That was one of the messages Warren Buffett and Berkshire Hathaway’s chief insurance officer Ajit Jain sent to investors at the company’s recent shareholder meeting. The argument in Omaha was that cyber insurance, while currently profitable, presents too many unknowns and risks for Berkshire, a market giant, to feel comfortable underwriting it.
Cyber insurance has become a “very trendy product,” Jain said at the annual meeting. And, at least so far, it has become a way for insurers to make money. He said the current profitability is “fairly high,” with at least 20% of total premiums going into the insurer’s pocket. But Berkshire is sending a warning message to agents. The main reason is that it’s difficult to assess whether losses from a single event can escalate into an accumulation of potential cyber losses. Jain gave the example of a major cloud provider’s platform going “down.”
“That aggregation potential could be very large and what scares us is that we can’t tolerate the worst-case gap,” he said.
“Nowhere are these dilemmas more prevalent than in cyber,” Buffett said. “Unthinkable risks are converging to create something worse than an earthquake somewhere.”
Berkshire is getting into the cyber insurance business
Industry analysts generally say Berkshire’s caution is justified to some extent, but that the cybersecurity insurance market is generally stabilizing as profits come in. And Gerald Grombicki, senior director in Fitch Ratings’ U.S. insurance group, notes that Berkshire Hathaway is writing cybersecurity insurance despite Buffett’s caution. Berkshire Hathaway is the sixth-largest company to write such insurance, according to Fitch’s analysis. Chubb, in which Berkshire recently disclosed a major investment, and AIG are the largest.
“Right now, [cybersecurity insurance] is still a viable business model for many insurance companies,” Grombicki said. The cybersecurity market is still small, accounting for just 1% of all insurance policies issued, Grombicki said. Because the cybersecurity business is so small, insurers have the freedom to implement different policies to see what works and what doesn’t without taking on too much risk.
Berkshire, Chubb and AIG declined to comment.
“There is an element of unpredictability that is very disturbing. We know where cyber risk comes from, but I think it’s really hard to completely avoid,” Grombicki said, adding that there have been no significant cases yet that would hold companies responsible for liability or test the limits of insurance policies, and some insurers may tread more cautiously until the courts hear a few liability cases.
“It could bankrupt the company,” Buffett said.
The problem with buying a lot of policies is that even with a $1 million cap per policy, “one event” turns out to affect 1,000 policies. “You’re not going to get a fair price and you’ve written a policy that could potentially bankrupt your company,” Buffett said.
Some prominent leaders, including former Secretary of Homeland Security Michael Chertoff, who now runs a global security risk management firm, have called for some kind of government cybersecurity backup, but most experts don’t think it’s needed right now. Grombicki said the federal government is considering what role it could play, but that intervention likely won’t happen until an incident occurs.
Government involvement “will probably come after a major, costly cyber incident,” he said. “After 9/11, the government developed a counterterrorism program. We haven’t seen an attack of that magnitude in the cyber world yet. We’re still in the process of considering possible responses.”
Cyber Insurance Data Shows Growth and Market Confidence
Currently, the number of cybersecurity policies being written is low, but analysts do not expect this to continue.
“Premiums are coming down, which shows the market is stabilizing,” said Mark Friedlander, a spokesman for the Insurance Information Institute. Cyber insurance premiums are expected to double over the next decade, according to the institute’s data. Total premiums in 2022 were $11.9 billion. By 2025, premiums are expected to double to $22.5 billion and grow to $33.3 billion by 2027, Friedlander said.
“This is clearly one of the fastest-growing segments of the insurance industry. More companies than ever before are buying cybersecurity insurance,” Friedlander said, attributing insurers’ confidence to more sophisticated underwriting and stabilizing premiums. He pointed to a 6% decline in cybersecurity premiums in the first quarter of 2024, following a 3% decline in 2023, as a clear sign that insurers are becoming more confident about getting into the business.
“The decline is significant because most commercial insurance, such as auto and property insurance, is on the rise. This is a sign of stabilization and declining claims,” Friedlander said.
