Digging In: "Smart" Farms: New Targets for Cyber Criminals

Introduction (00:00):
You're listening to Digging In where we dig into the insurance topics, trends and news surrounding all things Agribusiness. Here's your host, Bruce Droz.

Bruce Droz (00:09):
Hello everyone. Welcome to another Alliant Agribusiness podcast. This is Bruce Droz of Alliant Agribusiness and with me today is Trey Busch, the Executive Vice President of Alliant Agribusiness as well as a special guest Bobby Horn. Bobby is Vice President of Alliant Management and Professional Solutions. He's also the Cyber Leader within the group. Welcome Bobby.

Bobby Horn (00:36):
Thanks Bruce. Thanks for having me. Trey, nice to see you as well.

Bruce Droz (00:38):
Great to have you here. So at Alliant Agribusiness, we deal with multiple facets of the food chain from farmers and grower shippers, all the input companies, the fertilizer and chemical seed equipment on the other end of the growing chain, the distribution, food processors. So, it's quite the gamut of types of businesses and sizes of businesses from medium size up to very large. And in our travels and our conversations with our clients and prospects, cyber is on everybody's mind. It's in the news all the time. Everybody knows somebody that has been hit by an attack if they haven't been hit by themselves. Bobby, just to kind of start the conversation, what do you think it is about agribusiness that attracts these cyber criminals? And what do you think it is about the various sizes? It seems like whether you're small or large, you're still a risk. Speak to us about that if you would.

Bobby Horn (01:43):
Yeah. I think specifically with respect to agricultural business, I think as the industry becomes more technologically advanced, right, become more of an online platform, they become a more of a target for these bad actors, right? So, I mean, traditional targets for cyber-criminal activity were manufacturers higher education, municipalities, that type of risk. But as we see the agricultural industry become more and more technologically advanced, they've got more of a target on their back. And so, I think that's one of the reasons that we're seeing a rise in attacks against this type of business. And as far as the size, obviously the larger the company, the bigger the target they have, but it's really the small and medium size businesses that don't have the right controls in place that make them more susceptible to an attack. Obviously the bigger the company, more of an IT budget they have, but we see it not just in agricultural, but really in all industry classes. Those smaller businesses are having more of a difficult time dealing with this cyber risk because they don't have the controls or the funds of the backing for a large it group compared to some of the larger competitors.

Bruce Droz (02:41):
Yeah. And I think it's maybe just a lack of knowledge and a lot of cases of knowing what they need to do, farming and agriculture and food processing, all that stuff. It has become very technologically dependent these days where you think of farming and growing as a low tech natural, it's done by nature, right? You get water, seed and dirt. And however, technology is a huge part of things in the field in terms of the equipment that's being used. In the packing houses, a lot of the equipment is all automated and interconnected. And of course, in the office side, the accounting is all done using sophisticated software programs. So, you talked about the controls and not having resources for these controls. Let's talk about that a little more because the insurance marketplace is in pretty much disarray right now, and you can speak to this on the cyber side. It's in disarray and other areas too, but for obvious reasons on the cyber side, and we're finding that insurers are demanding certain things sometimes with not a lot of notice before the renewal. So, what are you seeing in that area?

Bobby Horn (03:44):
It's been a struggle for us on the brokerage side, dealing with the different requests and demands that the carriers or are looking for. And it's all as a result of the claims that they're paying. Right? I mean, so I guess on the bright side of that, the insurance policies are actually paying out. So that's good, right? It's a good thing for our clients to understand that if you have a policy more likely than not, you're going to get paid for that. Because of the amount of losses, the carriers are saying, okay, well, we had a ransom attack, where was the point of impact? So, things like multi-factor authentication, that's probably the number one control that we're seeing carriers require and without it, we can't get quotes. That's not only just for new business, but also for renewal business as well. And you're right. There's sometimes the deadline put on our appliance is almost unreasonable and the problem with that is that along with these requirements that have underwriters, we're putting on, on our clients, they keep moving the goalposts on. So, they may ask for a multi-factor authentication just for email, right? So, we confirm with our clients, great, you've got multi-factor authentication for email, but then we present it to the underwriters, and they say, well, now we want to see it for remote desktop protocol and virtual desktop virtual logins, as well as privileged access. So they keep, like I said, moving the goalposts on us and requiring additional information on top of what we think is a good risk to begin with. Things on top of multi-factor authentication, we're seeing requirements to have offline backups, encrypted backups, and the use of what we call endpoint detection. We're also seeing carriers require some sort of network monitoring software that can look at the incoming traffic into your network. And short of that carries are saying, we shouldn't run this risk anymore. So, it's been a real uphill battle and a challenge for us to kind of deal with these changes and requirements at the end, or as we're looking for.

