Food manufacturers have a lot to worry about. On any given day, not only do they need to think about their processes and brainstorm ways to become more efficient and stay competitive, they must also focus on the bottom line—sales, profits, losses and the unpredictable possibility and ramifications of a recall. But is there now a new concern to lose sleep over?
Changes implemented by the U.S. Food and Drug Administration and generally tighter food control have seen food recall cases increase in frequency and magnitude. The risk management industry has helped manufacturers make better decisions in the event of a food recall, while also minimizing financial risk.
The insurance industry has developed programs to assist companies when a contamination or recall occurs, crisis consultants are there to help, and financial protection is available. Similarly, insurers are busily developing responses to cyber risks and providing insurance programs, which include resources to aid in the event of a cyber-attack or security breach—and to help remedy the resulting damages.
There is a new type of risk making its way down the supply chain which will present new challenges for food manufacturers and the insurance industry. Crisis management and food recall risks are now on a collision course with cyber risk.
Food Contamination and Cyber Risk
In an increasingly interconnected world, manufacturers are automating their processes more frequently. But by utilizing automation, manufacturers are inheriting and assuming the potential cyber risks previously only associated with computer-based systems.
The recent series of alerts from ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) reminds us of the vulnerability of certain systems utilized in the food supply chain. As designed, much of the equipment used in food manufacturing is vulnerable to remote exploitation that requires a relatively low level of skill. Therefore, the increasing frequency of these alerts is concerning, as are the size and scope of the associated risks.
It is not inconceivable that, in the near future, someone with malicious intent could hack into a food processing system and make slight adjustments to machinery without anyone noticing. A few degrees warmer in the refrigerator or a few minutes off the time in the oven could be all it takes for an item to go from consumable to unsafe food, with a risk of harm. There is a possibility that food manufacturing equipment could be breached and remotely controlled, possibly causing a contamination or food safety event.
This type of equipment vulnerability is nothing new. It was first seen with Stuxnet, the malicious computer worm that impacted Iran’s nuclear program via remote exploitation in 2010. Granted, that involved a nuclear plant system, and manufacturers and consumers may have a hard time relating a meltdown at a nuclear plant to food processing. But the point is that systems vulnerability can impact a wide range of processing systems that people interact with on an everyday basis.
Who Covers the Loss?
When a cyber event causes a food safety or contamination event, who steps in to cover the loss? Which of an insured’s policies covers the loss and which carrier takes the lead in the claim handling? Policy interactions of this type have been seen before, where cargo, general liability and property policies, as well as other coverages, all have to interact when faced with a loss in the food supply chain. In past events, the food safety issues were evident, and food contamination policies had been designed to respond and protect against these scenarios.
However, cyber matters are not clearly addressed when it comes to food production. The typical policies covering food production do not carry cyber exclusions that would limit coverage of a cyber-caused event. And new cyber policies are being designed to cover the broader risks associated with the financial impact of a security breach. The costs covered under these policies are fairly well defined, but cyber events are continuing to evolve. In the cyber sector, we are seeing a continued increase in the demand to broaden business income loss coverage, where the loss is caused by a cyber breach. These policy terms currently link the losses to a defined period during which the software is “down.” We will continue to see an interplay between cyber coverage and other areas of more traditional insurance.
Looking Forward
As cyber insurance policies evolve and business income loss coverage broadens, these types of service interruptions may form part of the covered loss. With losses of these types, linking cause and effect is increasingly important: What caused the loss? Was it a food safety issue? Or a cyber breach? Or maybe a combination of the two?
The recent announcements from ICS-CERT serve to highlight the new risks associated with supply chain management. As coverage evolves, insurers and those handling claims will need to understand who is covering what.
If manufacturing process vulnerabilities lead to contamination within the supply chain, recall and business income loss issues will be the result. The impact of cyber events is far-reaching, and it is no longer limited to the release of personal data or confidential information. Physical risk and extended financial losses are a growing concern.
Simon Oddy is a partner and Duc Nguyen is the forensic technology manager at RGL Forensics.