At Berkshire Hathaway’s annual investor meeting earlier this year, Warren Buffett and his top insurance executive Ajit Jain issued a headline-grabbing warning that Berkshire would exercise caution regarding cyber insurance — in fact, it advised insurance agents to only sell cyber policies if they absolutely had to do so to satisfy a client, and to expect losses.
A primary reason cited is the difficulty in assessing the scale of losses possible from a single occurrence that spreads across technology systems, with Jain giving the hypothetical example of when a primary cloud provider’s platform “comes to a standstill.”
“That aggregation potential can be huge, and not being able to have a worst-case gap on it is what scares us,” he said.
Jain’s hypothetical seemed prescient when a quality control issue from cybersecurity firm CrowdStrike caused a worldwide IT outage that halted flights and freight, shuttered retail outlets, and caused hospitals to resort to charting on paper.
“Insurers have been worried about something like what happened with CrowdStrike since cloud adoption happened,” said Dale Gonzales, chief innovation officer at Axio, a cyber security risk analysis company.
But Gerald Glombicki, a senior director in Fitch Rating’s U.S. insurance group, believes the cyber insurance industry largely priced in the CrowdStrike meltdown correctly, and he expects it to be manageable rather than catastrophic for the cybersecurity insurance firms..
“It will have an impact because there will be losses,” said Glombicki, “but the modeling largely got it right. Mostly, we think the industry will handle it OK. There might be some issuers that mispriced policies,” he added.
Fitch estimates that the number of insured losses will not exceed $10 billion, ending somewhere in the mid- to high-single billions and that the industry largely priced those in.
The cybersecurity insurance market did get lucky, in some respects, with the CrowdStrike meltdown. For one, there were no significant physical damages, such as explosions at power plants, dams bursting, or fires caused by overheating equipment, which are becoming a bigger cyberterrorism risk.
“Cyber events that have more of a physical consequence would be much bigger in size or scope in terms of losses,” Glombicki said.
Additionally, even though CrowdStrike is widely deployed, its market share, estimated at 17% by Fitch, is large but limited in total impact. Among the companies that did use CrowdStrike, the worst impacted seemed to be on businesses that need 24/7 availability, like hospitals and airlines, Glombicki said.
Another factor in holding down losses and distributing them unevenly across the globe is that the CrowdStrike failure impacted places like Australia and Pacific Asia in the middle of the business day, but other markets, including the U.S., were hit during the night or early morning and many businesses were able to get systems back up within hours.
0 Comments