2222222222

Cyber Risk

Hacking the Food Supply

Cyber exposure is a growing concern for farms and agribusiness companies of all sizes.
By: | March 27, 2018 • 7 min read

As agribusiness companies large and small leverage new technologies to increase yields, ease labor strains and maintain a competitive edge, cyber risk has become a growing concern in what was once perceived by many as a relatively low-tech industry.

Advertisement




“When people generally think about agribusiness, they think about a farmer sitting on a tractor, driving it through his field,” said Stephanie Snyder, senior vice president and national sales leader of cyber insurance at Aon Professional Risk Solutions.

But increasingly, even small- and medium-sized farms are dependent on satellite imagery, drones, smart tractors and other tech.

“It’s not your grandpa’s farm anymore,” said Snyder. “Farming and agricultural organizations are really quite advanced from a technology standpoint.”

Each added device and connection means a greater attack surface for potential cyber security breaches.

“The cyber security that has been applied to a lot of these remotely connected devices is not the best cyber security in the world,” said Michael Born, vice president in Lockton’s Cyber Technology Practice.

Stephanie Snyder, SVP and national sales leader, cyber insurance, Aon Professional Risk Solutions

Scott Stransky, assistant vice president and principal scientist at AIR Worldwide, said users often don’t change their devices’ default passwords. “If you don’t change the default password, you’re basically inviting attackers in,” he said.

As is often the case with industry-specific devices, Stransky said, “There are systems in agriculture that only run on older and less secure operating systems that simply can’t be updated if they want the system to work properly. Hackers can use those vulnerabilities.”

Devices themselves can also be vulnerable to theft. “Drones are valuable,” said Born. “To the extent that I can interrupt your signal and have a drone come to me instead, that’s potentially an easy way for me to steal a piece of valuable property.”

Drones can also present liability risks by violating neighbors’ or others’ privacy rights, or interfering with aircraft.

More common than targeted attacks are problems caused by malware or ransomware, sometimes as a result of phishing attacks.

In other industries, the biggest cyber risk is data breach, and that can be a concern for biotech and chemical companies protecting sensitive trade secrets.

But while farmers may expose their personal or business data, the bigger risk is operational: What could happen if control of all those networks and devices are interrupted or even hijacked?

“In 2018, the focus is more on operational technology,” said Snyder.

“As these organizations are using more and more technology to run their business, if there is some type of breach of that technology, what is the impact to that organization from a balance sheet standpoint, from a financial loss standpoint?”

For farmers who have automated their irrigation, fertilization, harvesting, refrigerated storage or livestock management, such operational interruptions could be devastating.

“If the interruption lasts for any significant period of time at all, say days or even a week, then you could have serious effects on an agribusiness because of the nature of that business,” said Born.

Currently, such losses generally aren’t excluded.

“Once we start to talk about physical damage or livestock injuries or crop destruction, we’re now in the realm of what we call ‘silent cyber,’ where there actually is quite a bit of insurance being written today that doesn’t explicitly exclude cyber as a cause of loss, and doesn’t say it doesn’t include it either,” said Stransky.

“It’s literally silent on whether it includes cyber. And there’s very little legal precedent for whether or not the cyber-induced losses will end up having to be paid. The assumption is that they will, because they are not explicitly excluded.”

Michael Born, vice president, Cyber Technology Practice, Lockton

Major losses from cyber risks have been largely theoretical in the agriculture sector, and as long as they remain so, they most likely won’t be excluded.

“These policy wordings are not really changing due to cyber yet,” said Stransky. “It may take a very large event to spur that on, and then I think you’ll see a great number of companies changing.”

Born is not so sure. “Given the market that exists right now, coverage is broadening and not narrowing, so it’s less likely to happen.”

But he also sees events in other sectors impacting coverage in agribusiness.

“A lot of times these changes in insurance coverage happen globally for a company on all similarly written policies,” said Born.

“Since we’ve seen a couple of large losses on some of the manufacturing and transportation industries arising out of some of these attacks, insurance companies in general are starting to take a close look at what they do and do not cover from a property standpoint.

Advertisement




“It’s a really hot topic in the insurance industry today: where is this coverage going to fall? If you have a cyber attack that causes property damage or bodily injury, where does the coverage fall? Does it fall on the property policy, the general liability policy, a dedicated cyber policy? Are there gaps in between those?”

Either way, Snyder sees other benefits to cyber policies.

