Cyber Risk

Hacking the Food Supply

Cyber exposure is a growing concern for farms and agribusiness companies of all sizes.
By: | March 27, 2018 • 7 min read

As agribusiness companies large and small leverage new technologies to increase yields, ease labor strains and maintain a competitive edge, cyber risk has become a growing concern in what was once perceived by many as a relatively low-tech industry.

Advertisement




“When people generally think about agribusiness, they think about a farmer sitting on a tractor, driving it through his field,” said Stephanie Snyder, senior vice president and national sales leader of cyber insurance at Aon Professional Risk Solutions.

But increasingly, even small- and medium-sized farms are dependent on satellite imagery, drones, smart tractors and other tech.

“It’s not your grandpa’s farm anymore,” said Snyder. “Farming and agricultural organizations are really quite advanced from a technology standpoint.”

Each added device and connection means a greater attack surface for potential cyber security breaches.

“The cyber security that has been applied to a lot of these remotely connected devices is not the best cyber security in the world,” said Michael Born, vice president in Lockton’s Cyber Technology Practice.

Stephanie Snyder, SVP and national sales leader, cyber insurance, Aon Professional Risk Solutions

Scott Stransky, assistant vice president and principal scientist at AIR Worldwide, said users often don’t change their devices’ default passwords. “If you don’t change the default password, you’re basically inviting attackers in,” he said.

As is often the case with industry-specific devices, Stransky said, “There are systems in agriculture that only run on older and less secure operating systems that simply can’t be updated if they want the system to work properly. Hackers can use those vulnerabilities.”

Devices themselves can also be vulnerable to theft. “Drones are valuable,” said Born. “To the extent that I can interrupt your signal and have a drone come to me instead, that’s potentially an easy way for me to steal a piece of valuable property.”

Drones can also present liability risks by violating neighbors’ or others’ privacy rights, or interfering with aircraft.

More common than targeted attacks are problems caused by malware or ransomware, sometimes as a result of phishing attacks.

In other industries, the biggest cyber risk is data breach, and that can be a concern for biotech and chemical companies protecting sensitive trade secrets.

But while farmers may expose their personal or business data, the bigger risk is operational: What could happen if control of all those networks and devices are interrupted or even hijacked?

“In 2018, the focus is more on operational technology,” said Snyder.

“As these organizations are using more and more technology to run their business, if there is some type of breach of that technology, what is the impact to that organization from a balance sheet standpoint, from a financial loss standpoint?”

For farmers who have automated their irrigation, fertilization, harvesting, refrigerated storage or livestock management, such operational interruptions could be devastating.

“If the interruption lasts for any significant period of time at all, say days or even a week, then you could have serious effects on an agribusiness because of the nature of that business,” said Born.

Currently, such losses generally aren’t excluded.

“Once we start to talk about physical damage or livestock injuries or crop destruction, we’re now in the realm of what we call ‘silent cyber,’ where there actually is quite a bit of insurance being written today that doesn’t explicitly exclude cyber as a cause of loss, and doesn’t say it doesn’t include it either,” said Stransky.

“It’s literally silent on whether it includes cyber. And there’s very little legal precedent for whether or not the cyber-induced losses will end up having to be paid. The assumption is that they will, because they are not explicitly excluded.”

Michael Born, vice president, Cyber Technology Practice, Lockton

Major losses from cyber risks have been largely theoretical in the agriculture sector, and as long as they remain so, they most likely won’t be excluded.

“These policy wordings are not really changing due to cyber yet,” said Stransky. “It may take a very large event to spur that on, and then I think you’ll see a great number of companies changing.”

Born is not so sure. “Given the market that exists right now, coverage is broadening and not narrowing, so it’s less likely to happen.”

But he also sees events in other sectors impacting coverage in agribusiness.

“A lot of times these changes in insurance coverage happen globally for a company on all similarly written policies,” said Born.

“Since we’ve seen a couple of large losses on some of the manufacturing and transportation industries arising out of some of these attacks, insurance companies in general are starting to take a close look at what they do and do not cover from a property standpoint.

Advertisement




“It’s a really hot topic in the insurance industry today: where is this coverage going to fall? If you have a cyber attack that causes property damage or bodily injury, where does the coverage fall? Does it fall on the property policy, the general liability policy, a dedicated cyber policy? Are there gaps in between those?”

Either way, Snyder sees other benefits to cyber policies.

“Cyber insurance policies are going to indemnify the organization for the net income loss they have, as well as extra expenses that they incur,” she said.

“And cyber insurance actually takes that one step further. You can have business interruption indemnification under the policy, not just for a breach of network security but also if you have a technology failure.”

Such coverage can also indemnify for costly computer forensics and remediation.

“Something that we work with our clients on is doing risk quantification modeling,” said Snyder. “Essentially helping our clients determine the financial statement impact or potential loss if they were to have some type of breach that resulted in an outage and an interruption.”

Born noted that, “A lot of insurers out there are offering risk management services along with cyber policies, and these are pre-breach services.”

But he recommends keeping your broker up to date. “If there is a change in operations that could have an impact on this type of exposure, then certainly they should talk to us and we should reevaluate that exposure, mid-term if necessary.”

“It’s not your grandpa’s farm anymore. Farming and agricultural organizations are really quite advanced from a technology standpoint.” — Stephanie Snyder, SVP and national sales leader, cyber insurance, Aon Professional Risk Solutions

Interruptions due to a cyber breach can also have impacts far beyond the farm directly affected.

“We’re talking about the beginning of the supply chain,” said Born. “… If their operations are interrupted and they don’t have the produce or the livestock to provide to the other folks along the supply chain, it’s going to affect all of those businesses.”

“Supply chain insurance is out there,” said Stransky, “but the take-up rate for supply chain insurance is really low.”

Scott Stransky, assistant vice president and principal scientist, AIR Worldwide

“You don’t typically buy insurance for bad things that happen to other people,” said Born. “You buy insurance for bad things that happen to you or your business.”

But with cyber risks threatening every link in the supply chain, that may no longer be the case.

“Even if nothing happened to you and nothing was your fault, if your supply is interrupted because of a cyber attack or other perils, that affects your ability to do business and to make income, we can cover that exposure for you as well,” said Born.

But, he added, “That starts to get into aggregation issues, which is something we’ve been talking about for a while when it comes to cyber, but is particularly relevant when you start insuring events that could happen to another party.

“If that same party supplies many different companies and all of those companies have the supply chain insurance, you have some real aggregation issues.”

Advertisement




While coverage is obviously important, even more important is avoiding vulnerabilities in the first place.

“It’s all about the people and their vigilance against the cyber attacks,” said Stransky. He emphasizes the importance of changing default passwords, being wary of phishing attempts, and hiring a trusted IT professional to set up equipment and explain how to maintain it.

But ultimately, Born sees cyber coverage becoming another basic cost of doing business.

“I think some form of cyber coverage will become more or less standard coverage for most businesses at some point in the future,” said Born.

“And I don’t think agribusiness is going to be any exception.” &

Jon McGoran is a novelist and magazine editor based outside of Philadelphia. He can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.

Advertisement




That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top.” — Steve Legg, director of risk management, Starbucks

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.

Advertisement




Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on. &

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]