Warren Buffett is worried about potential for ‘huge losses’ in booming, but still tiny insurance market
One of the messages that Warren Buffett and Berkshire Hathaway’s top insurance executive, Ajit Jain, sent to investors during the company’s annual shareholder meeting in Omaha last month was that cyber insurance, while currently profitable, still has too many unknowns and risks for Berkshire, a huge player in the insurance market, to be fully comfortable underwriting.
Cyber insurance has become “a very fashionable product,” Jain said at the annual meeting. And it’s been a money maker for insurers, at least to date. He described current profitability as “fairly high” — at least 20% of the total premium ending up in the pockets of insurers. But at Berkshire, the message being sent to agents is one of caution. A primary reason is the difficulty in assessing how losses from a single occurrence don’t spiral into an aggregation of potential cyber losses. Jain gave the hypothetical example of when a major cloud provider’s platform “comes to a standstill.”
“That aggregation potential can be huge, and not being able to have a worst-case gap on it is what scares us,” he said.
“There’s no place where that kind of a dilemma enters into more than cyber,” Buffett said. “You may get an aggregation of risks that you never dreamt of, and maybe worse than some earthquake happening someplace.”
Berkshire is in the cyber insurance business
Industry analysts generally say while some of Berkshire’s caution is warranted, the general state of the cybersecurity insurance marketplace is stabilizing as it becomes profitable. And Gerald Glombicki, a senior director in Fitch Rating’s U.S. insurance group, points out that Berkshire Hathaway is issuing cybersecurity policies despite Buffett’s caution. According to Fitch’s analysis, Berkshire Hathaway is the sixth-largest issuer of such policies. Chubb, which Berkshire recently revealed a big investment in, and AIG are the largest.
“Right now [cybersecurity insurance] is still a viable business model for many insurers,” Glombicki said. It is still a tiny market, representing only one percent of all policies issued, according to Glombicki. Because the cybersecurity business is so small, it gives insurance companies latitude to implement various policies to see what is working, and what isn’t, without a tremendous amount of exposure.
Berkshire, as well as Chubb and AIG, declined to comment.
“There is an element of unpredictability that is very unsettling, and I understand where [Buffett] is coming from, but I think it is really hard to avoid cyber risk entirely,” Glombicki said. He added though that there has still been no significant litigation that assigns culpability or tests the boundaries of the policies, and until the courts hear some culpability cases, some insurers may proceed more cautiously.
‘Could break the company’ Buffett says
Top Berkshire executives Warren Buffett (L), Greg Abel (C) and Ajit Jain (R) during the Berkshire Hathaway Annual Shareholders Meeting in Omaha, Nebraska on May 4, 2024.
CNBC
The problem with writing many policies, even with a $1 million limit per policy, is if a “single event” turns out to affect 1,000 policies. “You’ve written something that in no way we’re getting the proper price for, and could break the company,” Buffett said.
While some notable leaders, like former Homeland Security chief Michael Chertoff — who now runs a global security risk management firm — have called for a government cybersecurity backstop of some sort, most experts don’t believe that is needed right now. Glombicki says that while the feds are looking at what role they can play, intervention likely won’t happen until an incident prompts it.
Any government involvement “will probably happen after a big, expensive cyber-incident,” he said. “After September 11, the government put together a terrorist risk program. In cyber, we have not yet seen an attack of that scale. We are still in the stage of thinking about possible approaches.”
Cyber insurance data shows growth and market confidence
While the number of cybersecurity policies being written is small now, analysts don’t expect it to stay that way.
“Rates are declining, which shows stability in the market,” said Mark Friedlander, a spokesman for the Insurance Information Institute. According to its data, cyber premiums are estimated to double over the next decade. In 2022, premiums totaled $11.9 billion. By 2025, Friedlander says, they are expected to double to $22.5 billion and increase to $33.3 billion by 2027.
“This is clearly one of the fastest-growing segments of insurance. More companies are writing cybersecurity policies than ever before,” Friedlander said, attributing confidence among insurers to more sophisticated underwriting and stabilizing rates. He cited a 6% decline in cybersecurity insurance rates in the first quarter of 2024, following a 3% decline in 2024, as a clear signal that insurers feel more confident about jumping into the business.
“Most commercial insurance like auto, home, and life insurance have all been increasing, so the decline is significant. It is a sign of stability and a decline in claims severity,” Friedlander said.
And more insurers are entering the market because they have the tools and data to price the risk. “If you can do it at sound rates, you will write that coverage,” Friedlander said.
