Cyber Risk

Hacking the Food Supply

Cyber exposure is a growing concern for farms and agribusiness companies of all sizes.
March 27, 2018 • 7 min read

As agribusiness companies large and small leverage new technologies to increase yields, ease labor strains and maintain a competitive edge, cyber risk has become a growing concern in what was once perceived by many as a relatively low-tech industry.

“When people generally think about agribusiness, they think about a farmer sitting on a tractor, driving it through his field,” said Stephanie Snyder, senior vice president and national sales leader of cyber insurance at Aon Professional Risk Solutions.

But increasingly, even small- and medium-sized farms are dependent on satellite imagery, drones, smart tractors and other tech.

“It’s not your grandpa’s farm anymore,” said Snyder. “Farming and agricultural organizations are really quite advanced from a technology standpoint.”

Each added device and connection means a greater attack surface for potential cyber security breaches.

“The cyber security that has been applied to a lot of these remotely connected devices is not the best cyber security in the world,” said Michael Born, vice president in Lockton’s Cyber Technology Practice.

Scott Stransky, assistant vice president and principal scientist at AIR Worldwide, said users often don’t change their devices’ default passwords. “If you don’t change the default password, you’re basically inviting attackers in,” he said.

As is often the case with industry-specific devices, Stransky said, “There are systems in agriculture that only run on older and less secure operating systems that simply can’t be updated if they want the system to work properly. Hackers can use those vulnerabilities.”

Devices themselves can also be vulnerable to theft. “Drones are valuable,” said Born. “To the extent that I can interrupt your signal and have a drone come to me instead, that’s potentially an easy way for me to steal a piece of valuable property.”

Drones can also present liability risks by violating neighbors’ or others’ privacy rights, or interfering with aircraft.

More common than targeted attacks are problems caused by malware or ransomware, sometimes as a result of phishing attacks.

In other industries, the biggest cyber risk is data breach, and that can be a concern for biotech and chemical companies protecting sensitive trade secrets.

But while farmers may expose their personal or business data, the bigger risk is operational: What could happen if control of all those networks and devices is interrupted or even hijacked?

“In 2018, the focus is more on operational technology,” said Snyder.

“As these organizations are using more and more technology to run their business, if there is some type of breach of that technology, what is the impact to that organization from a balance sheet standpoint, from a financial loss standpoint?”

For farmers who have automated their irrigation, fertilization, harvesting, refrigerated storage or livestock management, such operational interruptions could be devastating.

“If the interruption lasts for any significant period of time at all, say days or even a week, then you could have serious effects on an agribusiness because of the nature of that business,” said Born.

Currently, such losses generally aren’t excluded.

“Once we start to talk about physical damage or livestock injuries or crop destruction, we’re now in the realm of what we call ‘silent cyber,’ where there actually is quite a bit of insurance being written today that doesn’t explicitly exclude cyber as a cause of loss, and doesn’t say it doesn’t include it either,” said Stransky.

“It’s literally silent on whether it includes cyber. And there’s very little legal precedent for whether or not the cyber-induced losses will end up having to be paid. The assumption is that they will, because they are not explicitly excluded.”

Major losses from cyber risks have been largely theoretical in the agriculture sector, and as long as they remain so, they most likely won’t be excluded.

“These policy wordings are not really changing due to cyber yet,” said Stransky. “It may take a very large event to spur that on, and then I think you’ll see a great number of companies changing.”

Born is not so sure. “Given the market that exists right now, coverage is broadening and not narrowing, so it’s less likely to happen.”

But he also sees events in other sectors impacting coverage in agribusiness.

“A lot of times these changes in insurance coverage happen globally for a company on all similarly written policies,” said Born.

“Since we’ve seen a couple of large losses on some of the manufacturing and transportation industries arising out of some of these attacks, insurance companies in general are starting to take a close look at what they do and do not cover from a property standpoint.

“It’s a really hot topic in the insurance industry today: where is this coverage going to fall? If you have a cyber attack that causes property damage or bodily injury, where does the coverage fall? Does it fall on the property policy, the general liability policy, a dedicated cyber policy? Are there gaps in between those?”

Either way, Snyder sees other benefits to cyber policies.

“Cyber insurance policies are going to indemnify the organization for the net income loss they have, as well as extra expenses that they incur,” she said.

“And cyber insurance actually takes that one step further. You can have business interruption indemnification under the policy, not just for a breach of network security but also if you have a technology failure.”

Such coverage can also indemnify for costly computer forensics and remediation.

“Something that we work with our clients on is doing risk quantification modeling,” said Snyder. “Essentially helping our clients determine the financial statement impact or potential loss if they were to have some type of breach that resulted in an outage and an interruption.”

Born noted that, “A lot of insurers out there are offering risk management services along with cyber policies, and these are pre-breach services.”

But he recommends keeping your broker up to date. “If there is a change in operations that could have an impact on this type of exposure, then certainly they should talk to us and we should reevaluate that exposure, mid-term if necessary.”

Interruptions due to a cyber breach can also have impacts far beyond the farm directly affected.

“We’re talking about the beginning of the supply chain,” said Born. “… If their operations are interrupted and they don’t have the produce or the livestock to provide to the other folks along the supply chain, it’s going to affect all of those businesses.”

“Supply chain insurance is out there,” said Stransky, “but the take-up rate for supply chain insurance is really low.”

“You don’t typically buy insurance for bad things that happen to other people,” said Born. “You buy insurance for bad things that happen to you or your business.”

