Digging In: Is the Global Food Supply Vulnerable to Cyber Criminals?

Intro/Outro (00:01):
You're listening to Digging In, where we dig into the insurance topics, trends and news surrounding all things Agribusiness. Here is your host, Bruce Droz.

Bruce Droz (00:18):
Hello everybody, and welcome to another edition of Digging In podcast with Alliant Agribusiness. Today, our topic is cyber issues specifically, as they relate to the agricultural and food industry. And for our conversation today, we've got a really esteemed panel of Alliant professionals. I'm going to let each one introduce themselves, but just briefly, Bobby Horn is in New York. Meghan O'Malley is in California and David Finz is also in New York. So Bobby, why don't you start off with a little background.

Bobby Horn (00:51):
Thank you, Bruce. I appreciate the invite. My name is Bobby Horn. I'm the co-practice leader with Alliant's cyber solutions team, which is housed within the Alliant management and professional solutions group. I work with our clients finding the best possible outcomes for, you know, their cyber insurance needs from placement through, coverage analysis, claims, coordination, you name it. We assist in that. So, thanks again for having us on.

Bruce Droz (01:13):
Meghan.

Meghan O'Malley (01:15):
Thanks, Bruce. Yes. Hi, I'm Meghan O'Malley. I am Bobby's counterpart in the Western half of the US, so to help co-lead our cyber team here at Alliant and I have been in the cyber industry since about 2008, working both in the broking and underwriting sides. So really excited to chat with you today about what we're seeing in the agriculture industry.

Bruce Droz (01:33):
Glad to have you here. Okay. Last, but certainly not least. David.

David Finz (01:37):
Thanks, Bruce. David Finz. I've been with Alliant now for about a year and a half and my role is twofold. I work with Meghan and Bobby to negotiate best-in-class policy wording for our clients, and also to help them maximize their recovery when they have a claim.

Bruce Droz (01:54):
Thank you, David. Alliant is a specialty broker, our group in agribusiness and food, a hundred percent of what we do is in that space. And it seems that there's been all sorts of pressures on this industry here recently, starting from the logistics problems that we're all experiencing, but the Ag and food industry have experienced that in spades, the rising costs, you know, the input costs, labor costs. So, pardon the pun, but it almost seems like the industry is low-hanging fruit for cyber criminals. You know, what have you seen out there that our audience would be interested in, in terms of some anecdotal situations involving agribusiness and food?

Meghan O'Malley (02:34):
I'll take a stab at this one. I think, you know, one of the biggest things that probably caught the eye of agriculture companies was the JBS USA ransomware event in May of 2021. For those of you who aren't aware, JBS USA is a subsidiary of Brazil's JBSSA, who are one of the world's largest meat suppliers and meat processors. And actually, I think they process about 20% of America's meat supply. And they ended up having a ransomware event that shut down their systems completely. We don't know too much about it, other than it was a ransomware event, they were forced to shut down and they ended up paying the 11 million in ransom to get their operations back up and going. But if you think about, you know, 20% of America's meat supply, not being able to function operationally, that's a pretty huge hit to the industry. You know, I think in the insurance industry, we started getting used to seeing ransomware events in other industries, right, in healthcare, in financial services. And seeing that attack on JBS USA was a bit of a shock for us all. I think a lot of times, people in cyber think of agriculture as just a farming industry. And so, you know, how do they have cyber exposures, but there is massive cyber exposures in that industry, given the reliance on operational technology. And so, I think the JBS ransomware event, which ended up paying out what about $11 million was a real eyeopener for our industry for underwriters and brokers alike to go, gosh, there is… there's a lot that we as brokers can be doing for agriculture clients to really ensure that we're helping them transfer risk.

Bruce Droz (04:08):
You mentioned, Meghan, that it was a ransomware attack. That's a term that we hear a lot about. I guess the two terms that we hear a lot about in our space are ransomware and social engineering. Those are the two things that it seems are the most prevalent. Let's address, kind of what that means exactly. How does a ransomware attack happen and how does a social engineering attack happen?

