January 3, 2025

Buffett and Ajit Jain explain why they're staying away from the hot cybersecurity insurance industry

One of the messages Warren Buffett and Berkshire Hathaway’s top insurance executive Ajit Jain sent to investors during the company’s annual shareholder meeting, held in Omaha last month, was that although cyber insurance is currently profitable, there are still too many unknowns and risks for insurance market giant Berkshire Hathaway to underwrite it with complete confidence.

Jain said at the annual meeting that cyber insurance has become “a very fashionable product.” At least until now, it has been a moneymaker for insurance companies. He described current profitability as “pretty high,” with at least 20% of total premiums ending up in the pockets of insurance companies. But at Berkshire, the message to agents is one of caution. The main reason is the difficulty of making sure that damage from a single incident does not spiral into an aggregation of potential cyber losses. Jain gave a hypothetical example of when a major cloud provider’s platform “stagnates.”

“The aggregation potential could be huge, and the worst-case disparity scares us,” he said.

“Nowhere is it easier to get caught up in this than on the Internet,” Buffett said. “You could have a gathering of risks you never dreamed of, and it could even be worse than an earthquake somewhere.”

Berkshire enters cyber insurance business

Industry analysts generally say that while some of Berkshire’s caution is warranted, the overall situation in the cybersecurity insurance market is stabilizing as it begins to profit. Gerald Glombicki, senior director of Fitch Ratings’ U.S. insurance group, pointed out that despite Buffett’s caution, Berkshire Hathaway is still issuing cybersecurity policies. Berkshire Hathaway is the sixth-largest issuer of such policies, according to Fitch’s analysis. Berkshire recently disclosed a large investment in Chubb, with AIG being the largest investment.

“Right now (cybersecurity insurance) is still a viable business model for many insurance companies,” Glombicki said. According to Glombicki, this is still a small market, accounting for only one percent of all policies issued. Because the cybersecurity business is so small, insurance companies have the freedom to implement a variety of policies to see what works and what doesn’t without taking on a lot of risk.

Berkshire Hathaway, Chubb and AIG declined to comment.

“The element of unpredictability is very unsettling, and I understand where (Buffett) is coming from, but I think it’s really hard to completely avoid cyber risk,” Glombicki said, adding that there have been no major lawsuits yet to determine liability or test the boundaries of a policy, and that until some liability cases are heard in the courts, some insurers may proceed with more caution.

Buffett says ‘it could destroy the company’

Berkshire Hathaway executives Warren Buffett (left), Greg Abel (center) and Ajit Jain (right) at Berkshire Hathaway’s annual shareholder meeting on May 4, 2024 in Omaha, Nebraska.

CNBC

Even with a limit of $1 million per policy, the problem with writing many policies is whether a “single event” affects 1,000 policies. “There’s no way we can get the right price for what you’re writing, and it could destroy the company,” Buffett said.

While some prominent leaders, such as former Homeland Security Secretary Michael Chertoff, who now runs a global security risk management firm, have called for some form of government cybersecurity support, most experts believe it is not necessary yet. Glombicki said that while the federal government is looking at what role they could play, intervention may not happen until an incident prompts it.

He said any government intervention “could come after a large and costly cyber incident.” “After September 11, the government developed a terrorist risk plan. On the cyber side, we have not seen an attack of this scale. We are still in the stage of considering possible approaches.”

Cyber insurance data shows growth and market confidence

While the number of cybersecurity policies currently being written is small, analysts do not expect it to stay that way.

“Rates are falling, which indicates a stable market,” said Mark Friedlander, a spokesman for the Insurance Information Institute, which says cyber premiums are expected to double over the next decade. In 2022, premiums totaled $11.9 billion. That number is expected to double to $22.5 billion by 2025 and rise to $33.3 billion by 2027, Friedlander said.

“This is clearly one of the fastest-growing areas of insurance. More and more companies are writing cyber security policies,” Friedlander said. He attributed insurers’ confidence to more sophisticated underwriting and stable rates. He pointed out that the 6% drop in cybersecurity insurance rates in the first quarter of 2024, following a 3% drop in 2024, is a clear signal that insurance companies are more confident about entering the industry.

