Cybersecurity has been a hot topic in both the popular and trade press. FE alone has run at least seven major stories on it this year (see the Resources section at the end of this article). We have already seen the damage that cyberattacks can cause: losses running to millions of dollars, plus risk to equipment, personnel, infrastructure and the surrounding community. Guarding against these attacks demands all the attention and expertise you can muster to build a plan that minimizes risk.
While cybersecurity incidents can seem unpredictable, the ultimate responsibility for preventing damaging attacks still rests with the user's or manufacturer's senior management, and managing cybersecurity is as important as maintaining a profit. Processors' senior management should therefore be educating employees about phishing and other email scams, and working closely with the IT staff and the OT (operations technology) group to design systems that are hardened against likely attack vectors. Management should also prepare a recovery plan and, perhaps most important, maintain an offline backup that works and has been tested thoroughly, which means actually restoring from it rather than only confirming that the backup job ran.
Expert cybersecurity help is usually closer than you think: your network vendors, automation suppliers and specialized cybersecurity firms can all evaluate your system for weaknesses.
Recently, a relatively new source of cybersecurity help has emerged: cyber insurance providers. Cyber insurance can save a company from financial ruin, but cyber insurance companies and underwriters can help in many more ways to reduce risk, as we'll learn here. Even so, having insurance doesn't mean that you're off the hook; you are still expected to take precautions. To find out how cyber insurance and underwriters can help your company, I spoke with Eric Fleming, CIC, CISR, CLCS, risk consultant and head of the Food and Beverage Practice at the Minneapolis office of Marsh McLennan Agency (MMA), which provides cyber insurance policies. Fleming spent nine years with PepsiCo, in operations and with sales teams across six distribution facilities, as well as in a headquarters role.
FE: How long has Marsh McLennan Agency been in existence? How and why did it get started?
Eric Fleming: Marsh McLennan Agency (MMA) is a full-service insurance, retirement, and risk management firm dedicated to serving the insurance needs of middle market companies in the United States since 2008. As a subsidiary of Marsh, the world’s largest broker and risk advisor, MMA provides clients with unparalleled access to local service, regional expertise, and global resources. Marsh is predominantly focused on national and global risk management accounts and the organizational structure necessary to best service these accounts.
FE: What services do you offer clients? What types of clients do you take on?
Fleming: MMA has access to broad resources and solutions across all of its sister companies under the Marsh McLennan (MMC) banner. Although we are not integrating the businesses with Marsh, we are able to leverage the value of our respective capabilities and intellectual capital in those instances where there is a compelling case for collaboration between MMA and Marsh.
Mid-size companies need a partner they can trust and that can provide additional tools for opportunity and growth. We strive every day to service those needs. We bridge the gap between what the “big firms” offer and the advice, solutions, and programs that smaller businesses require.
Through the strength of our management team, our geographic presence and our world class services, MMA provides public and private companies with risk management and employee benefit support that helps them flourish. We are proud to provide our clients with best-in-class services that meet their growing needs.
MMA is currently the ninth largest insurance broker in the United States with annualized revenues of approximately $2 billion.
FE: What do you think is the primary [cyber insurance] role you play with a client? E.g., education, finding outside engineering help, etc.
Fleming: The primary role is to support and build a cyber risk management framework with our clients to ensure we understand, measure, and manage their exposure. This includes:
- Understand the risk profile, not just from an IT perspective but from [what] insurance companies are looking for.
- Measure – leverage proprietary cyber analytics. We use benchmarking and modeling by industry to help quantify a client’s cyber exposure.
- Manage risk transfer – insurance is part of that (along with contractual risk transfer and the interplay with the supply chain).
FE: To make this a little easier to understand, how does cyber insurance differ from an auto or homeowner’s insurance policy? In what ways are they similar?
Fleming: Cyber insurance helps support preparedness for incident response, as you don’t want to wait for a significant accident to occur. You are not going to get “dinged” by being proactive in reporting a claim. It is very important to take advantage of the loss mitigation services available through the IT service providers recommended by the insurance carriers in advance of a claim; these providers can help a company respond immediately when an incident happens.
The auto/homeowners marketplace is much more mature. The economics of cyber insurance are dramatically different as we really are at the infancy of the cyber marketplace.