Bobby Horn (04:31):
I'll take part of that question. So, ransomware, it’s a type of malware that's deployed across a system, whether it's through clicking on a link that then, you know, worms its way through your network to the point where then, you know, once the bad guys have an idea of what your network looks like, they can shut you down. But ransomware from an insurance perspective means a lot of different things, right? Because it touches on multiple insurance agreements, not just the cyber extortion. So, when you have a ransomware loss, not only are you impacted from an operational standpoint, so you have a business interruption loss, but there's also a data recovery aspect that comes into play, right? So, the cost to build the systems back up and play, plus the cyber extortion aspect, right, where you're paying a demand to the bad actors if, in fact, you can't get yourself up and running from backups

Bruce Droz (05:14):
Well, so we could give some advice to companies in the Ag food business on how to protect themselves. Obviously buying insurance is an important part of it, but internally, what advice can we give to those listening about maybe some best practices on how to protect themselves?

Meghan O'Malley (05:32):
Bruce, I think that's a really good question to ask and something that all Ag businesses really need to be considering, right? The threat of ransomware and cyber-attacks isn't going away anytime soon. So, the question really is what can we do to better protect ourselves? And I think looking at the Ag industry, one of the first things they can do is really look at segmenting their networks. So, making sure there's proper segmentation or separation between their operational technology networks and their information technology network. So that's your OT network and your IT network. And this is often where there's a lot of weakness in the Ag business in particular because Ag companies have used operational technology for decades. It's what's allowed them to operate. It was really only the introduction of the internet to that operational technology that has increased that cyber threat. And so, I think first and foremost, it's really creating segmentation between that IT network, where a lot of the administrative work is done. And then the OT network, where it's more operational work being done. Bobby, do you want to add in some others there?

Bobby Horn (06:34):
Yeah, no, I think that's a great way to kind of kick it off, right? I think specifically when it comes to control, especially, the underwriters are looking at things like multifactor authentication. I think it's probably the biggest buzzword we've found over the last 24 months, as far as what's the absolute minimum you have to have in place in order to secure coverage, multifactor authentication is probably the answer, you know, without having that in place, that's the easiest way for someone's credentials to be compromised. So, making sure you have MFA in place is critical. Also, the use of dedicated accounts for privileged admin activities. So, password management, rotation logging of accounts. So, you can have an idea of who's in your network and what are they doing. And beyond that, right? Nextgen type of software, smart learning software tracking user behavior. So that, you know, let's say, Bruce Droz, right? You're a broker, why, you know, we can track your day-to-day behavior. But if we see you're going into, you know, certain networks that you shouldn't be, that's going to send a red flag to your IT folks. So that type of software is really, what's kind of the next step from a control standpoint, even with all these things in place. I think one of the things that often gets overlooked is employee training, right? Because that's the first line of defense without your employees being aware of what's out there from a cyber security perspective, or threat perspective, all it takes is one person to click on a link and you're done for. So, there are a plethora of things you can do as a company to make sure you're taking the right steps to prevent an attack.

Bruce Droz (07:53):
Those are great points, Bobby, thank you very much. And I really like the fact that you hit employee training because when you think about it, the human element here is the hardest to control of the whole ecosystem if you will. And it's just very important that employees be always cognizant and always thinking. You did mention too, which is a good segue, you know, occasionally a bad actor will get through. So, let's talk about that. Let's talk about somebody gets in and a business in the agribusiness or food space is faced with a situation where they've got a cyber crisis on their hands. You know, what should they do? What are the most important things to do?