‘You’re losing money’
Buffett and his top insurance lieutenant don’t agree. It’s the insurance “loss cost” — what the cost of goods sold could potentially be — that has Berkshire on the fence with a bigger move into cyber insurance. Jain said losses have been “fairly well contained” to date — not exceeding 40 cents on the policy dollar over the past four to five years — but he added, “there’s not enough data to be able to hang your hat on and say what your true loss cost is.”
Jain said that in most cases agents are Berkshire are discouraged from writing cyber insurance, unless they need to write it to satisfy specific client needs. And even if they do, Jain leaves them with this message: “No matter how much you charge, you should tell yourself that each time you write a cyber insurance policy, you’re losing money. We can argue about how much money you’re losing, but the mindset should be you’re not making money on it. … And then we should go from there.”
Google Cloud says the risks are being overstated
There is a perception that cyber risk is rapidly changing and, therefore, too unpredictable to underwrite in a systematic way, says Monica Shokrai, head of business risk and insurance at Google Cloud. But she added that the perception doesn’t match reality, and that the risk can largely be managed.
“We don’t hold the same view as Warren Buffet on the topic,” she said. In Google’s view, the majority of cyber losses can be prevented or mitigated through basic cyber hygiene.
“By understanding security, you can get to a place where your controls are in a much better place, where the risk is more manageable,” Shokrai said. Devastating attacks from nation-states, meanwhile, are in a separate category and have been rare. Insurers are already inoculating themselves from potential risk by making exclusions for certain catastrophic events. Many cybersecurity policies have coverage exemptions for nation-state attacks.
“What they are trying to do is remain resilient and solvent in the event of a widespread event; what they have done to manage that is put in exclusions,” Shokrai said, and those include critical infrastructure, cyber war, and other widespread disruptive events.
Ambiguities and subjectivities remain. What if someone is the victim of a cyberattack from a foreign-based gang that isn’t officially tied to a nation-state but may have received some ancillary logistical support? Can an insurance company invoke a nation-state exclusion? Shokrai says categorizing how to attribute an event is the topic of much debate between insurance companies. “That is a big debate between insurance companies; it is an important distinction that needs clarity,” Shokrai said.
Some experts say it is the ambiguity surrounding the industry’s margins that has investors like Buffett and insurance players like Berkshire spooked. But so far, the business has proven to be sound overall. “It is still a viable business model for many insurers,” said Josephine Wolff, an associate professor of cybersecurity policy at The Fletcher School at Tufts University, who has been studying the evolving market for the past several years. But she added that a belief that the business is viable doesn’t mean things are not constantly changing, pointing to the recent ransomware surge over the past couple of years that saw large payouts by insurance companies — though notably still not enough to make the business unprofitable for most issuers.
Cyber insurance helps make the entire ecosystem safer, according to Steve Griffin, co-founder of L3 Networks, a California-based managed services provider that specializes in cybersecurity. Policies require companies to adhere to certain cyber standards to attain coverage, and the more businesses that sign up for coverage, the safer the entire system becomes. And if a business knows they’ll be denied a claim if they don’t have some basic cybersecurity safeguards in place, that acts as an incentive to put them in place.
Berkshire does believe the business will grow, it just isn’t sure at what cost. “My guess is at some point it might become a huge business, but it might be associated with huge losses,” Jain said.
“I will tell you that most people want to be in anything that’s fashionable when they write insurance. And cyber’s an easy issue,” Buffett said. “You can write a lot of it. The agents like it. They’re getting the commission on every policy they write. … I would say that human nature is such that most insurance companies will get very excited and their agents will get very excited, and it’s very fashionable and it’s kind of interesting, and as Charlie [Munger] would say, it may be rat poison.”
While Griffin understands Buffett’s caution, he sees a generational divide over the risk outlook, and is optimistic about the cybersecurity insurance sector.
“Probably Warren Buffet would have called cybersecurity insurance an opportunity when he was younger,” he said.
Dado Ruvic | Reuters
If TikTok does indeed go dark on Sunday for Americans, there may be a tool for them to continue accessing the popular social app: VPNs.
The Chinese-owned app is set to be removed from mobile app stores and the web for U.S. users on Sunday as a result of a law signed by President Joe Biden in April 2024 requiring that the app be sold to a qualified buyer before the deadline.
Barring a last-minute sale or reprieve from the Supreme Court, the app will almost certainly vanish from the app stores for iPhones and Android phones. It won’t be removed from people’s phones, but the app could stop working.