Bruce Droz (05:21):
So, if a client, if a business, does not have robust internal resources, like an IT department, and they're faced with these requests and demands in order to get a quote and get insurance on the cyber side. If someone is already insured and has a cyber policy, are there any resources available that kind of come with that from the insurer that could help them through that process?

Bobby Horn (05:45):
Yeah, absolutely. I think one of the main aspects and components of these cyber policies is that they have what we call pre-breach services. So, things like employee training, that's one, right? We talked about MSA and backup controls, but employee training is, is also a key cog in the underwriting requirements. So, whether it's a company, known before, they're a pretty well-known training company. That's one thing. Tabletop exercises, right? So, if you have an incident response plan, are you able to actually test that? So, the carriers will provide services to help you make sure that in the event of an actual ransomware attack, all the pieces are in place, and you know what to do. So, you're not handling it for the first time. We are starting to see more and more carriers also offer for a discount, right? Not necessarily part of the premium, but for a discount, the use of some of their third party technology vendors to get you things like multifactor authentication or EDR tool. So I think that's kind of the shift is that we're seeing some of these carriers, the ones that are more leading edge, offering more of these technology software platforms to their policy holders, because they understand look, number one, it's going to cost an arm and a leg. If you do this without us. And number two, some don't have the wherewithal to actually know who to go to. So, by partnering with these vendors, these carriers, and some of these carriers anyway, are making it easier for their policy holders can become a better risk.

Bruce Droz (06:58):
Well, that's good. There's definitely some value-added services that policy holders need to be aware of. Definitely.

Trey Busch (07:04):
Once a breach does happen, Bobby talked to the robustness of what the carriers provide at the time of a breach and how it may vary from carrier to carrier because it's one thing to buy the policy. It's another thing to have boots on the ground when the claim hits. Right?

Bobby Horn (07:23):
Absolutely. And so, you know, we talked about pre-breach services, obviously where the rubber meets the road is the post-breach services. So, the thing in the carrier, all good cyber carriers have a panel of vendors that you can work with. And that ranges from, the computer forensics teams through legal counsel, public relations, and crisis management teams. So, ideally what we'd like to do for our clients is make sure that we have a dedicated vendor prior to any breach. So, in event of a breach, we know who we're dealing with first, rather than going through that kind of pick and choose process after a claim that just, it takes time and time really is money. And they've been through this specifically with respect to ransomware attack, but the vendors. And again, it varies with each carrier. We'll help you with respect to the computer forensics firms, right? To help you get back online, I'll help you remediate and repair any loss data. And then the law firms, of course, the cyber specialty law firms, so they specialize in data breaches, specifically with respect to privacy loss. If there's a loss of consumer information and you need to notify customers, they're specialists, and they know that because there's 50 different state notification requirements, they'll help you draft those letters and get those out within whether it's the 10, 15-to-30-day requirements by each state. So that's really important to make sure that you have a good understanding of who your panel vendors are and more importantly, making sure that you're picking those vendors prior to any sort of breach occurring. Some carriers, again, it varies each carrier like a company like Beasley, for instance, right? They are pretty much it's our way or the highway. So, you don't use their vendors. You're out of luck. So, we've had instances where companies bought a policy to have a claim and they use their own vendors. And then we, it, they submit to us and at the Beasley and these as well, unfortunately, they're not in the panel, it's not covered. Other carriers provide a supplement, you go off panel and then still other carriers will allow you to endorse non-panel vendors on to their policy, but subject to their preferred rates. So, it's really important that you make sure you understand the difference between panel vendor versus non-panel vendor. And what is available to you as a policy holder.

Trey Busch (09:17):
That's a really important point. I think because in the AG space, there tend to be third-party vendors that these folks use and they're critical because they really are their outsourced IT department. And they do an awful lot of work to try to support and resolve the issue. And if you've got a carrier that's not accepting that it could create a real problem between the broker, the client and the carrier. And so, it's really important to understand that before you have a claim.

Bobby Horn (09:49):
It is right. These companies, whether it's farming or processing, they have a business to focus on and not, they're not necessarily focused on IT. So, they allow us to outsource, like you said. So that is an important part to mention that again, even before the policy is bound, you want to have these conversations with our clients, make sure they understand what are they able to then, and if necessarily, if we need to endorse that specific vendor that the carrier understands and underwrites that beforehand.