But with cyber risks threatening every link in the supply chain, that may no longer be the case.

“Even if nothing happened to you and nothing was your fault, if your supply is interrupted because of a cyber attack or other perils, that affects your ability to do business and to make income, we can cover that exposure for you as well,” said Born.

But, he added, “That starts to get into aggregation issues, which is something we’ve been talking about for a while when it comes to cyber, but is particularly relevant when you start insuring events that could happen to another party.

“If that same party supplies many different companies and all of those companies have the supply chain insurance, you have some real aggregation issues.”

While coverage is obviously important, even more important is avoiding vulnerabilities in the first place.

“It’s all about the people and their vigilance against the cyber attacks,” said Stransky. He emphasizes the importance of changing default passwords, being wary of phishing attempts, and hiring a trusted IT professional to set up equipment and explain how to maintain it.

But ultimately, Born sees cyber coverage becoming another basic cost of doing business.

“I think some form of cyber coverage will become more or less standard coverage for most businesses at some point in the future,” said Born.

“And I don’t think agribusiness is going to be any exception.”

Jon McGoran is a novelist and magazine editor based outside of Philadelphia. He can be reached at [email protected]

More from Risk & Insurance

Risk Management

The Profession: Curt Gross

This director of risk management sees cyber, IP and reputation risks as evolving threats, but more formal education may make emerging risk professionals better prepared.
June 1, 2018 • 4 min read

R&I: What was your first job?

My first non-professional job was working at Burger King in high school. I learned some valuable life lessons there.

R&I: How did you come to work in risk management?

After taking some accounting classes in high school, I originally thought I wanted to be an accountant. After working on a few Widgets Inc. projects in college, I figured out that wasn’t what I really wanted to do. Risk management found me. The rest is history. Looking back, I am pleased with how things worked out.

R&I: What is the risk management community doing right?

I think we do a nice job on post graduate education. I think the ARM and CPCU designations give credibility to the profession. Plus, formal college risk management degrees are becoming more popular these days. I know The University of Akron just launched a new risk management bachelor’s program in the fall of 2017 within the business school.

R&I: What could the risk management community be doing a better job of?

I think we could do a better job with streamlining certificates of insurance or, better yet, evaluating if they are even necessary. It just seems to me that there is a significant amount of time and expense around generating certificates. There has to be a more efficient way.

R&I: What was the best location and year for the RIMS conference and why?

Selfishly, I prefer a destination with a direct flight when possible. RIMS does a nice job of selecting various locations throughout the country. It is a big job to successfully pull off a conference of that size.

Curt Gross, Director of Risk Management, Parker Hannifin Corp.

R&I: What’s been the biggest change in the risk management and insurance industry since you’ve been in it?

Definitely the change in nontraditional property & casualty exposures such as intellectual property and reputational risk. Those exposures existed way back when but in different ways. As computer networks become more and more connected and news travels at a more rapid pace, it just amplifies these types of exposures. Sometimes we have to think like the perpetrator, which can be difficult to do.

R&I: What emerging commercial risk most concerns you?

I hate to sound cliché — it’s quite the buzz these days — but I would have to say cyber. It’s such a complex risk involving nontraditional players and motives. Definitely a challenging exposure to get your arms around. Unfortunately, I don’t think we’ll really know the true exposure until there is more claim development.

R&I: What insurance carrier do you have the highest opinion of?

Our captive insurance company. I’ve been fortunate to work for several companies with a captive, each one with a different operating objective. I view a captive as an essential tool for a successful risk management program.

R&I: Who is your mentor and why?

I can’t point to just one. I have and continue to be lucky to work for really good managers throughout my career. Each one has taken the time and interest to develop me as a professional. I certainly haven’t arrived yet and welcome feedback to continue to try to be the best I can be every day.

R&I: What have you accomplished that you are proudest of?

I would like to think I have and continue to bring meaningful value to my company. However, I would have to say my family is my proudest accomplishment.

R&I: What is your favorite book or movie?

Favorite movie is definitely “Good Will Hunting.”

R&I: What’s the best restaurant you’ve ever eaten at?

Tough question to narrow down. If my wife ran a restaurant, it would be hers. We try to have dinner as a family as much as possible. If I had to pick one restaurant though, I would say Fire Food & Drink in Cleveland, Ohio. Chef Katz is a culinary genius.

R&I: What is the most unusual/interesting place you have ever visited?

The Grand Canyon. It is just so vast. A close second is Stonehenge.

R&I: What is the riskiest activity you ever engaged in?

A few, actually. Up until a few years ago, I owned a sport bike (motorcycle). Of course, I wore the proper gear, took a safety course and read a motorcycle safety book. Also, I have taken a few laps in a NASCAR [race car] around Daytona International Speedway at 180 mph. Most recently, trying to ride my daughter’s skateboard.

R&I: If the world has a modern hero, who is it and why?

The Dalai Lama. A world full of compassion, tolerance and patience and free of discrimination, racism and violence, while perhaps idealistic, sounds like a wonderful place to me.

R&I: What about this work do you find the most fulfilling or rewarding?

I really enjoy the company I work for and my role, because I get the opportunity to work with various functions. For example, while mostly finance, I get to interact with legal, human resources, employee health and safety, to name a few.

R&I: What do your friends and family think you do?

I asked my son. He said, “Risk management and insurance.” (He’s had the benefit of bring-your-kid-to-work day.)

Katie Dwyer is an associate editor at Risk & Insurance®. She can be reached at [email protected]