“Cyber insurance policies are going to indemnify the organization for the net income loss they have, as well as extra expenses that they incur,” she said.

“And cyber insurance actually takes that one step further. You can have business interruption indemnification under the policy, not just for a breach of network security but also if you have a technology failure.”

Such coverage can also indemnify for costly computer forensics and remediation.

“Something that we work with our clients on is doing risk quantification modeling,” said Snyder. “Essentially helping our clients determine the financial statement impact or potential loss if they were to have some type of breach that resulted in an outage and an interruption.”

Born noted that, “A lot of insurers out there are offering risk management services along with cyber policies, and these are pre-breach services.”

But he recommends keeping your broker up to date. “If there is a change in operations that could have an impact on this type of exposure, then certainly they should talk to us and we should reevaluate that exposure, mid-term if necessary.”

“It’s not your grandpa’s farm anymore. Farming and agricultural organizations are really quite advanced from a technology standpoint.” — Stephanie Snyder, SVP and national sales leader, cyber insurance, Aon Professional Risk Solutions

Interruptions due to a cyber breach can also have impacts far beyond the farm directly affected.

“We’re talking about the beginning of the supply chain,” said Born. “… If their operations are interrupted and they don’t have the produce or the livestock to provide to the other folks along the supply chain, it’s going to affect all of those businesses.”

“Supply chain insurance is out there,” said Stransky, “but the take-up rate for supply chain insurance is really low.”

Scott Stransky, assistant vice president and principal scientist, AIR Worldwide

“You don’t typically buy insurance for bad things that happen to other people,” said Born. “You buy insurance for bad things that happen to you or your business.”

But with cyber risks threatening every link in the supply chain, that may no longer be the case.

“Even if nothing happened to you and nothing was your fault, if your supply is interrupted because of a cyber attack or other perils, that affects your ability to do business and to make income, we can cover that exposure for you as well,” said Born.

But, he added, “That starts to get into aggregation issues, which is something we’ve been talking about for a while when it comes to cyber, but is particularly relevant when you start insuring events that could happen to another party.

“If that same party supplies many different companies and all of those companies have the supply chain insurance, you have some real aggregation issues.”

Advertisement




While coverage is obviously important, even more important is avoiding vulnerabilities in the first place.

“It’s all about the people and their vigilance against the cyber attacks,” said Stransky. He emphasizes the importance of changing default passwords, being wary of phishing attempts, and hiring a trusted IT professional to set up equipment and explain how to maintain it.

But ultimately, Born sees cyber coverage becoming another basic cost of doing business.

“I think some form of cyber coverage will become more or less standard coverage for most businesses at some point in the future,” said Born.

“And I don’t think agribusiness is going to be any exception.” &

Jon McGoran is a novelist and magazine editor based outside of Philadelphia. He can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Risk Focus: Workers' Comp

Do You Have Employees or Gig Workers?

The number of gig economy workers is growing in the U.S. But their classification as contractors leaves many without workers’ comp, unemployment protection or other benefits.
By: and | July 30, 2018 • 5 min read

A growing number of Americans earn their living in the gig economy without employer-provided benefits and protections such as workers’ compensation.

Advertisement




With the proliferation of on-demand services powered by digital platforms, questions surrounding who does and does not actually work in the gig economy continue to vex stakeholders. Courts and legislators are being asked to decide what constitutes an employee and what constitutes an independent contractor, or gig worker.

The issues are how the worker is paid and who controls the work process, said Bobby Bollinger, a North Carolina attorney specializing in workers’ compensation law with a client roster in the trucking industry.

The common law test, he said, the same one the IRS uses, considers “whose tools and whose materials are used. Whether the employer is telling the worker how to do the job on a minute-to-minute basis. Whether the worker is paid by the hour or by the job. Whether he’s free to work for someone else.”

Legal challenges have occurred, starting with lawsuits against transportation network companies (TNCs) like Uber and Lyft. Several court cases in recent years have come down on the side of allowing such companies to continue classifying drivers as independent contractors.

Those decisions are significant for TNCs, because the gig model relies on the lower labor cost of independent contractors. Classification as an employee adds at least 30 percent to labor costs.

The issues lie with how a worker is paid and who controls the work process. — Bobby Bollinger, a North Carolina attorney

However, a March 2018 California Supreme Court ruling in a case involving delivery drivers for Dynamex went the other way. The Dynamex decision places heavy emphasis on whether the worker is performing a core function of the business.