Trey Busch (10:10):
While we're talking about these types of services provided by the carriers, can you speak a little bit about the forensic piece of this that the policies can provide? Because the amount of time it takes a client to recreate and then justify and verify their loss can be extremely taxing on a client without a robust financial department.

Bobby Horn (10:35):
Yeah. So, I think what you're referring to as the business interruption side, right? So, we talked about different areas of loss. Obviously, ransomware is most top of mind for a lot of our clients for obvious reasons. But what people don't tend to think about is the business interruption loss associated with ransomware. So, you may have a ransomware attack and the demand is $5 million and you decide, well, you know what, we're not going to pay it because we have good backups, but you're going to be down for a week. And so, trade to your point, not the carriers, not just going to write a check for your lost income for those seven days, you need to provide detailed information that show, okay, this is what are our expected income was for this amount of time. And that comes with the heavy burden on the insured. And so, look, the carrier is going to have their own accounting forensics on their side. Our job as a broker is to also provide an independent forensic accounting firms so that we can provide that information and defend our client to make sure that they're getting the most out of the policy. We've been successful in getting the carriers to add a supplement, whether it's a $100,000 or $150,000 or $200,000, the cost to hire an outside forensic accounting team to help prepare those business interruptions with spreadsheets. But again, it's a good point to bring up because people kind of tend to not think about that side of the loss when they're hit with a ransomware attack. But we're seeing that the business interruption loss tends to be higher than the actual ransomware payment.

Bruce Droz (11:53):
Since we are on the theme of talking about claims, let's stick with that a little bit. What we're seeing from a frequency standpoint on the agribusiness side is the ransomware of course which was getting a lot of the press. But the other thing, maybe even more so is the continuation of social engineering claims. And just to all of our listeners, know what we're talking about here. Could you give an example of both types of claims actually?

Bobby Horn (12:16):
Yeah. So social engineering claims say you've got an email from someone that looks like the right name, from a vendor of yours, asking you to wire funds to an account or services provided. Person let's say on the control team takes that information, wires, let's say a hundred thousand dollars to that account and then two days later, the CFO comes saying, Hey, where did this money go? Why did you send it? Oh, it was, it was from our vendor. And then we get a call from the vendor saying, oh, we were hacked. Someone got into our systems, you're out a hundred thousand dollars. So, the policies do provide some extension of coverage for social engineering, right? So, it's typically supplemented to a 100,000, 250,000. In some cases, 500,000, there are still outliers where we can get full limits. I say full, and it's a million dollars. So that type of coverage, but it is available and there's different extension of cyber-crime. So, you've got obviously social engineering where you're somewhere proposed to be someone that you’re familiar with. There's also invoice manipulation, where your systems are hacked and the information on the invoices are authored so that the money goes to somebody else. We're seeing more and more carriers offer that coverage as well. So, you're right. I mean, ransomware certainly is the kind of buzzword in the insurance industry right now, but social engineering attacks are still probably more prevalent than any other loss that we see on our book.

Bruce Droz (13:32):
And really when you think about how you prevent that, it boils down to the human element and the basic picking up the phone and calling a person you know to confirm that the request is legitimate. That's really the only defense for it.

Bobby Horn (13:46):
Yeah. And it's a good point to make sure you highlight the fact that you pick up the phone. Because I can tell you a pretty funny claim. We had a client, it was a property manager and somebody in the finance department, gets an email asking for money to be paid to this account. So, the email looks suspicious. So rather than pick up the phone, they just responded back to the email, and it said, is this a legitimate request, right? Thinking they're doing the right thing. Of course, the person on their end says, yes, of course it's legitimate. You know, what are you waiting for? Get this money wired over. So that individual then wired three separate payments of $250,000 over the course of a week. Thankfully, the client was able to recover $500,000 of that $750,000 total loss. But it's things like that where someone thinks they're doing the right thing. But by picking up the phone that could have saved themselves a lot of money and their jobs and they eventually did get terminated. But yeah, it's having those policies and procedures in place and making sure your employees are aware of what they are. So, training goes a long way because no matter how great your controls are, you could have the best systems in the world. It all comes down to the human element. As you mentioned, Bruce, and all it takes is one employee to click on a link or in this case not take the extra step to call to verify the payment is legitimate.

Bruce Droz (14:53):
So, continuing to think about coverages and the policy. A lot of insurance policies have a lot of different options and different things that can be added that need to be aware of cyber policies. Haven't really been around all that long in a big scheme of insurance. It's been fairly recent. And our sense is that the coverages are pretty comprehensive for cyber, and most carriers don't offer a lot of pick and choose, but most of the policies automatically include, I would say the majority of the coverages that you'd want as a policy holder. Would you agree with that?

