Warren Buffett & Ajit Jain on Cyber Insurance Market: a Bad Bet? | Berkshire Hathaway 2024
[Transcript]
BECKY QUICK: This question comes from Carol de Gend (PH) in Switzerland, in Europe, and this is for both Mr. Buffett and Mr. Jain. As political instability in the world is growing with a rise in the number of armed conflicts and trade tension, there is also increasing risk of cyberattacks. What are your views on cybersecurity insurance? Asking this question in general, for retail, small businesses, and large companies, including critical key infrastructure such as power plants, harbors, airports, nuclear plants, etc. Do you see a potential for profit-making in cybersecurity insurance, and what are the key challenges?
AJIT JAIN: Okay, let me start. Cyber insurance has become a very fashionable product these days over these last few years. It is at least a $10 billion market right now globally, and profitability has also been fairly high. I think profitability is at least 20% of the total premium has ended up as profit in the pockets of the insurance bearers.
Now, having said that, we at Berkshire tend to be very, very careful when it comes to taking on cyber insurance liabilities. Actually, for two reasons. One is it’s very difficult to know what is the quantum of losses that can be subject to a single occurrence, and the aggregation potential of cyber losses, especially if some cloud operation comes to a standstill. You know that aggregation potential can be huge, and not being able to have a worst-case cap on it is what scares us.
Secondly, it’s also very difficult to have some sense of what we call loss cost, or the cost of goods sold could potentially be. It’s not just for a single loss, but for losses across over time. They have been fairly well contained. Out of 100 cents of the dollar, the premium losses over the last four or five years, I think, have not been beyond 40 cents of the dollar, leaving a decent profit margin.
But having said that, there’s not enough data to be able to hang your hat on and say what your true loss cost is. So in our insurance operations, I have told the people running the operations, I’ve discouraged them from writing cyber insurance. To the extent they need to write it so as to satisfy certain client needs, I have told them, no matter how much you charge, you should tell yourself that each time you write a cyber insurance policy, you're losing money. We can argue about how much money you’re losing, but the mindset should be you’re not making money on it, you’re losing money. And then we should go from there.
So it is projected to be a huge business. My guess is at some point it might become a huge business, but it might be associated with huge losses. And our approach is to sort of stay away from it right now until we can have access to some meaningful data and hang our hat on data.
WARREN BUFFETT: Well, you've just made—you’ve just heard why Ajit is invaluable. Because when you insure something, you really want to think of how much you can lose. And the question—I remember the first time it happened, I think in 1968, when there were the riots in various cities, because I think it was the Bobby Kennedy death that set it off, or the Martin Luther King death. I’m not sure which one.
But in any event, when you write a policy, you have a limit in that policy. But the question is, what is one event? So if somebody is assassinated in some town and that causes losses at thousands of businesses all over the country, if you’ve written all those thousands of policies, do you have one event, or do you have a thousand events? And there’s no place where that kind of a dilemma enters into more than cyber.
Because if you think about it, let’s say you’re writing $10 million of limit per risk, and decide that's fine, and if you lose $10 million for some event, you can take it. But the problem is if that one event turns out to affect 1,000 policies, and somehow they’re all linked together in some way and the courts decide that way, you’ve written something that in no way we’re getting the proper price for and could break the company.
And I will tell you that most people want to be in anything that’s fashionable when they write insurance. And cyber’s an easy issue. You can write a lot of it. The agents like it. You know, they’re getting the commission on every policy they write. And you’ve got to have somebody in charge of things that understands that you may get an aggregation of risks that you never dreamt of, and maybe worse as some earthquake happening someplace just because you have a whole bunch of policies with a million-dollar limit.
And I would say that human nature is such that most insurance companies will get very excited, and their agents will get very excited, and it’s very fashionable, and it’s kind of interesting, and as Charlie would say, it may be rat poison. (Laughs)
Source: https://buffett.cnbc.com/2024-berkshire-hathaway-annual-meeting/
[YAPSS Takeaway]
Always think about the worst that could happen. If you don’t know how bad it could be or can’t handle the results, don’t go for it. The idea of "high risk, high reward" doesn't work; it's better to choose low-risk options.