Client advisory: Dealing with increasing cyber risks in agriculture

Cybersecurity is an urban problem, isn’t it? Aren’t rural areas far less susceptible to cyberattacks? In fact, a large problem facing rural communities is the lack of broadband access. So, why would agriculture be a target for cybercriminals?

The adoption of advanced technology and farm information management systems in agriculture, including crops and livestock has introduced new vulnerabilities into an industry that was previously mostly mechanical.

As agribusiness more and more becomes “precision agriculture” by introducing sophisticated technology, it is being increasingly targeted by cybercriminals. Large corporate farms are more obvious targets, but small and midsize operations that have embraced digitalization are equally in jeopardy.

In the United Kingdom, “rural crime” is so prevalent the National Cyber Security Center has forcefully recommended that every part of the agricultural system assume the worst, update and patch all devices and software, make regular back-ups and use password protection and encryption.

Agriculture is now more vulnerable than ever to phishing campaigns that house malicious links and attachments; ransomware that leads to lost revenue and business disruption caused by hacks on essential machinery; exposure of confidential data; and even intentional falsification of data that can cause serious integrity issues.

A Caledonia Solution study reported that the adoption of precision agriculture technology doubled on farms from 2013 to 2019. Those farms saw an 11 percent average increase in crop production and a 9 percent average decrease in input expenses. But these benefits can often create their own cyber-security issues.

A Farm Journal Pulse survey discovered that less than 20 percent of interviewed farms felt confident in their data security. As recently as 2014, a Farm Bureau study found that 87 percent of farmers did not have a contingency plan to manage security breaches.

COVID-19 has made the problems even worse

How do you adapt to managing a remote workforce with limited farm labor? Fewer people doing more work often resulting in potentially less oversight of automated equipment and software programs.

Since supplying food to the U.S. and the world relies on a complex, interrelated supply chain, crop and livestock production is susceptible to supply problems that can be created by pandemic issues. With all parts of that chain concerned with protecting against COVID-19, the focus is definitely not on cyber-security.

For example, the first half of the 2020 pandemic year has shown that cyberattack activity has increased:

• Ransomware attacks jumped 148 percent (VMWare)
• Phishing attacks are up 600 percent (KnowBe4)
• 16 billion records were exposed
• FBI and U.S. Secret Service issued alerts for growing threats on business email compromise and malicious email attacks

Using unsecured personal devices for business or not using proper mobile device management protection (VPN, corporate wi-fi, etc.) has always been a potential problem. But that has been exacerbated with many employees working remotely using inconsistent network infrastructures and supports. The resulting confusion and inattention to protocols is what cybercriminals hope for and rely on. 

What the pandemic has meant for supply chain resiliency

Late in 2020, Iowa State University researchers received a grant from the National Institute of Food and Agriculture to study impacts of the COVID-19 pandemic on the U.S. food supply chain. The goal of the study is to develop short- and long-term solutions to increase resiliency against future disruptions, including cyberattacks.

According to Iowa State, the pandemic created major disruptions in a number of agricultural industries, including the realization that there was less of a shock to the agricultural products supply and more of a problem with processing capacity because of reduced labor caused by the pandemic.

As the pandemic spread, restaurants, bars and schools closed which altered eating habits and needs­­—and that created further disruptions in the supply chain. Consumers stayed home, either by choice or by lockdown edicts, and that drove down the need for gasoline, which meant less ethanol.

So, if cybercriminals continue to be successful in hacking both the agricultural industry, its supply chain and the food industry, the disruption could prove not only costly but the consequences could be dire.

Why do cybercriminals attack agriculture?

As mentioned before, food production is a widely interconnected system that is often under-secured, giving cybercriminals multiple entry points.

• Globalization has created an extended supply chain that is far more difficult to secure, and that often results in partnering with and relying on companies that may lack proper cyber-security
• Agriculture has had a traditional focus on performance and safety — not security — and that can lead to major cybersecurity gaps in the entire production and distribution chain
• The growing complexity of precision agriculture has created complexities that are extremely difficult to manage and make secure
• Farmers rely on a mix of cellular, Bluetooth, and Wi-Fi networks, and often still rely heavily on USB drives to manually transfer data. But signal loss and data bandwidth limits common in rural communications networks are a major weak link in the cyber security chain.
• Information firms specializing in agriculture are a potentially vulnerable point of attack.

How do cyber criminals attack agriculture?

