Warren Buffett is worried about potential for ‘huge losses’ in booming, but still tiny insurance market
One of the messages that Warren Buffett and Berkshire Hathaway’s top insurance executive, Ajit Jain, sent to investors during the company’s annual shareholder meeting in Omaha last month was that cyber insurance, while currently profitable, still has too many unknowns and risks for Berkshire, a huge player in the insurance market, to be fully comfortable underwriting.
Cyber insurance has become “a very fashionable product,” Jain said at the annual meeting. And it’s been a money maker for insurers, at least to date. He described current profitability as “fairly high” — at least 20% of the total premium ending up in the pockets of insurers. But at Berkshire, the message being sent to agents is one of caution. A primary reason is the difficulty in assessing how losses from a single occurrence don’t spiral into an aggregation of potential cyber losses. Jain gave the hypothetical example of when a major cloud provider’s platform “comes to a standstill.”
“That aggregation potential can be huge, and not being able to have a worst-case gap on it is what scares us,” he said.
“There’s no place where that kind of a dilemma enters into more than cyber,” Buffett said. “You may get an aggregation of risks that you never dreamt of, and maybe worse than some earthquake happening someplace.”
Berkshire is in the cyber insurance business
Industry analysts generally say while some of Berkshire’s caution is warranted, the general state of the cybersecurity insurance marketplace is stabilizing as it becomes profitable. And Gerald Glombicki, a senior director in Fitch Rating’s U.S. insurance group, points out that Berkshire Hathaway is issuing cybersecurity policies despite Buffett’s caution. According to Fitch’s analysis, Berkshire Hathaway is the sixth-largest issuer of such policies. Chubb, which Berkshire recently revealed a big investment in, and AIG are the largest.
“Right now [cybersecurity insurance] is still a viable business model for many insurers,” Glombicki said. It is still a tiny market, representing only one percent of all policies issued, according to Glombicki. Because the cybersecurity business is so small, it gives insurance companies latitude to implement various policies to see what is working, and what isn’t, without a tremendous amount of exposure.
Berkshire, as well as Chubb and AIG, declined to comment.
“There is an element of unpredictability that is very unsettling, and I understand where [Buffett] is coming from, but I think it is really hard to avoid cyber risk entirely,” Glombicki said. He added though that there has still been no significant litigation that assigns culpability or tests the boundaries of the policies, and until the courts hear some culpability cases, some insurers may proceed more cautiously.
‘Could break the company’ Buffett says
Top Berkshire executives Warren Buffett (L), Greg Abel (C) and Ajit Jain (R) during the Berkshire Hathaway Annual Shareholders Meeting in Omaha, Nebraska on May 4, 2024.
CNBC
The problem with writing many policies, even with a $1 million limit per policy, is if a “single event” turns out to affect 1,000 policies. “You’ve written something that in no way we’re getting the proper price for, and could break the company,” Buffett said.
While some notable leaders, like former Homeland Security chief Michael Chertoff — who now runs a global security risk management firm — have called for a government cybersecurity backstop of some sort, most experts don’t believe that is needed right now. Glombicki says that while the feds are looking at what role they can play, intervention likely won’t happen until an incident prompts it.
Any government involvement “will probably happen after a big, expensive cyber-incident,” he said. “After September 11, the government put together a terrorist risk program. In cyber, we have not yet seen an attack of that scale. We are still in the stage of thinking about possible approaches.”
Cyber insurance data shows growth and market confidence
While the number of cybersecurity policies being written is small now, analysts don’t expect it to stay that way.
“Rates are declining, which shows stability in the market,” said Mark Friedlander, a spokesman for the Insurance Information Institute. According to its data, cyber premiums are estimated to double over the next decade. In 2022, premiums totaled $11.9 billion. By 2025, Friedlander says, they are expected to double to $22.5 billion and increase to $33.3 billion by 2027.
“This is clearly one of the fastest-growing segments of insurance. More companies are writing cybersecurity policies than ever before,” Friedlander said, attributing confidence among insurers to more sophisticated underwriting and stabilizing rates. He cited a 6% decline in cybersecurity insurance rates in the first quarter of 2024, following a 3% decline in 2024, as a clear signal that insurers feel more confident about jumping into the business.
“Most commercial insurance like auto, home, and life insurance have all been increasing, so the decline is significant. It is a sign of stability and a decline in claims severity,” Friedlander said.
And more insurers are entering the market because they have the tools and data to price the risk. “If you can do it at sound rates, you will write that coverage,” Friedlander said.
‘You’re losing money’
Buffett and his top insurance lieutenant don’t agree. It’s the insurance “loss cost” — what the cost of goods sold could potentially be — that has Berkshire on the fence with a bigger move into cyber insurance. Jain said losses have been “fairly well contained” to date — not exceeding 40 cents on the policy dollar over the past four to five years — but he added, “there’s not enough data to be able to hang your hat on and say what your true loss cost is.”
