Six reasons the food and beverage industry needs cyber insurance
With the increasing integration of technology into business practices, we explore why and how companies should protect themselves from cyber-threats.
As a C-level professional, risk manager or general counsel of a food and beverage company, you may know that cyber-risk is a threat. What you may not know is that the food and beverage industry has become a real target.
Today, cyber-exposure has evolved from data breaches to attacks that are even more crippling, including business interruption, cyber-extortion and more.
The integration of technology into manufacturing processes, sales and distribution has created a new and significant risk for food and beverage companies. In some cases, hacks can render systems unable to communicate and halt operations altogether.
Take, for example, the 2017 malware attack dubbed NotPetya that impacted many large and well-known companies, one of them being Mondelēz International Inc, the American multinational confectionery, food and beverage company.
After the attack damaged its computer systems, operations were impacted, including production at a Cadbury chocolate factory. The company also reported a 5 percent drop in quarterly sales due to shipping and invoicing delays, according to reports.
“As a result of the damage caused both to its hardware and operational software systems, MDLZ incurred property damage, commercial supply and distribution disruptions, unfulfilled customer orders, reduced margins, and other covered losses aggregating well in excess of $100,000,000.”
This is according to a suit that Mondelēz filed against its insurance company for not paying out under its property policy after the attack (more on why this exposure could have been covered if a cyber-policy was in place can be found here in an article by Dan Burke at Woodruff Sawyer, a Northern California Insurance Broker).
We’re also seeing a rise in payroll hacking where bad actors use phishing emails to capture an employee’s credentials. The hackers then change bank information to reroute payroll deposits. And of course, there is the traditional type of exposure in cyber-attacks, which is the threat of financial data loss related to customer credit cards and/or loss of personally identifiable or health-related information.
Responding to cyber risks
The answer lies in cyber-risk management, which includes a properly developed insurance program. This would include a specialised insurance product that specifically covers the exposures arising from our technology-driven world.
This type of insurance product is referred to as many things: cyber-liability, privacy, network security, data breach coverage and more – but let’s stick with the more general ‘cyber insurance’ for the purposes of this article.
Surprisingly, even with tech attacks on the rise, 68 percent of US businesses have not yet purchased any form of cyber insurance. Maybe it’s because it can be confusing to understand where one insurance coverage picks up and the other leaves off.
For example, property insurance underwriters that typically provide coverage for business interruption no longer want to take on the cyber-risk within a property policy.
There may be other policies that a business has in place that offer limited coverage for a cyber-event. However, the majority of underwriters are now looking to exclude specific cyber-risks within other lines of insurance, as they were not originally intending to cover them.
Because cyber insurance is an important way to transfer the risk exposure that food and beverage companies face today, let’s look at six reasons why you may want to invest.
- Technology is a part of your business
If you use technology in your food manufacturing, processing, supply chain or to store data, you’re at risk. That’s basically any and every food and beverage company today. If your technology were to become unavailable due to a cyber-attack, the resulting business impact can be mitigated through cyber insurance.
- You want broad and specific coverage related to cyber-events
Cyber insurance was designed to cover a broad category of known and emerging cyber-risks. It can cover everything from errors and omissions, media liability, reputation risk, network security, privacy and business interruption. The network security and privacy piece covers both first-party costs (direct costs related to responding to a security failure or privacy breach) and third-party liabilities (if claims are made against you, you’re sued or regulators come after you).
- Coverage for fines and penalties related to cyber-events
Cyber insurance can cover some regulatory fines and penalties due to violations of privacy laws that occur as the result of a cyber-event, including GDPR.
- As a requirement for partners or lenders
With the increased risks related to the supply chain, many companies are including cyber-coverage in their contractual requirements. In the near future, you will likely see a growing requirement that some sort of insurance coverage be in place with vendors in different areas of your business, to mitigate risk on both sides. We are also anticipating more scrutiny within lending requirements in the near future. Lenders may want to see that you’re protecting your balance sheet against the emerging risk that is cyber.
- It comes with risk mitigation and turnkey incident response
A well-endorsed cyber insurance policy will come with a team of vendors that specialise in both risk mitigation and incident response. The insurers will have developed a panel of fully vetted experts that offer risk assessment, penetration testing, incident response readiness, tabletop exercises, due diligence on security posture and much more. After a cyber-event has occurred, you’ll be connected to a team of vetted experts from legal counsel, IT forensics, consumer notification, on-demand call centres and public relations specialists to assist you in dealing with the crisis. These tools and best practices can offset security spend and provide significant value.
- It’s a board-level issue
No longer are cyber-issues relegated to a company’s tech department. If you have a board of directors, cyber-security is an important part of their oversight role today. In fact, directors could be sued and personally liable for breaching their duties related to a cyber-event.
Investing in cyber-coverage as a part of your risk management process is key. But remember that placing these policies can be quite complex and nuanced: in other words, it’s not a standardised policy.