Cyber criminals target "low-hanging fruit" in agribusiness

Cyber criminals target "low-hanging fruit" in agribusiness | Insurance Business America

Cyber criminals target "low-hanging fruit" in agribusiness

The world’s largest meat processing company, Brazil-based JBS SA, fell prey to a ransomware attack in May 2021, where hackers paralyzed the servers supporting the food giant’s operations in North America and Australia. Production was disrupted for several days, until JBS paid the equivalent of US$11 million for the hackers to unlock their systems. The FBI attributed the attack to REvil, a Russian-speaking hacking group that has made some of the largest ransomware demands on record in recent months.

As one of the most high-profile attacks ever to impact an agribusiness company, the JBS ransomware incident really set tongues wagging among food growers, processors, producers, manufacturers, distributors, importers and exporters – really the entire food supply chain from seed to sale – around the importance of cyber insurance and effective cyber risk management.

“The food industry has a lot of touch points. Very rarely do you come across someone that grows a product, packages it, and distributes it, so there are often a lot of different first- and third-party access points,” said Justin Reese, executive risk management consultant at the Insurance Office of America (IOA). “Cyber criminals are finding that the food industry, from the large organizations all the way down to the smaller independent operations, is a good place to attack and potentially get a return on investment.”

Read next: Brokers need better cyber support

In recent years, there has been an uptick in the purchase of cyber insurance in the agribusiness industry. Reese pointed out that companies have started to realize that cyber liability is no longer an “obscure” line of business; rather, it’s something the bigger firms (at least) are willing to budget for and educate themselves around.   

“They’re more receptive to not only purchasing a policy, but also to learning about how to mitigate their risk and transfer that risk appropriately,” he commented. “And when they purchase a cyber insurance policy, they’re also making use of the value-added services that often come along with that. There are many advantages of having a policy beyond just the potential claims payment, including educational resources and risk control services.”

The frequency and severity of cyber claims impacting all industries – not just the agribusiness – have both shot up in the past two years. With so many potential entry points for cyber criminals in the agribusiness supply chain, Reese stressed that buying a cyber insurance policy is “a good business decision” based on cost benefit analysis.

He shared the example of a food processing facility with multiple locations across the US and annual revenue of around $150 million. That organization suffered a ransomware attack, in which their entire operations were shut down for almost two weeks.

“Just imagine the amount of business income they could lose in two weeks; it’s very significant,” Reese noted. “They did the best they could to take orders and go old school, but when a huge processing facility is offline, it’s basically impossible to replicate the automation and digital processes with people bagging and boxing. These are very sophisticated risks, so if an insured is shut down for a tremendous period of time, not only might they have to pay a ransom, but they’ll also suffer loss of income, business interruption, potentially a loss of clients, and considerable reputational damage.

“With any type of supply chain, especially in the food industry, if there’s a disruption for even a short period of time, that can cause a significant impact to the bottom line. Cyber insurance policies can help companies deal with those expenses, and they also come with resources – for example, IT experts and legal professionals - that will help insureds get back up and running.”

Read more: “Attackers only need to be correct once”: tackling the new frontier of ransomware

While advocating for agribusiness companies to secure cyber insurance, Reese stressed that “the best line of defense” is always understanding and then putting in risk management or mitigation devices to help eliminate the possibility, or at least reduce the possibility, that they have to actually trigger and use their cyber policy. Security controls like multi-factor authentication (MFA) and regular employee training around issues like phishing are now required by insurers before they will even entertain writing a new cyber policy or renewing an account.

Agents and brokers can help their clients with this. Reese said: “Having an agent or broker that understands the risk and has the resources to help mitigate that risk and put the proper policies in place is critical. Food and agribusiness is very different to many traditional risks. There are not a lot of folks who focus all of their attention in this particular vertical. If an insured deals with specialists that understand the industry, they’re in a better position to ultimately tailor and structure a program, specifically in this case with cyber, that is going to be more beneficial at the time of loss. And most importantly, they’re going to be able to remove some of that low-hanging fruit that cybercriminals have clearly identified in the agribusiness sector.”