The unfortunate thing is that how Berkshire Hathaway decides to handle the issue of cyber risk ends up impacting far more than Berkshire Hathaway. Buffett is so admired, and Berkshire Hathaway is such a giant player in risk and insurance, that his words affect everyone’s security.
Warren Buffett may be old, but he continues to be held in the highest esteem by investors. He certainly has a great track record. Buffett is also admired for his openness and candid discussion of his methods and stock picks. He has always sworn by a long-term investing strategy, one that values stability as well as growth. That disciplined approach has been the key to his success.
For this reason, when he speaks, the investing and business world listen. He has been called the Oracle of Omaha. When his Berkshire Hathaway group holds its annual shareholders’ meeting, some investment firms take the day off and gather to watch the whole thing with the enthusiasm and fanfare of the Super Bowl.
When Warren Buffett speaks, the financial world listens. The insurance world listens too, because Berkshire Hathaway has become one of the biggest players in insurance. The group recently purchased a large stake in Chubb, one of the largest providers of cyber risk coverage.
This is a problem, because when someone so influential speaks about something so important, they had better be correct, and in this case he is dead wrong. I do not mean to criticize Mr. Buffett personally, of course, but it is important to call attention to this. As an expert in this area, I find his comments absolutely terrifying.
The reason they are so terrifying is the damage that these comments, and others like them from other business leaders, have done to national security and the global economy. Insurance is vital to how a capitalist economy regulates itself and how risk is properly priced. Insurance is the bedrock of how risks are treated in the economy.
The unfortunate thing is that this very ignorance is at the root of the stagnation of cyber defenses, the layoffs of so many in the sector, the divestment of resources and the acceptance of such dire levels of loss. It is terrible to think that anyone so widely followed could be actively telling people that cyber security is a mystery nobody has figured out. If that were the case, it would be pointless to spend on it or to hire experts.
Shortly after this meeting, a large number of cyber security professionals were laid off.
Beyond that, it is absolutely staggering to me that anyone would think it acceptable to say these words publicly, admitting that they expect and accept high losses in this line. Keep in mind that this insurance pays extortion. What you are watching is an American business leader telling criminals that if they care to attack a company he insures, he presumes they will succeed, and he accepts it as just a loss center.
The disconnect here is mind-blowing. It is not only that these things are being said; it is amazing to see an entire auditorium of people nodding along as if this makes sense. There have been several press reports about this level of flat-earthism, yet they all reported the statements as if they were reasonable. In a sane world, reporters would be asking whether these men had lost their faculties. Instead the world goes by, with a straight face, acting as though this is sanity.
Also, despite claims of wanting to keep cyber security insurance sales to a minimum because the losses are so high, the actual amount of cyber risk controlled by Berkshire Hathaway has quietly mushroomed to many tens of billions of dollars. That was inevitable, of course, because it is the fastest-growing line and one every business needs.
The two men in the video above, despite downplaying it, are among the biggest and most influential players in the financial assessment of cyber security risks and their mitigation or acceptance. In throwing their hands in the air and agreeing “I guess we will lose money here,” they have doomed society to ever-increasing losses.
Some additional quotes:
- “There’s no place where that kind of a dilemma enters into more than cyber. You may get an aggregation of risks that you never dreamt of, and maybe worse than some earthquake happening someplace.” – Warren Buffett
- “I haven’t figured out cyber security. I don’t think anyone has figured out cyber security.” – Warren Buffett
- “You’re likely to find with [cyber security] you’ve just eaten rat poison!” – Warren Buffett
- “Because when you insure something, you really want to think of what, how much can you lose? And the question, I remember the first time it happened, I think in 1968 when there were the riots in various cities, because I think it was the Bobby Kennedy death that set it off for the Martin Luther King death….
  When you write a policy, you have a limit in that policy. But the question is, what is one event? So if somebody is assassinated in some town and that causes losses at thousands of businesses all over the country, if you’ve written all those thousands of policies, you have one event, nor do you have a thousand events. And there’s no place where that kind of a dilemma enters into more than cyber. Because if you think about it, if, you know, let’s say you’re writing $10 million of limit per risk, and that’s fine, if you lose 10 million for some event, you can take it.
  But the problem is if that one event turns out to affect 1000 policies and somehow they’re all linked together in some way and the courts decide that way.” – Warren Buffett
- “Cyber is uncharted territory. It’s going to get worse, not better. You’re right in pointing that out as a very material risk that didn’t exist 10 to 15 years ago, and will get more intense as time goes on.” – Warren Buffett
- “There is, however, one clear, present and enduring danger to Berkshire against which Charlie and I are powerless. That threat to Berkshire is also the major threat our citizenry faces: a ‘successful’ (as defined by the aggressor) cyber, biological, nuclear or chemical attack on the United States.” – Warren Buffett
- “You’ve written something that in no way we’re getting the proper price for and could break the company. And I will tell you that most people want to be in anything that’s fashionable when they write insurance. And Cyber’s an easy issue. You can write a lot of it. The agents like it.” – Warren Buffett
- “You know, they’re getting the commission on every policy they write. And you’ve got to have somebody in charge of things that understands that you may get an aggregation of risks that you never dreamt of and maybe worse as, and some earthquake happening someplace just because you have a whole bunch of policies with a million dollar limit. And I would say that human nature is such that most insurance companies will get very excited and their agents will get very excited, and it’s very fashionable and it’s kind of interesting, and as Charlie would say, it may be rat poison.” – Warren Buffett
- “Cyber insurance has become a very fashionable product these days… it has become at least a 10 billion market … now having said that, we are very careful about taking on cyber insurance liabilities, because it is very difficult to know what the quantum of losses from a single event… That aggregation potential can be huge, and not being able to have a worst-case gap on it is what scares us.” – Ajit Jain, chief of insurance at Berkshire Hathaway
- “In our insurance operations, I have told the people running the operations, I have discouraged writing cyber insurance…. to the extent they need to write it so as to satisfy certain client needs, I have told them no matter how much you charge you should tell yourself that each time you write a cyber insurance policy you’re losing money. We can argue about how much money you’re losing, but the mindset should be you’re not making money on it, and we can go from there.” – Ajit Jain, chief of insurance at Berkshire Hathaway
- “There’s a significant challenge in understanding the potential quantum of losses that could occur from a single incident and the potential for aggregate losses. There’s no clear worst-case scenario cap, which makes it difficult to predict and manage the maximum possible loss. It’s also difficult to have a clear sense of the loss cost, both for a single loss event and across time. Jain mentioned that there is not enough data available to reliably predict true loss costs in the cyber insurance domain. This lack of data makes it risky for insurers to confidently offer cyber insurance products because they cannot accurately price the risk. Due to these challenges and risks, the decision has been made to stay away from cyber insurance.” – Statement from Berkshire Hathaway
Wow. Let’s take a deep breath and unpack all this nonsense.
One of the problems with confronting this mentality is that it could be called “not even wrong”, meaning that it is not simply empirically wrong because of a given incorrect fact or a single logical flaw. It is a misunderstanding of the risk so entrenched and so complete that it becomes difficult to refute in a short piece. This level of wrongheadedness is why so many of my writings end up being so long.
Fear of systemic risks:
A systemic risk is the type of risk that an insurer worries about most, because it is the type of risk that can hit many clients at once and which can lead to extremely high aggregated losses. One of the fears that has been expressed is that the interdependent nature of organizations and their IT systems would result in a huge compounding loss that an insurer would not be able to deal with.
There can be systemic risks in cyber security, as there can be in almost anything, but in the case of cyber security these risks are comparatively easy to determine, mitigate and document. The reason is that the risk is completely artificial: it is possible to enumerate which third parties each organization uses. Sure, a cloud service outage at AWS could cause a major disruption to the organizations that rely upon it, but we can determine that ahead of time, and not all organizations rely upon it.
It is important to know what one is doing here, because there are interdependencies, and sometimes a vendor is itself dependent on one of its own vendors. But it is an artificial, finite system, and it is easy to automate and standardize, so this is not actually the major problem it seems to be. From there, how you mitigate this risk could not be more conventional and straightforward. First, an insurer can diversify, by only allowing a certain percentage of its clients, and of its limits, to sit on any given third party. Second, it can mitigate by requiring the policyholders who depend on that third party to have some kind of backup procedure, an alternate vendor or a means of operating offline.
There are actually many tools to help rein in third party risk. This is an area of cyber security that truly does require some level of expertise, because it partially relies on conventions, standards and certifications that those outside the field would not be familiar with. I will not go into all the ways that audits, SLAs, contract law, multi-vendor solutions and independent vetting and assurance play here. However, it functions basically the same way you would deal with third party risk in any secure relationship, digital or otherwise.
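To make concrete what “determine which third parties are used, then diversify and require fallbacks” looks like once it is automated, here is an added example written for this page; it is not code from the post or from any insurer’s tooling. It models a constructed book of five hypothetical policies with generic vendor names, resolves vendor-of-vendor dependencies transitively so that a hidden upstream provider shows up as a single event, totals the limit exposed to each such event, credits policyholders that have a documented offline fallback, and refuses to bind a new policy that would push any vendor past a concentration cap. The 25% cap, the 50% fallback credit and all the policy and vendor data are assumptions for illustration, not figures from the post.

```python
from collections import defaultdict

# Constructed sample book of business: hypothetical policyholders, limits and
# the third parties each one depends on. Vendor names are generic placeholders.
POLICIES = [
    {"id": "P1", "limit": 10_000_000, "vendors": ["cloud-a"],              "offline_fallback": False},
    {"id": "P2", "limit": 10_000_000, "vendors": ["crm-saas"],             "offline_fallback": True},
    {"id": "P3", "limit":  5_000_000, "vendors": ["cloud-b", "idp-saas"],  "offline_fallback": False},
    {"id": "P4", "limit": 10_000_000, "vendors": ["crm-saas", "idp-saas"], "offline_fallback": False},
    {"id": "P5", "limit":  5_000_000, "vendors": ["cloud-b"],              "offline_fallback": True},
]

# Constructed vendor-of-vendor map: vendor -> the vendors it itself runs on.
# Only P1 names cloud-a directly, but crm-saas and idp-saas both sit on it.
VENDOR_DEPENDENCIES = {
    "crm-saas": ["cloud-a"],
    "idp-saas": ["cloud-a"],
    "cloud-a": [],
    "cloud-b": [],
}


def root_causes(vendor, deps):
    """Every vendor whose outage takes `vendor` down, itself included.
    Walks the dependency map transitively; the seen-set also guards against cycles."""
    seen, stack = set(), [vendor]
    while stack:
        v = stack.pop()
        if v in seen:
            continue
        seen.add(v)
        stack.extend(deps.get(v, []))
    return seen


def policy_root_causes(policy, deps):
    """Union of root causes across all of a policyholder's direct vendors."""
    hit = set()
    for v in policy["vendors"]:
        hit |= root_causes(v, deps)
    return hit


def single_event_exposure(policies, deps, fallback_credit=0.5):
    """Limit exposed to one outage at each root vendor.
    Returns {vendor: (gross_limit, net_limit)}; net applies `fallback_credit`
    (an assumed 50% here) to policyholders with a documented offline fallback."""
    gross, net = defaultdict(int), defaultdict(float)
    for p in policies:
        factor = 1.0 - fallback_credit if p["offline_fallback"] else 1.0
        for v in policy_root_causes(p, deps):
            gross[v] += p["limit"]
            net[v] += p["limit"] * factor
    return {v: (gross[v], net[v]) for v in gross}


def concentration_breaches(policies, deps, cap_fraction=0.25, fallback_credit=0.5):
    """Vendors whose net single-event exposure exceeds `cap_fraction` of the
    book's total limit (the 25% cap is an assumed underwriting rule)."""
    total = sum(p["limit"] for p in policies)
    exposure = single_event_exposure(policies, deps, fallback_credit)
    return {v: net / total for v, (_gross, net) in exposure.items()
            if net / total > cap_fraction}


def can_bind(policies, candidate, deps, cap_fraction=0.25, fallback_credit=0.5):
    """Underwriting gate for one new policy: reject if any vendor the candidate
    depends on, directly or transitively, would sit above the cap after binding.
    Returns (ok, offending_vendors)."""
    book = policies + [candidate]
    total = sum(p["limit"] for p in book)
    exposure = single_event_exposure(book, deps, fallback_credit)
    over = sorted(v for v in policy_root_causes(candidate, deps)
                  if exposure[v][1] / total > cap_fraction)
    return (not over, over)


if __name__ == "__main__":
    total = sum(p["limit"] for p in POLICIES)
    for v, (gross, net) in sorted(single_event_exposure(POLICIES, VENDOR_DEPENDENCIES).items()):
        print(f"{v:10s} gross {gross/1e6:5.1f}M  net {net/1e6:5.1f}M  ({net/total:.0%} of book)")
    print("over cap:", sorted(concentration_breaches(POLICIES, VENDOR_DEPENDENCIES)))
    big = {"id": "C1", "limit": 5_000_000, "vendors": ["cloud-b"], "offline_fallback": False}
    small = {"id": "C2", "limit": 2_000_000, "vendors": ["cloud-b"], "offline_fallback": True}
    print("bind C1:", can_bind(POLICIES, big, VENDOR_DEPENDENCIES))
    print("bind C2:", can_bind(POLICIES, small, VENDOR_DEPENDENCIES))
```

Only one policy in the constructed book names cloud-a directly, yet the transitive walk shows 30M of the 40M net limit riding on a single event there; that is the vendor-dependent-on-its-own-vendor case from the text, and it is the number the cap has to be applied to, not the count of policies that list the vendor by name. The fallback credit is a crude placeholder for whatever evidence the insurer actually requires (a tested restore, a contracted alternate vendor, a manual procedure); in practice it should be tied to audit results rather than a checkbox on the application.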
Cyber Attacks Can Be as Unpredictable as the Post-RFK Assassination Rioting:
This is one of the worst metaphors for cyber risk that I have ever heard in my entire life. It could not be more wrong. One of these events was a random extreme event which caused an unpredictable social cascade of anger and grief, leading to further problems. The other is a malicious actor operating in an artificial, fully monitorable, controlled environment that was designed by engineers in the United States.
With any kind of man-made technology, the failure modes can be determined through stress and torture testing in a controlled environment. Any problems can be repaired. Things can be monitored in real time, and nothing happens instantaneously.
I honestly cannot think of a worse thing to compare a cyber attack to than a chaotic social event that caused mass unrest. They could not be more different. Cyber attacks have also been compared to earthquakes, and in such cases the claim is the same: that a cyber attack is unpredictable, can happen to anyone at any time, strikes without warning and is impossible to defend against.
That is ridiculous. Cyber security incidents are like plane crashes. They are unacceptable events in which a series of things goes wrong and a lot of people are not doing their jobs, and in the end every crash investigation finds a chain of missed opportunities to avert it. That is the case here too: a large number of preventive, detective and responsive controls were not in place or were inadequate.
We Need to Clear Up Why These Things Happen So Much:
It does seem like things are difficult in cyber security. After all, we are suffering massive economic losses and are experiencing a potential crisis in national security because of it. How could it be doing so badly if it is figured out and can be done? Why don’t companies just improve their cyber security and stop getting hacked left and right?
The term for what we are experiencing is moral hazard. It is not something independent of insurance. In fact, it is caused by the very insurance that claims the problem is insurmountable. That unqualified cyber insurance was sold, that losses were subsidized and that paying ransom to criminals was normalized is exactly why we have the crisis.
I will go into this far deeper in other posts, but the way cyber insurance companies have conducted themselves has been extremely damaging to the cyber security sector. It is currently impossible to get a job in cyber security, and layoffs abound.
We “Don’t Have Enough Data” and Therefore “Can’t Price it”:
I cannot even begin to explain how wrong and off-base that statement is. It is so wrong because it reveals a basic assumption that many start from, and which leads to these ridiculous situations. Because insurers are ignorant of how cyber security works, they try to fit it into something they do understand: actuarial risk modeling. The problem is that this is not an actuarial risk, and treating it as one shows a complete disconnect from the basic ideas of what cyber security really is.
Actuarial risks are based on natural cycles and demographics. For example, we can predict that young people, especially those who live in suburbs, are far more likely to get into a car accident than a middle-aged person who lives in a city and drives far less often. The demographic factors of age and location correspond well to some risks. We can also tell that a certain area of the world is prone to natural disasters of a certain type, although climate change can throw this off.
Not all risks are actuarial in nature. Many security risks are not, since they depend primarily on the controls in place at a given organization. There are other risks like this. The risk of technology failing is not actuarial, since technology is always changing. The risk of something arising from bad behavior in the workplace is also not actuarial, since it depends on the individual character of the company and what controls it has in place far more than on where it is located or even what sector it is in.
And here is where we come to the major mistake at the root of all these false assumptions: cyber security does not need loss data to be collected, because the theory is known. It is a human invention, and largely invented here in the US. We know this. It is ours. It is not a force of nature governed by variables so wide and chaotic that they cannot all be measured. It is nothing like that.
The insistence on treating this as an actuarial risk, as opposed to the type of risk better determined through bench tests and engineering deconstruction, is the error. It should be obvious when one considers the full context. Like any other artificial system operating in a professional environment, the problems are basically regulatory and come down to a lack of good, established and enforceable practices.
In an additional post I will detail the process of how cyber risks are best assessed, quantified and mitigated. As an expert in the quantitative analysis of defensive measures, risk mitigation and threat modeling, I can tell you that losses absolutely can be controlled down to an arbitrarily low level. Risks could be brought to approximately zero, as with any other kind of security, but doing so is simply more expensive than accepting residual risk.
So how do you do this?
1. Establish good evidence-based rules of compliance
2. Communicate these clearly to policyholders
3. Audit them for compliance
4. Laugh all the way to the bank
If done properly, that’s about all you have to do.
How to Price Cyber Insurance:
Once again illustrating how out of touch the leadership has become: the pricing of cyber insurance is quite easy. It is basically the cost of compliance enforcement and administration plus a reasonable profit margin. Claims should not be a major part of what the insurance line pays.
Yeah, I know… that is how out of touch they are. They do not even realize that they should be running this as a safety assurance and compliance management service, not a claims-paying service. If it pays any substantial claims, you are doing it wrong. That is how wrong it is being done.
There Seems to be a Problem with Magical Thinking:
One thing we often hear is “What do we do if there is a cyber doomsday?”, or that a cyber attack ranks up there with nuclear war and being hit by an asteroid as an extinction event. Even Warren Buffett has lamented that he fears a train on one of his railroads could be derailed by a cyber attack.
Now let’s be clear on something: cyber security is not magic, and hackers do not have unlimited god-like powers. They cannot hack physics, and things that are not connected to any computer cannot be hacked. It is possible, of course, to stage elaborate social engineering attacks, but in general it is impossible for anyone to hack the faucet in your bathroom, because you have to be there to turn the valve.
Anything that involves human life and could go badly off course, such as a train or the IT system in a hospital, should never be fully automated without a human in the loop. It is true that we often do not do a great job, and connected systems can end up in places they should not be. For example, there is no reason for a chlorination system for drinking water to be controllable over the internet.
Because this is all artificial, we can limit the exposure however we want to, and we can use the laws of physics to our advantage.
But you do Need Experts:
The fact that this level of flat-earthism can exist about such a well-established business science as cyber security shows exactly why legitimate subject matter experts are needed. It is important to understand one thing: insurance executives and insurance boards of directors have literally never spoken to a single subject matter expert in cyber security. Not even one, that I can find. They certainly do not have any working for them. If they did, this would not be happening.
What seems to have happened (and I will discuss this further in additional posts) is that insurers naively went into cyber risk thinking they could sell unqualified insurance. When it blew up in their faces, they decided they hated cyber risk and did not want to bother with it again.
Cyber insurance is underinvested in. The underwriters of cyber insurance tend to be the dullest, lowest achievers. Honestly, I have never met people as immature and clueless as cyber insurance underwriters. The executive leadership is fully disconnected and affirmatively does not want to get involved. As one can see in the video above, the mentality could not be more toxic or ignorant.
Cyber security does come across as perplexing to those who have no background in it at all. It is intimidating, in part, because it is security and the stakes are high. People are told it is complicated and has not been figured out. This myth seems to perpetuate itself, and with so many myths in this area, it truly is necessary to stick to the advice of credentialed experts.
In general, and for a variety of reasons which I will cover in subsequent posts, amateurs do very badly in cyber security, and the need to know what you are doing seems to be underestimated in this field worse than in almost any other.
There are some greater problems that come from this level of affirmative disconnection. In many cases, the complete willful disregard for any obligation to try not to lose money here could be a violation of Sarbanes-Oxley. In fact, if you wanted to enforce that law to the maximum, there are all kinds of violations that happen in cyber security.