“Most commercial lines like auto, homeowners and life insurance are increasing, so the declines are significant. That’s a sign of stability and declining claim severity,” Friedlander said.

More and more insurance companies are entering the market because they have the tools and data to price risk. “If you can do it at a reasonable pace, you’re going to write stories like this,” Friedlander said.

“You are losing money”

Buffett and his top insurance lieutenants disagree. It’s the “cost of loss” of insurance, how much it might cost to sell goods, that has Berkshire Hathaway on the fence about bigger moves in cyber insurance. Jain said losses so far have been “pretty well contained,” no more than 40 cents on the policy value in the past four to five years, but added, “There’s not enough data to allow you to say for sure. What is your loss?”

Jain said that in most cases, Berkshire discourages agents from writing cyber insurance unless they need it to meet a specific client need. Even if they do, Jain leaves them with this message: “No matter how much you charge, you should tell yourself that every time you write a cyber insurance policy, you will lose money. We can argue how much did you spend.”

Google Cloud says risks are exaggerated

Monica Shokrai, head of business risk and insurance at Google Cloud, said cyber risks are believed to be changing rapidly and are therefore difficult to predict and underwrite in a systematic way. But she added that this perception was inconsistent with reality and that the risks were largely manageable.

“Our views on this subject differ from Warren Buffett’s,” she said. Google believes that most cyber losses can be prevented or mitigated through basic cyber hygiene.

“By understanding security, you can better control risk and make it easier to control risk,” Shokrai said. Meanwhile, destructive attacks from nation-states are in a separate category and are rare. Insurers already try to avoid potential risks by excluding certain catastrophic events. Many cybersecurity policies exclude nation-state attacks.

“What they are trying to do is remain resilient and solvent in the event of widespread events; their efforts to manage are excluded, including critical infrastructure, cyber warfare and other widespread disruptive events,” Shokrai said.

Ambiguity and subjectivity remain. What if someone is the victim of a cyber attack by a foreign group that has no formal ties to a nation-state but may have received some ancillary logistical support? Can an insurance company invoke the nation-state exclusion? Shokrai said how to classify incidents is the most debated topic among insurance companies. “This is a big debate among insurance companies; it’s an important distinction to make,” Shokrai said.

Some experts say it’s the ambiguity about the industry’s profit margins that spooks investors like Buffett and insurance companies like Berkshire Hathaway. But so far, the business is proving generally good. “This is still a viable business model for many insurance companies,” said Josephine Wolff, associate professor of cybersecurity policy at Tufts University’s Fletcher School, who has been studying the changing market over the past few years. But she added that believing the business is viable doesn’t mean things aren’t constantly changing, noting that ransomware has proliferated over the past few years and insurance companies have paid out huge sums, though it’s worth noting that’s still not enough. Make this business grow.

Steve Griffin, co-founder of L3 Networks, a California-based managed services provider that specializes in cybersecurity, said cyber insurance can help improve the security of the entire ecosystem. Policies require companies to adhere to certain cyber standards to gain coverage, and the more businesses that sign up for coverage, the more secure the entire system becomes. If businesses know that their claims will be denied unless they take some basic cyber security measures, this can create an incentive to take these steps.

Berkshire does believe the business will grow, it just isn’t sure at what cost. “My guess is that at some point it could become a huge business, but it could come with huge losses,” Jain said.

“I will tell you, most people want to pick whatever is popular when it comes to insurance. And the Internet is a simple matter,” Buffett said. “You can write a lot. Agents love it. They get a commission on every policy they write…I would say, human nature being what it is, most insurance companies get very excited about their agents. People also get really excited about it, and it’s trendy and fun, and as Charlie (Munger) said, it’s probably rat poison.”

While Griffin understands Buffett’s caution, he sees a generational divide in the risk landscape and is optimistic about the cybersecurity insurance industry.

“When Buffett was younger, he probably thought cyber security insurance was an opportunity,” he said.
