Warren on writing insurance for cybersecurity incidents: Nobody “really knows what they’re doing”
Good morning. Warren, in your annual letter, you wrote about a potential for a $400 billion natural catastrophe event, something out in the tail of the loss distribution. I can think of another risk that could have a similar order of magnitude, and that would be cyberrisk.
I’m sure all your managers have taken steps against that potential, but in… out in the tail of the cyberrisk distribution, it could hit a lot of industries, a lot of your companies. So how do you think about and prepare for the big one in cyber?
Yeah. Well, I include, incidentally, in my… that part I wrote in the annual report where I said that roughly… nobody knows the answer on this. I mean, I could stick down two, and somebody else much smarter in insurance would stick down a different figure.
But I think it’s about a 2 percent risk of what I call a 400 billion super-cat of all time. And…
But cyber is in that equation. I mean, that’s not just earthquakes and that sort of thing. And frankly, I don’t think we, or anybody else, really knows what they’re doing when writing cyber. I mean, we… it is just very, very, very early in the game.
And we don’t know what the interpretations of the policies, necessarily, will be. We don’t know the degree to which they’ll be what… there’ll be correlated incidents, which we don’t really think are correlated now or haven’t had the imagination to come up with.
We know that every year when I go and hear these people from the CIA or wherever it may be, they tell me that the offense is ahead of the defense, and will continue that way.
And I can dream of a lot of cyber incidents, which I’m not going to spell out here, because people that have twisted minds may be… they’ve probably got more… way more… ideas than
I’ve got, but I don’t believe in feeding them any.
But it’s a business where we don’t… we have a pretty good idea of the probabilities of a quake in California, or the probabilities of a three or a four hurricane hitting Florida, or whatever it may be.
We don’t know what we’re doing in cyber, and we try to keep… we don’t want to be a pioneer on this. We do some business in that arena in Berkshire Hathaway Specialty.
But if you’re doing something for competitive reasons… which I’m OK with… but when I’m doing something where I… that people tell me is a competitive necessity, we are going to try not to have… we don’t want to be number one or number two or number three in exposures on it. And I don’t… and I am sure we are not in cyber. But I don’t…
I think anybody that tells you now that they think they know in some actuarial way, either what general experience is likely to be in the future, or what the worst case would be, I think, is kidding themselves.
And that’s one of the reasons that I say that a $400 billion event has a… I think has roughly a 2 percent probability per year of happening.
Cyber’s uncharted territory, and it’s going to get worse, not better. And then the question is whether, if we have a whole bunch of $25 billion commercial limits out there, whether there’s some aggregation that we didn’t foresee or that the courts interpret those policies differently, then you know… they are generally going to give the benefit of the doubt to the insured.
So you’re right in pointing that out as a very material risk, which didn’t exist 10 or 15 years ago and that… and will be much more intense as the years go along.
And all I can tell you, Gary, is that, that’s part of my 400 billion and my 2 percent. But if you’ve got a different guess, it’s just as likely that yours is right than mine on that.
Yeah, well, something that’s very much like cyber risk is, you’ve got computers programmed to do your security trading and your computer goes a little wild from some error.
And that’s already happened at least once where somebody just was fine one morning and by the afternoon they were broke because some computer went crazy. We don’t have any computers we allot… we allow to do big, automatically trading securities.
I think, generally, Berkshire is less likely than most other places to be careless in some really stupid way.
I do think if there’s a mega-cat from cyber, and let’s say it hits 400 billion, I do not think we’ll have more than a 3 percent…
No, no, we’ll get our share.
And but it, you know, it will destroy… what will destroy a lot of companies… that we will actually, if we had a $12 billion loss, I would think, except for the new accounting rule, but I believe from what I call operating earnings, we would probably still have a reasonable profit that year.
I mean, we are in a different position than any insurance company I know of in the world, in our ability to handle the really… really super, super-cat.
OK, shareholder from station 2.
May I point out that the main shareholder to my right here has almost all his net worth in one security. That’s likely to be more carefully managed than some public place with people just passing through.
Yeah, you don’t want a guy that’s 64 and is going to retire at 65. And a lot of decisions you really don’t want him or her to be making.