Warren Buffett has been among the world’s richest individuals for decades now. He’s so far ahead of the curve that it seems to bend because he says it will. Cyber security has been a concern to him for a long while now, and he seems to be using his public visibility to place more emphasis on finding solutions for the issues it presents. When he speaks, people listen and there’s hope that this will include the government.
In his most recent annual general meeting, he did not hesitate to say how underwriting the cyber insurance industry was a fool’s errand. “Cyber is in uncharted territory and it’s going to get a whole lot worse before it gets better”. His estimates were that there’s a 2% chance of a $400 billion “super cat event” happening per year. We aren’t talking your run-of-the-mill $300 ransomware or even $20,000 BEC attack. He’s referring to a catastrophic cyber incident.
The 2% per year chance that there will be a “Cyber Pearl Harbor” is frightening. “There’s a very material risk which did not exist 10 or 15 years ago and will be much more intense as the years go along,” he said. Further worrisome for the cyber security community in general, he’s been consistent on his views over the past 4 or so years. Last year he stated the biggest threat to humanity wasn’t nuclear or conventional WMDs – cyber was the number one problem.
Interestingly, Buffet launched a cyber insurance program back in 2015. Why is the Oracle of Omaha involved in an industry that he says no one understands? His justification was that while the underwriting is a fool’s errand, it is a necessary competitive position in the insurance industry – one the biggest components of his holdings. He, one of the sharpest, most successful and influential business minds of all time, doesn’t want to be a leader in the business of insuring against a cyber attack. He instead wants to avoid being over-exposed to it as much as is possible. He’s more comfortable predicting earthquakes. If that doesn’t put the magnitude (pun intended?) of cyber security risks into perspective, we don’t know what does.
But here’s what this really means to us. Cyber insurance might not be a good business for Warren because the odds of a “Black Swan” type catastrophic event are pretty high. In a nascent industry with only a recent track record against the latest threats, it can be easy for many to naively assume things will only gradually improve without more disruptive change taking hold. The application of machine learning to the massive amount of data generated in the cyber security industry is rapidly improving our ability to defend against the latest threats. The best insurance is in fact protection – along with proactive training of the users within your organization to help them root out the obvious threats and recognize the more subtle and difficult to detect social engineered threats.
Valuewalk put together a note form transcript of the Berkshire meeting. Check out Q5 on Page 3 for notes on Cyber security views.
If you’d like to watch the video of the whole meeting, you do so here (starts at roughly 1:19:00)
A more general look at Cyber Insurance