Under the Dynamex court’s standard, an electrician called to fix a wiring problem at an Uber office would be considered a general contractor. But a driver providing rides to customers would be part of the company’s central mission and therefore an employee.

Despite the California ruling, a Philadelphia court a month later declined to follow suit, ruling that Uber’s limousine drivers are independent contractors, not employees. So a definitive answer remains elusive.

A Legislative Movement

Misclassification of workers as independent contractors introduces risks to both employers and workers, said Matt Zender, vice president, workers’ compensation product manager, AmTrust.

“My concern is for individuals who believe they’re covered under workers’ compensation, have an injury, try to file a claim and find they’re not covered.”

Misclassifying workers opens a “Pandora’s box” for employers, said Richard R. Meneghello, partner, Fisher Phillips.

Issues include tax liabilities, claims for minimum wage and overtime violations, workers’ comp benefits, civil labor law rights and wrongful termination suits.

The motive for companies seeking the contractor definition is clear: They don’t have to pay for benefits, said Meneghello. “But from a legal perspective, it’s not so easy to turn the workforce into contractors.”

“My concern is for individuals who believe they’re covered under workers’ compensation, have an injury, try to file a claim and find they’re not covered in the eyes of the state.” — Matt Zender, vice president, workers’ compensation product manager, AmTrust

It’s about to get easier, however. In 2016, Handy — which is being sued in five states for misclassification of workers — drafted a N.Y. bill to establish a program where gig-economy companies would pay 2.5 percent of workers’ income into individual health savings accounts, yet would classify them as independent contractors.

Unions and worker advocacy groups argue the program would rob workers of rights and protections. So Handy moved on to eight other states where it would be more likely to win.

Advertisement




So far, the Handy bills have passed one house of the legislature in Georgia and Colorado; passed both houses in Iowa and Tennessee; and been signed into law in Kentucky, Utah and Indiana. A similar bill was also introduced in Alabama.

The bills’ language says all workers who find jobs through a website or mobile app are independent contractors, as long as the company running the digital platform does not control schedules, prohibit them from working elsewhere and meets other criteria. Two bills exclude transportation network companies such as Uber.

These laws could have far-reaching consequences. Traditional service companies will struggle to compete with start-ups paying minimal labor costs.

Opponents warn that the Handy bills are so broad that a service company need only launch an app for customers to contract services, and they’d be free to re-classify their employees as independent contractors — leaving workers without social security, health insurance or the protections of unemployment insurance or workers’ comp.

That could destabilize social safety nets as well as shrink available workers’ comp premiums.

A New Classification

Independent contractors need to buy their own insurance, including workers’ compensation. But many don’t, said Hart Brown, executive vice president, COO, Firestorm. They may not realize that in the case of an accident, their personal car and health insurance won’t engage, Brown said.

Matt Zender, vice president, workers’ compensation product manager, AmTrust

Workers’ compensation for gig workers can be hard to find. Some state-sponsored funds provide self-employed contractors’ coverage.  Policies can be expensive though in some high-risk occupations, such as roofing, said Bollinger.

The gig system, where a worker does several different jobs for several different companies, breaks down without portable benefits, said Brown. Portable benefits would follow workers from one workplace engagement to another.

What a portable benefits program would look like is unclear, he said, but some combination of employers, independent contractors and intermediaries (such as a digital platform business or staffing agency) would contribute to the program based on a percentage of each transaction.

There is movement toward portable benefits legislation. The Aspen Institute proposed portable benefits where companies contribute to workers’ benefits based on how much an employee works for them. Uber and SEI together proposed a portable benefits bill to the Washington State Legislature.

Advertisement




Senator Mark Warner (D. VA) introduced the Portable Benefits for Independent Workers Pilot Program Act for the study of portable benefits, and Congresswoman Suzan DelBene (D. WA) introduced a House companion bill.

Meneghello is skeptical of portable benefits as a long-term solution. “They’re a good first step,” he said, “but they paper over the problem. We need a new category of workers.”

A portable benefits model would open opportunities for the growing Insurtech market. Brad Smith, CEO, Intuit, estimates the gig economy to be about 34 percent of the workforce in 2018, growing to 43 percent by 2020.

The insurance industry reinvented itself from a risk transfer mechanism to a risk management mechanism, Brown said, and now it’s reinventing itself again as risk educator to a new hybrid market. &

Susannah Levine writes about health care, education and technology. She can be reached at [email protected] Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]