Business email
Using email to impersonate someone the farmer may know and trust, and convince them to make an urgent payment or to change their account details

Text and phone scams
Phishing calls and scam texts attempt to trick targets to reveal personal information or click on a link that downloads malware

Phishing emails
Cyber criminals can now convincingly mimic branding and content of well-known organizations which means many people blindly trust them.

The high cost of technology risks

There are two kinds of precision agriculture businesses: ones that have been hacked and ones that will be.

Being highly connected and successfully handling information flow represent the two key factors that create a successful digitally managed farm operation. But these best practices also become the highest vulnerability to cyberattack to disrupt food production.

Cybersecurity in agribusiness isn’t something that should be assumed is simply an IT function or a task outsourced to a vendor. It’s a way of doing business that needs to start at the top and permeate the entire organization in order for cybersecurity to work.

Larger operations may be able to weather cyber-attacks such as phishing, but small farms are often unable to absorb that kind of financial loss. The U.S. House of Representatives Small Business subcommittee on health and technology has reported that 60 percent of small businesses fail after a cyberattack.

Some years farmers will make a profit of up to 50 percent, but the year after they can lose as much as 25 percent, depending on the weather. So, during the “wrong” year, a farming operation would not be able to handle the ransom brought on by a successful phishing attack.

What are the key cyber risks facing agribusiness?

• Business interruption resulting in critical delays and lost opportunity
• Theft, loss, or unauthorized disclosure of corporate personal information
• Theft of proprietary corporate assets (privileged contracts, confidential data, security designs)
• Theft of customer and third-party information
• Access to personal information on other organizations’ servers
• Theft or other damage by disgruntled employees, subcontractors, or vendors
• Corporate espionage by competitors
• Manipulation of vehicles, machinery, HVAC systems and more

Employee exposure
Errors by well-intentioned (but often under-trained) employees can cause serious harm, as can direct attacks by disgruntled, rogue employees. Phishing attacks are prevalent, especially now during the COVID-19 pandemic. Scams can range from the obvious “Nigerian Prince” attacks to falsified invoices from supposedly real vendors to what is known as “Spear Phishing”, which is highly targeted attacks that appear to be from a trusted source such as the company CEO.

Health data exposure
All agricultural organizations have health care data stored for employees and independent contractors as well as being access points for third-party data. This information is highly regarded by cybercriminals, even more so than credit card information.

Social media exposure
Furloughed employees who have become disgruntled with the company may use their own social media accounts to defame their employer as well as distributing sensitive or even false information. While this may create a media liability risk, some cyber insurance policies will cover it.

Corporate social media accounts can be hijacked to spread misleading claims about the organization. That could produce a negative image, especially if the company is well-known or publicly traded.

Potential regulatory exposure
Both the European Union’s GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act) requires any company that collects and shares data to get user consent, provide transparency regarding use of the data, and protect that data. Penalties for non-compliance or breach of privacy are steep, so all companies, including agriculture-related businesses, need to provide additional safeguards for sensitive information as well as update and monitor data collection, retention and removal protocols.

How prepared are agribusiness firms? 

Are agricultural companies ready to create and enforce actionable cyber security rules? Will they be able to act quickly should a cyberattack occur? Will they be able to rapidly initiate an investigation? Deal with claims? Manage class action law suits?

The most recent MMA Cyber Survey showed that 56 percent of all respondents ranked cybersecurity as a Top Five risk management priority, down from the last survey. Eighty percent were confident in their organization’s ability to manage and respond to a cyber event, which is a significant increase from the last survey. And 82 percent believe they are prepared to prevent such an attack.

Yet only 45 percent of respondents said they actually had a plan in place.

As mentioned previously, less than 20 percent are confident that their data — and the data from connected sources — is secure. 87 percent of all farms did not have a contingency plan to manage security breaches.

Preparing for and managing cyber risk 

The first step is to identify sources of potential risk. This should include conducting audits to fully understand how employees access and use critical and sensitive data. The audit should determine who has access to information and critical systems, and examine existing capabilities for monitoring inappropriate system access and potential security vulnerabilities.

Next, institute formal, written policies on the use of corporate networks, and ensure that access to sensitive data is restricted only to parties that require it.

