At Berkshire Hathaway’s annual investor meeting earlier this year, Warren Buffett and his top insurance executive Ajit Jain issued a headline-grabbing warning that Berkshire would exercise caution regarding cyber insurance. It advised insurance agents only to sell cyber policies if they had to do so to satisfy a client and to expect losses.
A primary reason cited is the difficulty in assessing the scale of losses possible from a single occurrence that spreads across technology systems. Jain gives the hypothetical example of when a primary cloud provider’s platform “comes to a standstill.”
“That aggregation potential can be huge, and not being able to have a worst-case gap on it is what scares us,” he said.
Jain’s hypothetical seemed prescient when a quality control issue from cybersecurity firm CrowdStrike caused a worldwide IT outage that halted flights and freight, shuttered retail outlets, and caused hospitals to resort to charting on paper.
Cyber security risk analysis outfit Axio’s Dale Gonzales told Reuters that insurers have been worried about something like what happened with CrowdStrike since cloud adoption occurred.
In some respects, the cybersecurity insurance market did get lucky with the CrowdStrike meltdown. For one, there were no significant physical damages, such as explosions at power plants, dams bursting, or fires caused by overheating equipment, which are becoming a more considerable cyberterrorism risk.
Another factor in holding down losses and distributing them unevenly across the globe is that the CrowdStrike failure impacted places like Australia and Pacific Asia in the middle of the business day. Still, other markets, including the U.S., were hit during the night or early morning and many businesses could get systems back up within hours.
Not all cyber experts are expressing as much confidence at this point. Josephine Wolff, an associate professor of cybersecurity policy at Tufts University’s Fletcher School who has been studying the evolving market for several years, suspects the CrowdStrike meltdown will send shock waves through the nascent cyber insurance market.
“It’s still pretty early to assess the volume of claims that insurers are going to see due to CrowdStrike, but I sense that there will be a lot of business interruption claims across all industry sectors, just based on the impacts we’ve seen covered in the news, and that it will be a terrible situation for insurers,” Wolff said.