Innovations in technology, automation and artificial intelligence (AI) have huge potential to transform the food and beverage sector, but rapid digitization also increases cyber risks.
In WTW's Food and Beverage Survey 2024, when asked about their greatest near-term opportunities, 48% of respondents said increased use of production technologies such as automation, and 43% new technologies, such as AI[1]. These innovations offer great potential to make production more efficient and fill gaps in the labour market.
However, they can also open new ways for cyber criminals to get into systems. The damage caused by cyber-attacks is increasing in severity, highlighting the need to develop a comprehensive approach to cyber risk assessment, incident response and cyber insurance.
In this blog, we look at emerging cyber risks and what the sector can do to manage and mitigate them.
Why are food and beverage companies at risk?
The sector traditionally uses operational technology, machinery and systems that can be decades old and not built to the same security standards as the information technology we use today. These can expose critical manufacturing systems to cyber-attack, including newer devices that are linked to them.
Food and beverage companies are also a target because:
- Levels of investment in cyber security aren't always equal to the cyber risks faced.
- Cyber controls may not be as robust as those in other sectors.
- Attacking a well-known food and beverage brand, or a brand people rely on, can have a greater and more visible impact.
Emerging cyber risks
Ransomware
Ransomware attacks are one of the top cyber threats to business. It's an efficient way for criminals to extort huge sums of money and can lead to loss of system or network access, data exfiltration and data privacy breaches. If a food and beverage company's business is interrupted, costs can spiral and recovery time could be days, weeks or even months.
Political cyber risks
Cyber risks may also emerge at state level, as cyber space becomes a new frontier in the conflict between countries. While nations may not directly target food and beverage businesses, targeting service providers such as financial systems could put the sector at risk indirectly.
Artificial intelligence (AI) risks
Food and beverage companies are increasingly using AI, from drones using image recognition to pick fruit, to cutting edge technology that digitally reformulates a product's ingredients without compromising flavour. These bring opportunities, but they also bring new risks.
If cyber criminals infiltrate systems, they could change things like ingredients and allergen labelling and cause harm to customers."
Simon Lusher | Global Food and Beverage Leader
If cyber criminals infiltrate systems, they could change things like ingredients and allergen labelling and cause harm to customers. Growing reliance on AI to take on these tasks increases risks. Without effective human oversight, changes like these could go unidentified and substantial damage could be caused before the company even identifies the issue.
There are also risks from cyber criminals using generative AI. They no longer need coding skills to write code to hack into a system – they can ask a generative AI application to write it for them. This opens the doors to more people having the tools to conduct cyber-attacks.
Supply chain risk
Cyber criminals can target suppliers as weak links that enable them to access food and beverage companies' systems. This is a major risk for companies who might have multiple third-party vendors and complex supply chains.
People and culture
Email based attacks such as phishing are making a comeback as hackers learn new ways to fool people into clicking on links and attachments.
There's a global shortage of cyber practitioners. This means food and beverage companies are competing to recruit them with companies in other sectors who may offer more lucrative employee packages.
What can you do to get ahead of emerging challenges?
Identify and record risks: Put an appropriate process in place to identify and record your cyber security risks. You can't take targeted action to mitigate the risks if you don't know what they are, what causes them and what the impact of an attack would be. A risk register is a smart way of achieving this.
Identify what you need to protect: What assets, including data, systems and devices, are most critical to business delivery and continuity?
Carry out a gap analysis of current cyber security to identify any weak points. Compare the result against your critical assets to see where you need to prioritize protection.
Implement cyber security controls such as multi-factor authentication, privileged access management (PAM), encryption, endpoint security and rapid patch systems.
Train staff in cyber security and create a culture of openness where cyber security is everyone's business and everyone is encouraged to report anything suspicious.
Integrate cyber threats into business continuity plans: Make cyber a regular part of incident response and disaster recovery planning. Identify vulnerabilities and fix them.
Define roles, responsibilities and accountabilities: Determine who's responsible for your automated systems. If AI is making decisions without human intervention, do you know how it's trained, who owns the data it uses, and who's accountable if something goes wrong?
Assess what insurance cover is needed: Even with the best controls, incidents can still happen. Cyber insurance can protect your business from incidents caused by cyber-attack.
Enterprise Risk Management (ERM) to identify and respond to risks
Our team of risk and resilience specialists develop custom-built ERM frameworks that help you to articulate the key drivers of value for your business and identify the things that threaten them, including the cyber and technological risks explored in this article.
As well as a framework, we can work with you to develop and populate a risk register and establish intelligent risk reporting, providing recommendations on how to manage risk in a practical, proportionate way. We consider the sources of risk – cyber, people, operational, financial etc. – and the specific impact the risk could have on your business. We can help you understand how better security controls can make your business more insurable and lower your non-insurable risk profile.
How WTW can help
WTW offers three key areas of cyber support:
Assessment
We develop custom-built assessment frameworks that assess risk factors and how hackers could infiltrate your technology, focusing on your information technology and operational technologies.
We'll work with you to develop a risk register and provide recommendations to manage risk in a practical, proportionate way. We consider the impacts of your people, processes and technology. We can help you understand how better security controls can make your business more insurable.
Quantification
Our analytical tools and models like Cyber Quantified help you measure and understand cyber risk in financial terms.
We also have a comprehensive quantification methodology based on data and analytics, that looks at your business from a cyber control perspective and incorporates a root and branch quantification process.
The insights can be used to guide your investments in security improvement projects and to support you in developing a risk transfer strategy.
Insurance
We can help establish where your exposures lie so that you can look at the limits you need and how to make the best use of coverages available in the market.
We develop products and innovative solutions to provide tailored coverage for the exposures you face. Our broking and consultancy team combine to deliver the best value and reduce your workload.
Conclusion
While rapid changes in technology provide opportunities for food and beverage businesses, they also increase the risk of cyber-criminals infiltrating systems. The potential harm can go far beyond IT and affect food hygiene and health. By understanding these risks and their impact, businesses can take steps to mitigate them. WTW can help you measure and quantify risks and find the best coverage for the exposures you face.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.