Warren Buffett is worried about potential for ‘huge losses’ in booming, but still tiny insurance market

Warren Buffett and Berkshire Hathaway’s top insurance executive, Ajit Jain, told investors at the company’s recent annual shareholder meeting in Omaha that, while cyber insurance is currently profitable, there are still too many unknowns and risks for Berkshire, a major player in the insurance market, to be completely comfortable underwriting.

Cyber insurance has become “a very fashionable product,” Jain stated at the annual meeting. And, so far, it has proven profitable for insurers. He estimated current profitability as “fairly high” – at least 20% of all premiums wind up in insurer pockets. But at Berkshire, the message to agents is one of caution.

One major factor is the challenge in determining how losses from a single incidence do not compound into an aggregate of prospective cyber losses. Jain used the hypothetical example of a large cloud provider’s platform “comes to a standstill.”

“That aggregation potential can be huge, and not being able to have a worst-case gap on it is what scares us,” he stated.

“There’s no place where that kind of a dilemma enters into more than cyber,” Buffett stated. “You may get an aggregation of risks that you never dreamt of, and maybe worse than some earthquake happening someplace.”

Berkshire operates in the cyber insurance market.
According to industry analysts, while part of Berkshire’s caution is justified, the overall state of the cybersecurity insurance sector is stabilizing as it becomes profitable. Gerald Glombicki, a senior director in Fitch Ratings’ U.S. insurance group, points out that Berkshire Hathaway is issuing cybersecurity coverage despite Buffett’s warnings. According to Fitch Ratings, Berkshire Hathaway is the sixth-largest issuer of such products. Chubb, in which Berkshire recently announced a significant investment, and AIG are the largest.

“Right now [cybersecurity insurance] is still a viable business model for many insurers,” Glombicki stated. It is still a small market, accounting for about one percent of all policies issued, according to Glombicki. Because the cybersecurity industry is so small, insurance firms can experiment with different policies to evaluate what works and what doesn’t without exposing themselves to too much risk.

Berkshire, Chubb, and AIG declined to comment.

“There is an element of unpredictability that is very unsettling, and I understand where [Buffett] is coming from, but I think it is really hard to avoid cyber risk entirely,” Glombicki stated. He said, however, that there has yet to be significant litigation that assigns blame or tests the bounds of the policies, and that until the courts hear some culpability cases, some insurers may proceed with caution.

‘Could break the company.’ Buffett says:
The issue with establishing several policies, even with a $1 million cap per policy, is that a “single event” can affect 1,000 policies. “You’ve written something that in no way we’re getting the proper price for, and could break the company,” stated Buffett.

While some famous leaders, such as former Homeland Security Secretary Michael Chertoff, who now operates a global security risk management firm, have advocated for some form of government cybersecurity backstop, most experts believe it is unnecessary at this time. According to Glombicki, while the feds are considering what role they can play, intervention is unlikely to occur unless an incident prompts it.

Any government participation “will probably happen after a big, expensive cyber-incident,” he warned. “After 9/11, the government implemented a terrorist risk program. We have yet to see a cyber attack of that magnitude. We are still thinking about various options.”

Cyber insurance data demonstrates increase and market confidence.

While the quantity of cybersecurity policies being drafted is currently minimal, analysts do not expect this to continue.

“Rates are declining, indicating market stability,” said Mark Friedlander, spokesman for the Insurance Information Institute. According to the data, cyber premiums are expected to treble over the next decade. Premiums in 2022 were $11.9 billion. Friedlander predicts that they will quadruple to $22.5 billion by 2025 and $33.3 billion by 2027.


“This is undoubtedly one of the insurance industry’s fastest-growing categories. “More companies are writing cybersecurity policies than ever before,” Friedlander added, citing insurers’ confidence in more sophisticated underwriting and pricing stability. He noted a 6% drop in cybersecurity insurance prices in the first quarter of 2024, following a 3% drop in 2024, as evidence that insurers are increasingly confident about entering the market.

“Most commercial insurance, including auto, home, and life insurance, has been increasing, so the drop is considerable. “It is a sign of stability and a decrease in claim severity,” Friedlander explained.

