Cyber risk indigestion for the food, agricultural, and beverage sector

“It can take months or even years to realise the full cost of a cyber-attack, and some firms may never recover”. That’s the stark warning contained in Aon’s latest C-Suite Series report – Prepare for the expected: Safeguarding value in the era of cyber risk – and it’s one that is particularly pertinent for the food, agricultural, and beverage (FAB) sector with its tight margins, risk aggregation and historic underinvestment in cyber resilience.

Businesses interrupted

Every industry is vulnerable to cyber risk, but it seems to me that the FAB sector has more vulnerabilities than most, particularly when it comes to critical aggregations within the industry. Take food irrigation, for example. Getting on for half the world’s food irrigators are supplied by a single organisation. What if there was some sort of aggregated outage across connected irrigators following a cyber-attack? The potential for a non-damage business interruption (BI) attack across all those irrigators could be huge.

Through connected systems and complex supply chains, FAB businesses are now seeing problems across multiple sites, and it’s easy to see how the commercial impact of an event aggregates very quickly.

Stolen secrets

Other business exposures for the FAB sector include the confidentiality of information: its trade secrets, know-how, and intellectual property, as well as customer information. FAB companies have seen some of the largest personally identifiable information (PII) breaches, and in the US, something like 20% of all data breaches are in that sector.

Product integrity is also fundamental to the FAB sector. Threat actors might be interested in impacting the integrity of food products given the role FAB plays in the critical infrastructure of a nation state. Again, the aggregations could be very scary.

Lack of investment in cyber resilience

What this all means is the FAB sector cannot afford to take its cyber security lightly, but findings from Aon’s cyber self-assessment tool – CyQu, which evaluates cyber security maturity across industry verticals – reveal that the FAB sector has low maturity when it comes to cyber resilience. One reason for this lack of investment revolves around the sector’s focus on quality, safety and cost of products, and how it leverages technology without committing the necessary resource to looking at what can happen if things go wrong.

It is a 24/7 industry that often doesn’t have the time to consider the risks of using new technology. Think about farmers, for example, who have to look at product safety, quality and budgets; they’re having to use technology to guarantee those three things, but farmers aren’t generally technology experts, which makes them vulnerable to cyber-attack, particularly from hackers looking to use smaller, more vulnerable third parties to access the networks of bigger companies.

How to improve

To improve cyber resilience, Aon’s cyber report lists four key steps: the need for the C-suite to take accountability; a whole enterprise approach to the risk; a focus on prevention; and a need to protect the balance sheet. For the FAB sector, it’s the protection of the balance sheet that really stands out. With such tight margins, even the large companies can’t easily manage a shutdown of more than one or two days before liquidity issues become a problem.

So, how best to address their cyber risk? For most organisations, it’s about understanding what technology assets are crucial to the business from a revenue generation and/or risk aggregation standpoint – like the storage of PII for example.

We encourage clients in FAB to identify what their key assets are and what their maximum potential loss could be, and to look at potential scenarios, through a structured walk-through for example, to see what would have to happen to cause financial stress to the business. It’s then about understanding from a quantitative perspective what the loss would look like by identifying first-party costs and third-party costs, and then ultimately doing something about mitigating that risk.

Are you covered?

It might mean going back to your insurance policies to see if you’re covered and, if not, what improvements could be made. There is a low take-up of cyber insurance in the FAB industry in the EMEA region, with a lot of companies thinking they’re already covered. You only have to look at the recent Mondelez NotPetya ransomware case – which saw the food company’s 1,700 servers and 24,000 laptops put out of action – and its insurer’s refusal to pay out US$100 million on a property policy to see what can happen if the right insurance isn’t in place.

Businesses are still relying on their property damage/business interruption or general liability policies which are not intended for non-damage scenarios. It’s a real gap we’re seeing that needs to be addressed through a standalone cyber insurance policy.

To find out more about how to protect your business from the cyber threat, read the full Aon report: Prepare for the expected: Safeguarding value in the era of cyber risk