TikTok plans to shut its service for Americans on Sunday, meaning that even those who already have the app downloaded won’t be able to continue using it, according to reports this week from Reuters and The Information. Apple and Google didn’t comment on their plans for taking down the apps from their app stores on Sunday.
“Basically, an app or a website can check where users came from,” said Justas Palekas, a head of product at IProyal.com, a proxy service. “Based on that, then they can impose restrictions based on their location.”
Masking your physical internet access point
That may stop most users, but for the particularly driven Americans, using VPNs might allow them to continue using the app.
VPNs and a related business-to-business technology called proxies work by tunneling a user’s internet traffic through a server in another country, making it look like they are accessing the internet from a location different than the one they are physically in.
This works because every time a computer connects to the internet, it is identified through an IP number, which is a 12-digit number that is different for every single computer. The first six digits of the number identifies the network, which also includes information about the physical region the request came from.
In China, people have used VPNs for years to get around the country’s firewall, which blocks U.S. websites such as Google and Facebook. VPNs saw big spikes in traffic when India banned TikTok in 2020, and people often use VPNs to watch sporting events from countries where official broadcasts aren’t available.
As of 2022, the VPN market was worth nearly $38 billion, according to the VPN Trust Initiative, a lobbying group.
“We consistently see significant spikes in VPN demand when access to online platforms is restricted, and this situation is no different,” said Lauren Hendry Parsons, privacy advocate at ExpressVPN, a VPN provider that costs $5 per month to use.
“We’re not here to endorse TikTok, but the looming U.S. ban highlights why VPNs matter— millions rely on them for secure, private, and unrestricted access to the internet,” ProtonVPN posted on social media earlier this week. ProtonVPN offers its service for $10 a month.
The price of VPNs
Both ExpressVPN and ProtonVPN allow users to set their internet-access location.
Most VPN services charge a monthly fee to pay for their servers and traffic, but some use a business model where they collect user data or traffic trends, such as when Meta offered a free VPN so it could keep an eye on which competitors’ apps were growing quickly.
A key tradeoff for those who use VPN is speed due to requests having to flow through a middleman computer to mask a users’ physical location.
And although VPNs have worked in the past when governments have banned apps, that doesn’t ensure that VPNs will work if TikTok goes dark. It won’t be clear if ExpressVPN would be able to access TikTok until after the ban takes place, Parsons told CNBC in an email. It’s also possible that TikTok may be able to determine Americans who try to use VPNs to access the app.
(L-R) Sarah Baus of Charleston, S.C., holds a sign that reads “Keep TikTok” as she and other content creators Sallye Miley of Jackson, Mississippi, and Callie Goodwin of Columbia, S.C., stand outside the U.S. Supreme Court Building as the court hears oral arguments on whether to overturn or delay a law that could lead to a ban of TikTok in the U.S., on January 10, 2025 in Washington, DC.
Andrew Harnik | Getty Images
VPNs and proxies to evade regional restrictions have been part of the internet’s landscape for decades, but their use is increasing as governments seek to ban certain services or apps.
Apps are removed by government request all the time. Nearly 1500 apps were removed in regions due to government takedown demands in 2023, according to Apple, with over 1,000 of them in China. Most of them are fringe apps that break laws such as those against gambling, or Chinese video game rules, but increasingly, countries are banning apps for national security or economic development reasons.
Now, the U.S. is poised to ban one of the most popular apps in the country — with 115 million users, it was the second most downloaded app of 2024 across both iOS and Android, according to an estimate provided to CNBC from Sensor Tower, a market intelligence firm.
“As we witness increasing attempts to fragment and censor the internet, the role of VPNs in upholding internet freedom is becoming increasingly critical,” Parsons said.
Technology
YouTube donating $15 million in LA wildfire relief, support for creators days before TikTok ban
Charred remains of buildings are pictured following the Palisades Fire in the Pacific Palisades neighborhood in Los Angeles, California, U.S. Jan. 15, 2025.
Mike Blake | Reuters
Google and YouTube will donate $15 million to support the Los Angeles community and content creators impacted by wildfires, YouTube CEO Neal Mohan announced in a blog post Wednesday.
The contributions will flow to local relief organizations including Emergency Network Los Angeles, the American Red Cross, the Center for Disaster Philanthropy and the Institute for Nonprofit News, the blog said. When the company’s LA offices can safely reopen, impacted creators will also be able to use YouTube’s production facilities “to recover and rebuild their businesses” as well as access community events.
“To all of our employees, the YouTube creator community, and everyone in LA, please stay safe and know we’re here to support,” Google CEO Sundar Pichai posted on X.