Jain said that in most cases agents are Berkshire are discouraged from writing cyber insurance, unless they need to write it to satisfy specific client needs. And even if they do, Jain leaves them with this message: “No matter how much you charge, you should tell yourself that each time you write a cyber insurance policy, you’re losing money. We can argue about how much money you’re losing, but the mindset should be you’re not making money on it. … And then we should go from there.”
Google Cloud says the risks are being overstated
There is a perception that cyber risk is rapidly changing and, therefore, too unpredictable to underwrite in a systematic way, says Monica Shokrai, head of business risk and insurance at Google Cloud. But she added that the perception doesn’t match reality, and that the risk can largely be managed.
“We don’t hold the same view as Warren Buffet on the topic,” she said. In Google’s view, the majority of cyber losses can be prevented or mitigated through basic cyber hygiene.
“By understanding security, you can get to a place where your controls are in a much better place, where the risk is more manageable,” Shokrai said. Devastating attacks from nation-states, meanwhile, are in a separate category and have been rare. Insurers are already inoculating themselves from potential risk by making exclusions for certain catastrophic events. Many cybersecurity policies have coverage exemptions for nation-state attacks.
“What they are trying to do is remain resilient and solvent in the event of a widespread event; what they have done to manage that is put in exclusions,” Shokrai said, and those include critical infrastructure, cyber war, and other widespread disruptive events.
Ambiguities and subjectivities remain. What if someone is the victim of a cyberattack from a foreign-based gang that isn’t officially tied to a nation-state but may have received some ancillary logistical support? Can an insurance company invoke a nation-state exclusion? Shokrai says categorizing how to attribute an event is the topic of much debate between insurance companies. “That is a big debate between insurance companies; it is an important distinction that needs clarity,” Shokrai said.
Some experts say it is the ambiguity surrounding the industry’s margins that has investors like Buffett and insurance players like Berkshire spooked. But so far, the business has proven to be sound overall. “It is still a viable business model for many insurers,” said Josephine Wolff, an associate professor of cybersecurity policy at The Fletcher School at Tufts University, who has been studying the evolving market for the past several years. But she added that a belief that the business is viable doesn’t mean things are not constantly changing, pointing to the recent ransomware surge over the past couple of years that saw large payouts by insurance companies — though notably still not enough to make the business unprofitable for most issuers.
Cyber insurance helps make the entire ecosystem safer, according to Steve Griffin, co-founder of L3 Networks, a California-based managed services provider that specializes in cybersecurity. Policies require companies to adhere to certain cyber standards to attain coverage, and the more businesses that sign up for coverage, the safer the entire system becomes. And if a business knows they’ll be denied a claim if they don’t have some basic cybersecurity safeguards in place, that acts as an incentive to put them in place.
Berkshire does believe the business will grow, it just isn’t sure at what cost. “My guess is at some point it might become a huge business, but it might be associated with huge losses,” Jain said.
“I will tell you that most people want to be in anything that’s fashionable when they write insurance. And cyber’s an easy issue,” Buffett said. “You can write a lot of it. The agents like it. They’re getting the commission on every policy they write. … I would say that human nature is such that most insurance companies will get very excited and their agents will get very excited, and it’s very fashionable and it’s kind of interesting, and as Charlie [Munger] would say, it may be rat poison.”
While Griffin understands Buffett’s caution, he sees a generational divide over the risk outlook, and is optimistic about the cybersecurity insurance sector.
“Probably Warren Buffet would have called cybersecurity insurance an opportunity when he was younger,” he said.
Technology
Tesla stock pops 8% in premarket after report Trump wants to relax U.S. self-driving rules
Technology
European tech CEOs urge ‘Europe-first’ mentality to counter U.S. dominance after Trump victory
Thomas Plantenga, CEO of used fashion resale app Vinted, on center stage during Web Summit 2024 in Lisbon, Portugal.
Harry Murphy | Sportsfile for Web Summit Getty Images
LISBON, Portugal — Tech CEOs in Europe are urging region al countries to take bolder action to tackle Big Tech’s dominance and counter reliance on the U.S. for critical technologies like artificial intelligence after Donald Trump’s electoral win.
The Republican politician’s victory was a key topic among prominent tech bosses at the Web Summit conference in Lisbon, Portugal. Many attendants said they’re unsure of what to expect from the U.S. president-elect, citing this unpredictability as a core challenge at present.
Andy Yen, CEO of Swiss VPN developer Proton, says Europe should echo American protectionism and adopt a more “Europe-first” approach to technology — in part to reverse the trend of the last two decades, during which much of the Western world’s most important technologies, from web browsing to smartphones, have become dominated by a handful of large U.S. tech firms.
VPNs, or virtual private networks, are services that encrypt data and mask a user’s IP address to hide browsing activity and bypass censorship.
“It’s time for Europe to step up,” Yen told CNBC on the sidelines of Web Summit. “It’s time to be bold. It’s time to be more aggressive. And the time is now, because we now have a leader in the U.S. that is ‘America-first,’ so I think our European leaders should be ‘Europe-first.'”