David Finz (08:30):
So, this sounds like one that I should take a stab at. Every organization should have an incident response plan in place, and they should design that incident response plan with an eye toward making sure that their insurance policy performs. And by that, I mean, making sure that the service providers that they're going to use are approved as panel firms or added to the policy by endorsement, that there is a process in place for notifying the insurer to get in touch with the insurer's hotline to coordinate the incident response, making sure that all the statements of work from those outside vendors are approved. Having a plan in place about how to communicate with each other in the event that the network itself is not secure because the last thing we want to have are emails going back and forth about your insurance program while the threat actors in the system. And, you know, we as a broker do not quarterback the incident response, but we could certainly help coordinate getting those providers together, making sure that they're approved and advanced by the carrier, and even taking part in a tabletop exercise to offer our perspective as to how the insurance comes into play with each decision that an organization makes

Bruce Droz (09:51):
Great points, David. And I think that what we've seen is there's different levels of preparedness. There's different levels of companies that either have relationships with providers or may not have existing relationships with providers. And in those cases, there's really a value-added feature of having a cyber policy in place because those resources can come to you, you know, kind of through the insurance company relationships. And we've seen that provide a lot of value to our mid-size and smaller clientele.

David Finz (10:24):
Absolutely, absolutely. Because these are firms that are in this space every day, they understand both how to render the services that are necessary as part of the incident response, but also how to format their invoices and communicate with the insurer in a way that makes sure that the adjusters get the opportunity to review and approve these bills in a timely fashion, which is every bit as important in terms of managing the financial impact to an organization as the capabilities of the firm itself, that's delivering the services.

Bruce Droz (10:59):
So, along those lines, in your experience, I'll ask this of the group, in your experience, have some things come to light that you can share that we would advise, you know, we're talking about what to do. Are there things that you shouldn't do? Any kind of red flags or traps that you shouldn't do when you have an event, right off the bat?

Bobby Horn (11:18):
Yeah. I think one of the things we've talked about and we've run into is making sure that the organization, you experience a ransomware attack, go offline, so to speak, right? Use your personal email rather than broadcasting across your network. Hey, we've been hit with an attack. We need to contact our insurance brokers to see how we have coverage for this. Because that's one thing the bad actors are in your network and they see that communication. Then, they know that you have a cyber insurance policy potentially, and they can ask for more money.

Meghan O'Malley (11:43):
On that note. I'll add David and I were just chatting about this yesterday to a client in that incident response plan that David said you really should have. It's important to note those alternative personal phone numbers and email addresses in that plan. So that at the time of crisis you have that information readily available.

Bruce Droz (12:03):
You know, thank you very much. So, does anyone else have any thoughts along those lines that we can share?

Meghan O'Malley (12:07):
Yeah. I think, Bruce, I would echo some things that have sort of been said before, but I want to really hammer it home that if you purchase a cyber insurance policy, there will be, on any decent policy, there will be a 24/7 hotline that you can call. And that phone number really should be your very first port of call that is going to engage you with an incident response handler who's usually a law firm who specializes in this, will go ahead and start quarterbacking the incident for you, bringing in all the right vendors. And so, I think it's vital. You reach out to those people first and foremost even before you reach out to your broker and then take a moment to pause, you know, and don't freak out about paying the ransom right away because most people don't pay the ransom right away. Those vendors brought in through that kind of quarterbacking hotline will usually engage a ransomware negotiator. And this is someone who literally will negotiate with the bad actors to reduce the payment that they're requiring you to make. And in most instances, we do see the payment made ends up being far less than what they initially requested. So don't pay right away, you know, take a beat, pause, work with the people who are on that panel with you work with the negotiators, work with the forensics people, work with your own in-house people to look at how your systems are actually set up. And if you can access those backups that Bobby mentioned earlier, without taking too long, don't rush the process because you can ultimately end up saving a bit more money if you don't.

Bruce Droz (13:34):
I think I started off the podcast by talking about some of the pressures that the agribusiness and food industry are under and that as a result, it seems to be if you will, pardon the pun, low-hanging fruit for the bad actors. What other situations have you seen out there that can illustrate what's happening in that marketplace right now?

David Finz (13:51):
Yeah. So, without getting into the specifics of, you know, particular incidents that may have been in the news, particular businesses, what we've seen is that the agribusiness sector suffers from some vulnerabilities that can be exploited by these bad actors, right? Some of those vulnerabilities include outdated equipment, legacy equipment that wasn't really designed to work with the internet, a reliance on third parties, a reliance on contractors who have access to the network and whose credentials may not necessarily be closed off once the service agreement has been completed. And all of this just leads to a lot of what are known as attack factors, right? These are opportunities for bad actors to essentially come into a network, gain access, gain privileges, and then maneuver around inside the network to position themselves, to be able to compromise and either to take it down so that it's unable to operate or to exfiltrate or encrypt data that they essentially hold hostage for the payment of ransom.

