a $1 million limit per policy, poses a problem if a "single event" affects 1,000 policies. This could result in the company being overcharged and potentially breaking.

While some notable leaders, such as former Homeland Security chief Michael Chertoff, have called for a government cybersecurity backstop, most experts believe it is not necessary at this time. Glombicki states that while the federal government is considering its role, intervention is unlikely to occur until a prompting incident arises.

The government's involvement in cybersecurity is likely to occur following a significant and costly cyber-incident, according to the expert. After the September 11 attacks, the government established a terrorist risk program. However, we have not yet experienced a cyber attack of that magnitude. We are still in the early stages of considering potential strategies.

Cyber insurance data shows growth and market confidence

The number of cybersecurity policies being written is currently low, but analysts predict it will increase in the future.

Mark Friedlander, a spokesman for the Insurance Information Institute, stated that rates are declining, indicating stability in the market. According to its data, cyber premiums are predicted to double over the next decade. In 2022, premiums totaled $11.9 billion. By 2025, Friedlander predicts that they will double to $22.5 billion and increase to $33.3 billion by 2027.

The cybersecurity insurance industry is experiencing rapid growth, with an increasing number of companies offering policies. Friedlander attributes this confidence among insurers to advanced underwriting techniques and stable rates. He noted a 6% decline in cybersecurity insurance rates in the first quarter of 2024, following a 3% decline in 2024, as a clear indication of insurers' growing confidence in the industry.

Commercial insurance, including auto, home, and life insurance, have been increasing, so the decline is significant. This indicates stability and a decrease in claims severity, according to Friedlander.

"If you can price the risk at competitive rates, you will secure that coverage," Friedlander said.

'You're losing money'

Berkshire Hathaway and its top insurance executive disagree on the potential cost of goods sold for cyber insurance. Jain stated that losses have been contained to 40 cents on the policy dollar over the past four to five years, but there isn't enough data to accurately determine the true cost of cyber insurance.

Jain advised that agents from Berkshire are generally discouraged from writing cyber insurance unless it is necessary to meet specific client requirements. Even if they do write it, Jain emphasizes that they should view each policy as a loss, regardless of the price they charge. The mindset should be that they are not making money on it, and they should then proceed accordingly.

Google Cloud says the risks are being overstated

Monica Shokrai, head of business risk and insurance at Google Cloud, stated that the perception of cyber risk being rapidly changing and unpredictable is not accurate. She emphasized that the risk can largely be managed.

"We differ from Warren Buffet's perspective on the topic," she stated.

"By comprehending security, you can improve your controls and manage risk more effectively," Shokrai stated. While devastating attacks from nation-states are a separate category and have been infrequent, insurers are already taking steps to protect themselves from potential risk by excluding coverage for certain catastrophic events. Many cybersecurity policies include exemptions for nation-state attacks.

Shokrai stated that their goal is to remain resilient and solvent during a widespread event, and they have implemented exclusions to manage this, which include critical infrastructure, cyber war, and other widespread disruptive events.

Can an insurance company exclude coverage for a cyberattack perpetrated by a foreign-based gang that may have received some ancillary logistical support, even if it is not officially tied to a nation-state? According to Shokrai, the topic of how to attribute an event is a significant debate among insurance companies, and clarity is necessary.

The ambiguity surrounding the insurance industry's margins has caused concern among investors like Buffett and insurance players like Berkshire. However, the business has proven to be sound overall, and experts believe it is still a viable business model for many insurers. Josephine Wolff, an associate professor of cybersecurity policy at The Fletcher School at Tufts University, who has been studying the evolving market for the past several years, said that while the business is viable, things are constantly changing. She pointed to the recent ransomware surge over the past couple of years that saw large payouts by insurance companies, though notably still not enough to make the business unprofitable for most issuers.

Cyber insurance enhances the safety of the entire ecosystem, as per Steve Griffin, co-founder of L3 Networks, a California-based managed services provider that specializes in cybersecurity. Policies necessitate companies to adhere to specific cyber standards to obtain coverage, and the more businesses that subscribe to insurance, the safer the entire system becomes. Moreover, if a business knows they'll be denied a claim if they don't have some basic cybersecurity safeguards in place, that serves as an impetus to implement them.

Jain stated that while Berkshire believes the business will grow, it is uncertain about the cost. He said, "My prediction is that at some point it could become a massive business, but it may also be linked to significant losses."

"Buffett stated that most people desire to be associated with fashionable insurance when writing policies, and cyber is an effortless issue to address. Agents enjoy it because it allows them to earn commissions on every policy they write. Buffett added that human nature drives insurance companies and agents to become excited about new trends, which can be both fascinating and potentially harmful, as Charlie Munger would say."

Although Griffin comprehends Buffett's warning, he perceives a generational difference in risk perception, and is hopeful about the future of the cybersecurity insurance industry.

"Warren Buffet likely viewed cybersecurity insurance as an opportunity when he was younger," he stated.