And more insurers are entering the market because they have the tools and data to price risk. “If you can get insurance at the right rate, people are going to buy it,” Friedlander said.
“You’re losing money.”
Buffett and his top insurance executives don’t agree. One thing holding Berkshire back from moving further into cyber is the question of what the “loss cost” of the insurance, or the cost of goods sold, could be. Jain said losses have been “fairly contained” so far, never exceeding 40 cents of an insured amount over the past four or five years, but added that “we don’t have enough data to say with any confidence what the true loss cost is.”
Jain says Berkshire agents are, for the most part, encouraged to refrain from writing cyber insurance unless it’s necessary to meet a specific client’s needs. And even if they do, Jain has this message for them: “You should tell yourself that no matter how much you charge, you’re losing money every time you write a cyber insurance policy. How much you’re losing money is up for debate, but you should have the mindset that you’re not making money on it. … And go from there.”
Google Cloud says risks are overstated
There’s a perception that cyber risk is rapidly evolving and too difficult to predict to systematically underwrite, says Monica Shokrai, head of business risk and insurance at Google Cloud. But that perception doesn’t match reality, and the risks are largely manageable, she adds.
“We don’t share Warren Buffett’s views on this issue,” she said. Google’s view is that the vast majority of cyber harm can be prevented or mitigated through basic cyber hygiene.
“Understanding security gives you much better control and makes risk much more manageable,” Shokrai said. Catastrophic attacks by nation states, on the other hand, are in a different category and rare. Insurers already protect themselves against potential risks by excluding certain catastrophic events. Many cybersecurity insurance policies exclude coverage for nation-state attacks.
“What they’re trying to do is remain resilient and solvent in the event of a widespread event. What they’ve done to manage that is laid out in the exclusions,” Shokrai said, including for critical infrastructure, cyberwarfare and other events that would cause widespread disruption.
Ambiguity and subjectivity remain. What if someone is the victim of a cyberattack from a foreign-based gang that is not officially linked to a state but may have some auxiliary logistical support? Can insurers claim state immunity? Shokrai says how to classify the case is a topic of great debate among insurers. “This is a big debate among insurers. It’s an important distinction that needs to be made clear,” she said.
Some experts say it’s the ambiguity around the industry’s margins that’s scaring investors like Buffett and insurers like Berkshire. But so far, the business has proven to be healthy overall. “For many insurers, this is still a viable business model,” says Josephine Wolff, an associate professor of cybersecurity policy at the Fletcher School of Cybersecurity at Tufts University, who has been studying the evolving market for the past few years. But believing the business is viable doesn’t mean things aren’t constantly changing, she adds, pointing out that the ransomware surge of the past few years has seen insurers pay out huge amounts in damages. Notably, though, it’s not enough to make the business unprofitable for most insurers.
Cyber insurance helps make the entire ecosystem safer, says Steve Griffin, co-founder of L3 Networks, a California-based managed-services provider that specializes in cybersecurity. Insurance policies require companies to adhere to certain cyber standards to receive coverage, and the more companies that sign up for coverage, the safer the system as a whole will be. And if companies know that their claims will be denied if they don’t take basic cybersecurity measures, it gives them an incentive to take those measures.
Berkshire is confident the business will grow, but it’s unclear how much it will cost. “My guess is that at some point this business could be huge, but it could also involve huge losses,” Jain said.
“When you sell insurance, most people want to have whatever’s hot. Cyber is an easy one,” Buffett said. “You can sell a lot of it. Agents love it. They get a commission for every policy they sell. … Human nature is such that most insurance companies get very excited, and agents get very excited. It’s very hot, it’s interesting. As Charlie [Munger] would say, ‘It could be rat poison.’”
Griffin understands Buffett’s caution but sees a generational divide in risk outlook and is optimistic about the cybersecurity insurance sector.
“Maybe Warren Buffett, when he was younger, would have called cybersecurity insurance an opportunity,” he said.
Correction: Cybersecurity premiums fell 6% in the first quarter of 2024, following a 3% drop in 2023. An earlier version of this article incorrectly stated the 2023 decline.