One key push for the past decade from the European Union has been to take legal action and introduce tough new regulations to tackle the dominance of large technology players, such as Google, Apple, Amazon, Microsoft and Meta.
As Trump prepares to come into power for a second mandate, concerns have now mounted that Europe might reel in its tough approach to tech giants out of fear of retaliation from the new administration.
US Big Tech playing ‘extremely unfairly’
Proton’s Yen, for one, urged the EU not to water down its attempts to rein in America’s tech giants.
“Europe has been thinking in a very globalist mindset. They’re thinking we need to be fair to everybody, we need to open our market to everybody, we need to play fair, because we believe in fairness,” he told CNBC.
“Well, guess what? The Americans and the Chinese didn’t get the memo. They have been playing extremely unfairly for the last 20 years. And now they have a president that is extremely ‘America-first.'”
Mitchell Baker, former CEO of American open internet non-profit Mozilla Foundation, said the EU’s DMA has led to meaningful changes for the Firefox browser, with activity increasing since Google implemented a “choice screen” on Android phones that enables users to select their search engine.
“The change in Firefox new users and market share on Android is noticeable,” Baker said. “That’s nice for us — but it’s also an indicator of how much power and centralized distribution that these companies have.”
She added, “This change in usage because of one choice screen isn’t the full picture. But it is an indicator of the kind of things that consumers can’t choose and that businesses can’t build successfully because of the way the tech industry is structured right now.”
Thomas Plantenga, CEO of Lithuania-headquartered used clothing resale app Vinted, urged Europe to take the “right choices” to ensure the continent can “fend for ourselves” and does not get “left behind.”
“If you look very realistically at what countries do, they try to take care of themselves and they try to form coalitions to be stronger themselves, and as a coalition be stronger,” Plantenga told CNBC in an interview. “We have a lot of very talented, well-educated people.”
“We need [to] ensure that we can take care of our own safety, that we can take care of our own energy, that we ensure to keep on investing in our education and innovation so that we can keep up with the rest [of the world],” he stressed. “If we don’t, then we’ll be left behind. In every collaboration, it’s always a trade. And if we don’t have much to trade, we become weaker.”
‘AI sovereignty’ now a key battleground
Another theme that attracted much chatter on the ground at Web Summit was the idea of “AI sovereignty” — which refers to countries and regions localizing critical computing infrastructure behind AI services, so that these systems become more reflective of regional languages, cultures and values.
With Microsoft becoming a key player in AI, concerns have surfaced that the maker of the Windows operating system and Office productivity tools suite has secured a dominant position when it comes to foundational AI tools.
The tech giant is a key backer behind ChatGPT maker OpenAI, whose technology it also heavily uses in its own products.
For some startups, Microsoft’s decision to embrace AI has resulted in harmful, anti-competitive effects.
Last year, Microsoft hiked the fees it charges search engines to use its Bing Search APIs, which allow developers access to the tech giant’s backend search infrastructure — in part because of higher costs attached to its AI-powered search features.
“They’re gradually reducing our revenue — we’re still relying on them — and that reduces our capacity to do things,” Christian Kroll, CEO of sustainability-focused search engine Ecosia, told CNBC. “Microsoft is a very fierce competitor.”
CNBC has reached out to Microsoft for comment.
Ecosia recently partnered with fellow search provider Qwant to build a European search index and reduce dependence on U.S. Big Tech to deliver web browsing results.
Meanwhile, the European Union’s AI Act, a landmark artificial intelligence law with global implications, introduces new transparency requirements and restrictions on companies developing and using AI.
The laws are likely to have a big impact on predominantly U.S. tech firms, since they’re the ones doing much of the development of — and investment in — AI.
With Trump set to come into power, it’s unclear what that could mean for the global AI regulatory landscape.
Shelley McKinley, chief legal officer of code repository platform GitHub, said she can’t predict what Trump will do in his second term — but that businesses are planning for a range of different scenarios in the meantime.
“We will learn in the next few months what President-elect Trump will say, and in January we will start seeing some of what President Trump does in this area,” McKinley said during a CNBC-moderated panel earlier this week.
“I do think it is important that we all, as society, as businesses, as people, continue to think about the different scenarios,” she added. “I think, as with any political change, as with any world change, we’re still all thinking about what are all of the scenarios we might operate.”
Technology
European SpaceX rival raises $160 million for reusable capsule to carry astronauts, cargo to space
-
Sports2 years ago‘Storybook stuff’: Inside the night Bryce Harper sent the Phillies to the World Series
-
Sports8 months agoStory injured on diving stop, exits Red Sox game
-
Sports2 years agoMLB Rank 2023: Ranking baseball’s top 100 players
-
Sports1 year agoGame 1 of WS least-watched in recorded history
-
Environment1 year agoJapan and South Korea have a lot at stake in a free and open South China Sea
-
Sports3 years ago
Team Europe easily wins 4th straight Laver Cup
-
Environment2 years agoGame-changing Lectric XPedition launched as affordable electric cargo bike
-
Business2 years agoBank of England’s extraordinary response to government policy is almost unthinkable | Ed Conway