Hacking the Food Supply
As agribusiness companies large and small leverage new technologies to increase yields, ease labor strains and maintain a competitive edge, cyber risk has become a growing concern in what was once perceived by many as a relatively low-tech industry.
“When people generally think about agribusiness, they think about a farmer sitting on a tractor, driving it through his field,” said Stephanie Snyder, senior vice president and national sales leader of cyber insurance at Aon Professional Risk Solutions.
But increasingly, even small- and medium-sized farms are dependent on satellite imagery, drones, smart tractors and other tech.
“It’s not your grandpa’s farm anymore,” said Snyder. “Farming and agricultural organizations are really quite advanced from a technology standpoint.”
Each added device and connection means a greater attack surface for potential cyber security breaches.
“The cyber security that has been applied to a lot of these remotely connected devices is not the best cyber security in the world,” said Michael Born, vice president in Lockton’s Cyber Technology Practice.
Scott Stransky, assistant vice president and principal scientist at AIR Worldwide, said users often don’t change their devices’ default passwords. “If you don’t change the default password, you’re basically inviting attackers in,” he said.
As is often the case with industry-specific devices, Stransky said, “There are systems in agriculture that only run on older and less secure operating systems that simply can’t be updated if they want the system to work properly. Hackers can use those vulnerabilities.”
Devices themselves can also be vulnerable to theft. “Drones are valuable,” said Born. “To the extent that I can interrupt your signal and have a drone come to me instead, that’s potentially an easy way for me to steal a piece of valuable property.”
Drones can also present liability risks by violating neighbors’ or others’ privacy rights, or interfering with aircraft.
More common than targeted attacks are problems caused by malware or ransomware, sometimes as a result of phishing attacks.
In other industries, the biggest cyber risk is data breach, and that can be a concern for biotech and chemical companies protecting sensitive trade secrets.
But while farmers may expose their personal or business data, the bigger risk is operational: What could happen if control of all those networks and devices are interrupted or even hijacked?
“In 2018, the focus is more on operational technology,” said Snyder.
“As these organizations are using more and more technology to run their business, if there is some type of breach of that technology, what is the impact to that organization from a balance sheet standpoint, from a financial loss standpoint?”
For farmers who have automated their irrigation, fertilization, harvesting, refrigerated storage or livestock management, such operational interruptions could be devastating.
“If the interruption lasts for any significant period of time at all, say days or even a week, then you could have serious effects on an agribusiness because of the nature of that business,” said Born.
Currently, such losses generally aren’t excluded.
“Once we start to talk about physical damage or livestock injuries or crop destruction, we’re now in the realm of what we call ‘silent cyber,’ where there actually is quite a bit of insurance being written today that doesn’t explicitly exclude cyber as a cause of loss, and doesn’t say it doesn’t include it either,” said Stransky.
“It’s literally silent on whether it includes cyber. And there’s very little legal precedent for whether or not the cyber-induced losses will end up having to be paid. The assumption is that they will, because they are not explicitly excluded.”
Major losses from cyber risks have been largely theoretical in the agriculture sector, and as long as they remain so, they most likely won’t be excluded.
“These policy wordings are not really changing due to cyber yet,” said Stransky. “It may take a very large event to spur that on, and then I think you’ll see a great number of companies changing.”
Born is not so sure. “Given the market that exists right now, coverage is broadening and not narrowing, so it’s less likely to happen.”
But he also sees events in other sectors impacting coverage in agribusiness.
“A lot of times these changes in insurance coverage happen globally for a company on all similarly written policies,” said Born.
“Since we’ve seen a couple of large losses on some of the manufacturing and transportation industries arising out of some of these attacks, insurance companies in general are starting to take a close look at what they do and do not cover from a property standpoint.
“It’s a really hot topic in the insurance industry today: where is this coverage going to fall? If you have a cyber attack that causes property damage or bodily injury, where does the coverage fall? Does it fall on the property policy, the general liability policy, a dedicated cyber policy? Are there gaps in between those?”
Either way, Snyder sees other benefits to cyber policies.
“Cyber insurance policies are going to indemnify the organization for the net income loss they have, as well as extra expenses that they incur,” she said.
“And cyber insurance actually takes that one step further. You can have business interruption indemnification under the policy, not just for a breach of network security but also if you have a technology failure.”
Such coverage can also indemnify for costly computer forensics and remediation.
“Something that we work with our clients on is doing risk quantification modeling,” said Snyder. “Essentially helping our clients determine the financial statement impact or potential loss if they were to have some type of breach that resulted in an outage and an interruption.”
Born noted that, “A lot of insurers out there are offering risk management services along with cyber policies, and these are pre-breach services.”
But he recommends keeping your broker up to date. “If there is a change in operations that could have an impact on this type of exposure, then certainly they should talk to us and we should reevaluate that exposure, mid-term if necessary.”
“It’s not your grandpa’s farm anymore. Farming and agricultural organizations are really quite advanced from a technology standpoint.” — Stephanie Snyder, SVP and national sales leader, cyber insurance, Aon Professional Risk Solutions
Interruptions due to a cyber breach can also have impacts far beyond the farm directly affected.
“We’re talking about the beginning of the supply chain,” said Born. “… If their operations are interrupted and they don’t have the produce or the livestock to provide to the other folks along the supply chain, it’s going to affect all of those businesses.”
“Supply chain insurance is out there,” said Stransky, “but the take-up rate for supply chain insurance is really low.”
“You don’t typically buy insurance for bad things that happen to other people,” said Born. “You buy insurance for bad things that happen to you or your business.”
But with cyber risks threatening every link in the supply chain, that may no longer be the case.
“Even if nothing happened to you and nothing was your fault, if your supply is interrupted because of a cyber attack or other perils, that affects your ability to do business and to make income, we can cover that exposure for you as well,” said Born.
But, he added, “That starts to get into aggregation issues, which is something we’ve been talking about for a while when it comes to cyber, but is particularly relevant when you start insuring events that could happen to another party.
“If that same party supplies many different companies and all of those companies have the supply chain insurance, you have some real aggregation issues.”
While coverage is obviously important, even more important is avoiding vulnerabilities in the first place.
“It’s all about the people and their vigilance against the cyber attacks,” said Stransky. He emphasizes the importance of changing default passwords, being wary of phishing attempts, and hiring a trusted IT professional to set up equipment and explain how to maintain it.
But ultimately, Born sees cyber coverage becoming another basic cost of doing business.
“I think some form of cyber coverage will become more or less standard coverage for most businesses at some point in the future,” said Born.
“And I don’t think agribusiness is going to be any exception.” &