Furthermore, more insurers are entering the market since they have the necessary tools and data to price risk. “If you can do it at a reasonable rate, you will write that coverage,” Friedlander stated.

You’re losing money.
Buffett and his senior insurance lieutenant disagree. The insurance “loss cost” — what the cost of goods sold may possibly be — has Berkshire on the fence about making a larger foray into cyberinsurance. Losses have been “fairly well contained” to yet, not exceeding 40 cents on the insurance dollar during the last four to five years, according to Jain, but “there’s not enough data to be able to hang your hat on and say what your true loss cost is.”

According to Jain, Berkshire agents are generally discouraged from offering cyber insurance unless it is necessary to meet specific client needs. Even if they do, Jain leaves them with the following message: “No matter how much you charge, believe yourself that every time you issue a cyber insurance policy, you’re losing money. We may dispute about how much money you’re losing, but the main point is that you’re not making money. And then we should proceed from there.”

Google Cloud says the threats are overblown.

Monica Shokrai, head of business risk and insurance at Google Cloud, believes that cyber risk is continually evolving and thus too unpredictable to underwrite in a systematic fashion. However, she said that perception does not reflect reality, and that the danger can be largely handled.

“We don’t hold the same view as Warren Buffet on the topic,” she stated. According to Google, the majority of cyber damages may be prevented or mitigated by practicing basic cyber hygiene.

“By understanding security, you can get to a place where your controls are in a much better place, where the risk is more manageable,” Shokrai stated. Devastating attacks by nation-states, on the other hand, represent a distinct category and have been rare. Insurers are already protecting themselves against potential risk by excluding some catastrophic situations. Many cybersecurity policies make exceptions for nation-state assaults.

“What they are trying to do is remain resilient and solvent in the event of a widespread event; what they have done to manage that is put in exclusions,” Shokrai explained, citing vital infrastructure, cyber war, and other widespread disruptive events.

Ambiguities and subjectivities persist. What if someone is the victim of a cyberattack by a foreign-based gang that isn’t officially affiliated with a nation-state but may have received some logistical assistance? Can an insurance firm use a nation-state exclusion? According to Shokrai, insurance companies are deeply divided on how to categorize an event. “That is a big debate between insurance companies; it is an important distinction that needs clarity,” Shokrai stated.

Some experts believe that the unpredictability around the industry’s margins has investors like Buffett and insurance companies like Berkshire Hathaway concerned. However, the company has proven to be financially stable thus far. “It is still a viable business model for many insurers,” said Josephine Wolff, an associate professor of cybersecurity policy at The Fletcher School at Tufts University who has been researching the changing market for several years. However, she added that believing the business is viable does not mean that things are not constantly changing, citing the recent ransomware surge over the last few years, which resulted in large payouts by insurance companies — albeit not enough to make the business unprofitable for most issuers.

According to Steve Griffin, co-founder of L3 Networks, a cybersecurity-focused managed services firm based in California, cyber insurance contributes to the overall security of the ecosystem. Policies demand firms to comply to specific cyber criteria in order to obtain coverage, and the more organizations that sign up for coverage, the safer the overall system becomes. And if a business knows it would be rejected a claim if it does not have some basic cybersecurity precautions in place, it will be more likely to implement them.

Berkshire does believe the company will grow, but it is unsure at what cost. “My guess is at some point it might become a huge business, but it might be associated with huge losses,” Jain stated.

“When it comes to writing insurance, the majority of individuals want to be in anything stylish. “And cyber is a simple issue,” Buffett remarked. “You can write a lot about it. The agents enjoy it. They receive a commission for every insurance they write. I believe that human nature is such that most insurance firms and their agents will become quite enthused, and it is extremely fashionable and interesting, and as Charlie [Munger] would say, it may be rat poison.”

While Griffin appreciates Buffett’s concern, he sees a generational split in risk perception and is enthusiastic about the cybersecurity insurance industry.

“Probably Warren Buffet would have called cybersecurity insurance an opportunity when he was younger,” when he said.