Bobby Horn (15:26):
I would say even your basic off the shelf insurance policy in the cyber marketplace; it covers a good amount of the loss scenario. So, it covers your traditional third-party liability. So, if claims are brought against an insured or let's say a network security attack or loss of private information, you've got coverage for defense and settlement. And then more importantly, all the first party coverage is a lot what we have be talking about today, the breach response costs, the computer forensics, the rent and payments, the business interruption loss, those are all caked into your, even your off the shelf, basic policy. And obviously we as brokers, our job is to dive a little deeper and change, you know, make sure we can make amendments to the policy to tighten up some of the language lessons, some of those broader exclusions and add coverage where we can. But I think for the most part, the policies do what they're intended to do.

Bruce Droz (16:13):
Well, certainly a lot of people, including us are concerned about the state of the marketplace with the huge number of claims that are coming into the cyber arena. What's your read on the current insurance market for cyber and where do you see it going?

Bobby Horn (16:27):
Yeah, it's definitely a difficult marketplace right now. And it's certainly the hardest market in the 20 plus years of this product has been around. Starting the end of 2020, really with that the solar wind supply chain attack, where we started to see that the carriers will take notice and start to promote their terms and conditions. So, we're seeing anywhere on average. I think our clients experience an 80% increase in renewal premium this year alone. On top of that, we're seeing a real restriction of limits as well. So, towers of a hundred million dollars with 10 carriers each putting up 10. Now we're looking at a hundred dollars with 20 carriers. Everyone's only put up 5. So, it's been a real challenge to try and get carries on risk. And on top of that, right, we're also seeing increases in retention. So, the carrier is looking to have, the insurers have a little more skin in the game, right? They want to have them, okay, look, we're paying these losses. We want you to also pay a little bit more than your share that you've been paying. And I think until we see a broader adoption of stronger controls and policies and procedures on the insurance side, we're going to continue to see these firms at these rates that you've perming up even more. Even the best clients with the best controls we're seeing increases, not just in premiums, but also retention. So, anything we can do to differentiate our clients, to make them a better risk to present it to the marketplace is going to help. But I still think we're a ways away. I think at least a year before we see calming down of these rates. And I think many of our clients have experienced already the pains going through a renewal. I mean, again, these things can't happen overnight. It takes sometimes in certain cases, months to implement something like MSA across the board or for having a more robust security operation center or a security incident monitoring tool. So, they're not going to necessarily reap the benefits of those controls until the next renewal.

Trey Busch (18:07):
Yeah, Bobby, we recently had a renewal take place where our client was adamant, they were never going to pay a ransom and we were able to get options where they excluded the ransom payment and actually help provide capacity to our client. Are you seeing a lot of that being done in the marketplace?

Bobby Horn (18:28):
So, we're able to provide a lot of different solutions for our clients with respect to renewed coverage. While we would love to be able to provide full limits across the board for all insurance, give us to our clients, it's not always feasible, certainly based on controls that are in place. So, things like co-insurance are being introduced. And what I mean by co-insurance is that in the event of a loss, the client is responsible for not only the retention, but a percentage of the loss associated with any ransomware attack. So, not just the ransomware payment itself, but anything associated with the loss. So, the business interruption costs, the data forensics remediation, legal counsel, all those costs are considered ransomware loss. So, the insured is responsible for let's say 10, 25 or 50% of that coverage. And there's also times where we can say can we just not pick up the extortion coverage? Which certainly carriers are more than willing to provide that option. We necessarily wouldn't want to do that. But we have had scenarios where clients had a ransomware loss and it was a limit loss and we had to put a new policy in place. And the one of the solutions or one of the options we provided was a go-forward policy that did not include cyber extortion, but the key there, right? Because if you don't read the fine print it can be a little tricky. They cannot cover cyber extortion coverage. So right, that the actual ransom payment, but they're still going to cover the associated loss with the business interruption, the computer forensic, the legal counsel. That's a the clear distinction to make, because other carriers will say, we're not going to cover any ransomware loss, which really is a difficult pill to swallow, especially in the event of a claim, but yet whether it's higher retention, co-insurance supplementing the cyber extortion coverage itself. There's different ways to go about it and making sure that guys at least have an option to buy.

Bruce Droz (20:06):
Bobby, thank you so much for spending that time with us today and sharing your insights into the cyber world and the world of cyber insurance. Trey Busch, thank you for joining us today. Again, this is Bruce Droz of Alliant Agribusiness, signing off this podcast and for our listeners for more information, please go to www.Alliant.com.