The move comes days before Sunday’s impending TikTok ban that has already seen content creators begin asking fans to follow them on other social platforms. YouTube Shorts, a short-form video platform within YouTube, is a competitor to TikTok, along with Meta’s Instagram Reels and the fast-growing Chinese app Rednote, otherwise known as Xiahongshu.
“In moments like these, we see the power of communities coming together to support each other — and the strength and resilience of the YouTube community is like no other,” Mohan wrote.
YouTube’s contributions are in line with a host of other LA companies pledging multi-million dollar donations aimed at assisting employees and residents impacted by the LA fires. Meta announced a $4 million donation split between CEO Mark Zuckerberg and the company while both Netflix and Comcast pledged $10 million donations to multiple aid groups.
Disclosure: Comcast owns NBCUniversal, the parent company of CNBC.
WATCH: TikTok: What creators would do if the short-form video app goes dark
Technology
TikTok’s U.S. operations could be worth as much as $50 billion if ByteDance decides to sell
Jakub Porzycki | Nurphoto | Getty Images
Business moguls such as Elon Musk should be prepared to spend tens of billions of dollars for TikTok’s U.S. operations should parent company ByteDance decide to sell.
TikTok is staring at a potential ban in the U.S. if the Supreme Court decides to uphold a national security law in which service providers such as Apple and Google would be penalized for hosting the app after the Sunday deadline. ByteDance has not indicated that it will sell the app’s U.S. unit, but the Chinese government has considered a plan in which X owner Musk would acquire the operations, as part of several scenarios in consideration, Bloomberg News reported Monday.
If ByteDance decides to sell, potential buyers may have to spend between $40 billion and $50 billion. That’s the valuation that CFRA Research Senior Vice President Angelo Zino has estimated for TikTok’s U.S. operations. Zino based his valuation on estimates of TikTok’s U.S. user base and revenue in comparison to rival apps.
TikTok has about 115 million monthly mobile users in the U.S., which is slightly behind Instagram’s 131 million, according to an estimate by market intelligence firm Sensor Tower. That puts TikTok ahead of Snapchat, Pinterest and Reddit, which have U.S. monthly mobile user bases of 96 million, 74 million and 32 million, according to Sensor Tower.
Zino’s estimate, however, is down from the more than $60 billion that he estimated for the unit in March 2024, when the House passed the initial national security bill that President Joe Biden signed into law the following month.
The lowered estimate is due to TikTok’s current geopolitical predicament and because “industry multiples have come in a bit” since March, Zino told CNBC in an email. Zino’s estimate doesn’t include TikTok’s valuable recommendation algorithms, which a U.S. acquirer would not obtain as part of a deal, with the algorithms and their alleged ties to China being central to the U.S. government’s case that TikTok poses a national security threat.
Analysts at Bloomberg Intelligence have their estimate for TikTok’s U.S. operations pegged in the range of $30 billion to $35 billion. That’s the estimate they published in July, saying at the time that the value of the unit would be “discounted due to it being a forced sale.”
Bloomberg Intelligence analysts noted that finding a buyer for TikTok’s U.S. operations that can both afford the transaction and deal with the accompanying regulatory scrutiny on data privacy makes a sale challenging. It could also make it difficult for a buyer to expand TikTok’s ads business, they wrote.
A consortium of businesspeople including billionaire Frank McCourt and O’Leary Ventures Chairman Kevin O’Leary put in a bid to buy TikTok from ByteDance. O’Leary has previously said the group would be willing to pay up to $20 billion to acquire the U.S. assets without the algorithm.
Unlike a Musk bid, O’Leary’s group’s bid would be free from regulatory scrutiny, O’Leary said in a Monday interview with Fox News.
O’Leary said that he’s “a huge Elon Musk fan,” but added “the idea that the regulator, even under Trump’s administration, would allow this is pretty slim.”
TikTok, X and O’Leary Ventures did not respond to requests for comment.
-
Sports2 years ago‘Storybook stuff’: Inside the night Bryce Harper sent the Phillies to the World Series
-
Sports9 months agoStory injured on diving stop, exits Red Sox game
-
Sports1 year agoGame 1 of WS least-watched in recorded history
-
Sports2 years agoMLB Rank 2023: Ranking baseball’s top 100 players
-
Sports3 years ago
Team Europe easily wins 4th straight Laver Cup
-
Environment2 years agoJapan and South Korea have a lot at stake in a free and open South China Sea
-
Environment2 years agoGame-changing Lectric XPedition launched as affordable electric cargo bike
-
Business2 years agoBank of England’s extraordinary response to government policy is almost unthinkable | Ed Conway