It appears the next batch of food risks is starting to establish itself: crisis management and food recall risk are intersecting with cyber risk.
Changes in FDA authority and generally tighter food control in the US and Canada have seen food recall frequency increase. The scale of the recalls is also growing. The risk management industry has been making great strides towards enabling food suppliers to make the right decisions during a contamination event, while also minimizing financial risk.
Insurance programs focused on providing financial support for companies dealing with such events are evolving and have provided many companies with a financial safety net for when a food contamination event occurs.
Similarly, as cyber risk continues to develop, the risk management sector is doing its best to keep up, providing insurance programs to assist in the event of a cyber attack or security breach, and the resulting damages.
However, there is a new batch of risk now making its way to the front of the supply chain which will result in potential challenges for the insurance industry.
Who covers the loss?
The question is, who should cover the loss triggered by a cyber event that results in a food contamination? Policy overlap and interaction have been seen before: cargo, general liability and property policies, as well as other coverage, have had to interact when losses occur in the food supply chain. Now, with emerging trends in cyber activity, there is increased risk linked to someone’s ability to access and manipulate food processing systems. Perhaps a boiler system or cooling system controller was hacked and reconfigured by an attacker, and is ultimately found to be the root cause of a contamination event. We are now faced with an additional intersection of risk management – and a new batch of problems.
Cyber risk and food contamination
In an increasingly interconnected world, food manufacturers are employing automation processing control systems and are therefore inheriting cyber security risks previously only associated with computer-based systems. A recent announcement from ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) reminded us of this fact. This announcement highlighted the vulnerability of certain systems currently in use in the food supply chain.
A frightening aspect of this risk is the frequency of new alerts regarding vulnerabilities of industrial control systems, and the scale of risk attributed to those vulnerabilities. Equipment used in food processing systems is, as designed, vulnerable to remote exploitation that would require a relatively low skill level.
Could this equipment be breached, controlled, and lead to a contamination event? And if so, who steps in to respond? Certainly the food safety issue is evident in such a situation, and protection against these scenarios is a specific purpose of food contamination policies. However, the typical policies covering food production do not carry cyber exclusions that would preclude (or negate) coverage of a cyber-caused event.
On the other hand, a cyber policy is intended to cover the risks associated with the financial impact of a security breach. These policies currently have fairly specific definitions of what costs are covered. In the cyber sector, we are seeing increasing demands for a broadening of business income loss coverage, where the loss is caused by a cyber breach. These currently link the losses to a defined period during which the software is “down.”
Looking forward to the future
As insurance policies – including cyber policies – evolve and business income loss cover broadens, the losses following such a service interruption period may form part of the covered loss. With such developments, linking cause and effect becomes increasingly important: What caused the loss? Was it a food safety issue? Or a cyber breach? Or maybe a combination of both?
The susceptibility of computer-controlled systems has been in the public eye since Stuxnet, the malicious computer worm that impacted Iran’s nuclear program in 2010. This issue, now more commonplace, affects a larger spectrum of processing and impacts systems that are more familiar to us as consumers. The vulnerability is something that resonates with more and more people, and is more relevant and understood than a meltdown at a nuclear plant.
The recent announcement from ICS-CERT again highlights new areas of risk associated with supply chain management. Being aware of these emerging risks is critical to ensuring that the correct insurance portfolio exists. As coverage evolves, those handling claims within these sectors will need to understand who is covering what.
If electronic processing vulnerabilities lead to contamination within the supply chain, recall issues and business income loss issues will emerge as a result. The impact of cyber events is far-reaching, and it is no longer limited to the release of personal data or other confidential information. Physical risk and extended financial losses are now a growing concern.