Your comment a couple of days ago has me wishing for more detail and sources
“Cyber attack insurance liability is the biggest direct risk to Berkshire that springs to mind. The wording of many policies is not tight enough to allow the insurer to use the “acts of war” exclusion. As shown in the recent Kraft ruling. Such attacks are already underway, and could very plausibly “escape” to, or be aimed at, entities insured by Berkshire.”
At the 2002 annual meeting, WEB was forthright that the absence of terrorism-exclusion clauses in a number of the catastrophic reinsurance policies that Berkshire backed was a serious omission on his part. If my memory serves, he implied it could have been an existential Berkshire event. He went on to reassure that those holes were being rapidly plugged as policies termed out and were renegotiated, and I think it was later that year (or perhaps the 2003 meeting) he reported, all done.
It seems unlikely to me – and, disturbing if true – that Warren/Ajit/Berkshire would be repeating this error of omission twenty years later with the absence of a carefully worded cyberterrorism exclusion. It seems pretty well accepted that major governments have each others’ financial, utilities, refining informatics infrastructure deeply penetrated (quote below, fwiw).
My point is, for the same management team to miss a potentially existential exclusion twice would be unforgivable.
a) Why do you state that the current supercat language doesn’t do that? Would you provide a contemporary example?
b) Where did you get the hypothesized $10bn limit? Why couldn’t this be $100Bn?
"Russia, China, North Korea, and Iran are stockpiling their own zero-days and laying their own logic bombs. They know our digital topography well; in too many cases, they are already inside… one could argue the gap between what the United States is capable of and what our enemies can do has sufficiently closed.
The world is on the precipice of a cyber catastrophe. A few years ago, I dismissed these words as alarmist, irresponsible even. Too many used “FUD” to pitch snake oil. The cybersecurity industry pushed so many world-ending scenarios on us, with such frequency, that we became jaded. But after a decade immersed in digital threats, I fear these words have never been truer."
Nicole Perlroth, “This is How They Tell Me the World Ends”, Bloomsbury 2021
Why do you state that the current supercat language doesn’t do that? Would you provide a contemporary example?
Kraft was hit badly by the NotPetya attack, the largest cyber loss epidemic to date.
They wanted their insurer to pay out, as they had cyber attack insurance in place.
The insurer said no, arguing they were hit by “stray digital bullets” from a Russian attack on Ukraine. (not the current one!)
The insurer’s excuse was that it was an act of war, which was excluded from the policy.
It went to court, and the result was released only recently.
The court said “nope”—wars generally mean things like soldiers, tanks, bullets, and that had the
policy intended to exclude digital attacks, the insurer had had many years to update their wording to say that.
As they had not done so, any reasonable person would expect “war” to mean shooting war, so they were ordered to honour the policy.
Of course, all the insurers with similar wording will be re-writing their policies frantically to exclude cyber attacks as part of an act of war.
But it takes time for existing policies to run off.
And this could be a bad month or two for cyber losses.
b) Where did you get the hypothesized $10bn limit? Why couldn’t this be $100Bn?
Plucked from thin air.
But I suspect Berkshire doesn’t write THAT much cyber insurance.
Maximum losses are probably capped somewhere, for each client and probably in aggregate as well.
I picked a number, on the order of a hurricane.
Berkshire is a pretty staid insurer. My estimation is that there is no way they would sit on a potential $100bn liability.