Bruce Droz (14:59):
So obviously there's a lot going on here. And the frequency of these situations has been elevated, to say the least. What has the reaction been in the insurance marketplace in terms of insurers’, you know, willingness to provide this coverage? What do you think about the potential for availability issues?

Bobby Horn (15:16):
For the longest time cyber as an insurance product was extremely underpriced, right? It was when it first came out 20-plus years ago, it was a liability-only policy. And that coverage only expanded as the years went by, right? We added first-party coverage, cyber extortion, business interruption, and there was so much capacity and so much competition that the rates just got driven down and down to the point where you could get a 10 million policy for, you know, $20,000. In some cases, it's just unheard of when the claims started rolling in the underwriters and the actuaries realized this pricing model is unsustainable. And so, with, you know, ransomware has always been around, but the onload of ransom in the last 24, 36 months has shown that that pricing model needs to be severely corrected. So last year, right when the market started to harden, we saw carriers starting to pull back, not only on limits where 10 million limits were, you know, pretty easily given out cutting those down to five, five were cut to two and a half, but more importantly, we saw ransomware coverage specifically being supplemented. So, you know, as those losses crept up, that particular coverage was being removed.

Meghan O'Malley (16:20):
I think the one thing I would add to that which really marries well with everything Bobby just said is on the capacity issue. You know, Bruce, you asked about new capacity. We really haven't seen new capacity in the market. We haven't seen any new players come in in the last probably two years. It's - the only real new capacity we've seen is the people who went from tens down to fives, maybe creeping back up to tens, but otherwise, we're not seeing new entrance to the cyber market.

Bruce Droz (16:47):
In situations where you do have a client that has experienced reduced capacity, are carriers offering excess coverage to participate on top?

Meghan O'Malley (16:57):
Definitely, you know, we are still able to get excess capacity, given the limited number of people who wanted to actually write primary, it's still a pretty tight market to get the low excess, you know, your first excess is always going to be a bit of a struggle, but there are people willing to do it. And again, the better the controls are. The controls that Bobby mentioned earlier, such as multifactor authentication, EDR, strong backup solutions, you know, the use of privileged access management tools, and those things. The more of those you have, obviously the easier it is going to be to find that low access capacity.

Bruce Droz (17:30):
David, have you seen some specific situations that would resonate with our listeners here of situations that have come up causing an issue on a claim?

David Finz (17:42):
Sure. You know one of the leading cyber insurers right now is embroiled in coverage litigation against one of their own insureds where the question is whether that insured had been truthful in their application around the security controls that they had in place at the time that the coverage was bound. Now that they are staring down a ransomware event that they had notified their insurer about in hope of receiving coverage. The insurer is alleging that in the course of the investigation around the claim, it was discovered that they didn't have certain controls in place that the policyholder claimed that they had, this obviously puts their ability to recover on that claim in jeopardy. And that's why I feel it's very important for broking and claims to work together as Meghan and Bobby and I do, to make sure that, you know, our clients understand this is not a check-the-box exercise. We want to use the underwriting process as a gut check to identify where there may be some deficiencies in their controls to help them get better cybersecurity in place. Not only to reduce the likelihood of the severity of an incident but also to help for the sake of integrity in dealing with the carrier when there is a claim to be able to maximize their recovery if they do have a loss.

Bruce Droz (19:09):
Perfect. If you're a current Alliant client, feel free to reach out to your account executive team for that information, if you're not, you can always access us through www.alliant.com. And with that, I'd really like to thank our panel today, Meghan O'Malley, Bobby Horn and David Finz. I'd like to thank all the listeners as well for tuning in to Alliant's Digging In podcast, have a good day.