Agribusinesses should also:

• Create a contingency plan—what happens after the attack
• Encrypt/ secure critical technologies (laptops, smartphones, tablets, portable media devices) as well as emerging technologies that can represent significant data security threats
• Train employees and others on how to identify, avoid, and report potentially malicious activity on corporate networks.  Thorough and regular training along with buy-in from everyone will help cyber risk management plans to be more effective
• Educate employees and suppliers on Phishing campaigns—recognizing and avoiding them
• Implement strong internal controls, including resetting of passwords every 90 days
• Regularly review and update software, firewalls and security patches
• Businesses should also institute secure file sharing, advanced email and web filtering, and create separate wi-fi networks for third-parties
• Assess the cybersecurity processes of any third parties that access or retain critical data
• Build favorable “hold harmless” agreements into contracts with third-party vendors
• Establish procedures to evaluate any third-party service providers (if applicable)
• Develop detailed data breach response plans to help the organization act swiftly, decisively, and effectively
• Back up files regularly
• Avoid giving out sensitive information through written communication
• Make sure someone is keeping up with cyber-security protocols, alerts, and recommendations
• Limit access to communications networks
• Ensure that you understand the vulnerabilities of the new leading-edge technologies employed in precision agriculture
• Never skimp on security
• Test your protection systems regularly

Why cyber insurance?

The Council of Insurance Agents and Brokers (CIAB) calculates that the average breach cost nearly $4 million cross all sectors.

To help plan for and mitigate the risk of a cyberattack, cyber insurance can serve as a means of protection on both the back-end to help cover the costs of a breach and also on the front end — outside consultants can help bolster cybersecurity and work with employees to help raise awareness of vulnerabilities and the importance of good cybersecurity practices.

There are still unanswered questions around regulatory enforcement and how organizations are prepared for investigations and claims of financial injury from consumers and the ever- creative plaintiffs’ bar, regardless of whether a security or privacy breach occurred. The cyber security insurance marketplace can help address this evolving risk with a number of carriers providing affirmative coverage for wrongful collection events (although the current cyber insurance marketplace typically requires a security or privacy incident trigger).   

Customized policies for agribusiness
According to the 2019 NetDiligence Claims Study Report, which analyzes actual paid claims, small to mid-sized companies have been hit with an average of $178K per breach, with crisis services costing $112K and legal costs averaging $181K.

Lost income for small and mid-sized firms averaged $343K and the expense to recover systems and files cost an average of $45K. Equally as bad, there were an average of 280K records exposed to hackers, which produces a per-document cost of $234 on average.

Cyber insurance provides a number of solutions to respond to threats.  Marsh & McLennan Agency can design an insurance coverage that provides protection for loss and liability arising out of the use of technology and data in the agricultural industry. 

First-Party Cyber Coverages
Business interruption/extra expense: Reimbursement for lost revenue and expenses caused by a technology failure, computer system outage, or cyber-attack, with the option to include:

• Contingent business interruption resulting from a third-party/supply chain event
• Internet of Things products/services used in distribution, inventory, and warehouse operations

Information asset protection: Costs to recreate or reconfigure information and electronic data assets, with option to include cost to replace hardware or to rebuild systems.

Breach/event management: Costs for notification and investigation of privacy and security breaches, including legal and forensic services, with the option to include losses from unauthorized price alteration.

Cyber extortion: Ransom and investigative expenses associated with threats to steal confidential information, introduce malicious code, corrupt computer systems, or hinder system access.

Third-Party Cyber Coverages
Privacy liability: Failure to prevent breaches of confidential personal information—electronic or hard copy—or to disclose an event, with the option to include coupons, discounts, and goodwill payments in settlements and costs.

Network security liability: Actual or alleged failure of computer security to prevent or mitigate an IoT or computer attack.

Regulatory Defense: Costs to defend regulatory actions and for certain fines and penalties.

Payment Card Information: Fines and penalties for PCI industry settlements, fraud recoveries, chargebacks, and forensic investigations.

Marsh & McLennan Agency is ready to help

Cyberattacks are likely to increase to take full advantage of the COVID-19 pandemic given that it has forced much of the world onto the internet for shopping, ordering from restaurants, communicating and more.

MMA takes a comprehensive approach to helping you manage cyber risk, taking your entire enterprise—operations, compliance, legal, finance, communications and IT—into consideration. After all, everyone in your company has a stake in keeping corporate data and customer information as secure as possible

MMA provides proprietary solutions and best-in-class advisory services to help you understand your cyber risk, vulnerability and threats; measure your exposure with customized tools; and manage your cyber risk using our tailored insurance solutions, education and coaching programs, risk mitigation and loss prevention tools and response planning and performance improvement reviews.

To learn more, talk with your Marsh & McLennan Agency representative.