It is similar in that the intent is to cover accidents and ultimately provide the defining characteristic of insurance in providing that a loss payment will replace what is lost. However, in the case of auto and homeowner’s insurance, the focus tends to be on tangible items like a car or a home, though not exclusively. In the case of cyber insurance, the focus tends to be on intangible assets, especially data.
FE: What roles do you play in analyzing a potential client’s system and risks? Do you advise a client to make certain changes before underwriting them?
Fleming: It first starts with assessing the client’s risk profile and developing their cyber risk management framework, getting them ready for initial coverage or renewal through the cyber resiliency best practices carriers require for coverage. We leverage our built-out cyber resiliency network to ensure they have an offering of partner resources to assist with the proactive information security and legal components of compliance and risk management to support their cybersecurity efforts. To best address ever-evolving cyber risk, we need to have clear visibility into an organization’s internal and external environment as we work on preparedness plans with organizations. Ultimately, with constant monitoring and investments around key security controls, it is our goal to reduce their cyber risk and provide a path to insurability.
FE: I would expect that many food processors are not adequately prepared for a cyber incident. How do you help a client meet any risk requirements before insuring them? What recommendations do you make? At the senior management level, any number of risks/losses could occur, for example, IP (client/customer data, patent/invention data, and employee information), financial data, etc. Do you provide coverage in each of these areas? What other coverage?
Fleming: We are very focused on ensuring that our clients have the most effective security controls in place to minimize their risk. We encourage clients to work with qualified internal or external IT resources.
It is important to map out with food organizations the cyber threats they face through their supply chain, vendors, external partners, etc. These include:
- Contractual risk transfer – making sure we have contingent business interruption coverage stemming from failure of their own systems (unintentional unplanned outage), or failure by a key vendor they rely on.
- Developing a tested, operational incident response plan that is audited by a qualified, outside vendor. And making sure there’s a copy of the plan kept outside of the IT system.
- Covering legacy systems – such as manufacturing controls – that might be susceptible to cyberattack and trigger a manufacturing shutdown or other disruption.
FE: How do you help a food processor client be ready for purchasing an insurance policy?
Fleming: Make sure you have all stakeholders at the table, including finance, legal, IT and operations. It is important for all stakeholders to share a common, credible commentary on the investments and controls your organization has made around cybersecurity controls to ensure you achieve the best pricing, terms and conditions in the insurance marketplace. In many cases, as we go through our renewal process with our clients, we will have virtual meetings getting the stakeholders in front of the underwriters to share this commentary, as we find it most effective coming directly from the client with our guidance as the broker.
FE: After underwriting a policy for a client, what services do you offer to help them maintain some level of protection from cyberattacks (e.g., arrange to have a client work with a cybersecurity vendor—or do you offer these services as well)?
Fleming: Claims handling is one of the critical services we offer clients. It may be our client’s first cyber claim, but we have a claims team with broad experience. Also, we recommend an onboarding call with the carrier to understand best practices for reporting an incident, along with the panel providers approved by that carrier. Our team has built out a dedicated cyber resiliency network to support our clients with tools and resources to constantly review their security controls.
FE: Should a food processor report an attack to you [even before contacting the FBI or police]? What is the next step(s)? Should you be the first one a client calls when an attack happens, e.g. ransomware?
Fleming: Typically, you will want to leverage the carrier’s 24/7 hotline to report the claim immediately. You also should engage with your privacy attorney along with your insurance broker for additional potential advocacy and support.
FE: When a processor receives a “ransom note,” do you get involved in contacting the cyber criminals? Is this even advisable? If your client has a backup that is good, do you recommend this option first?
Fleming: It is often recommended that you work with expert forensic firms in communication with cyber criminals. You don’t know if sensitive info has been accessed; it’s important to understand exactly what is at risk. A breach coach should handle any communications with cyber criminals.
FE: Do you do a post-mortem after an attack to learn how to prevent it in the future?
Fleming: Yes, you typically will get a download from the forensics team and an executive summary.
FE: One thing I haven’t asked in all this: it seems that most cyber incidents happen at the IT/management level, but more and more, as I discussed in my interview with Joe Weiss, attacks also happen at the controls. This can represent a valuable monetary target for hackers and also present some really dangerous outcomes for infrastructure. What role do you play in reducing the threat level at the controls/OT side of the business?
Fleming: First, we help support assessing infrastructure and the control environment of a client’s operational technology, including industrial control systems, to help prevent business interruption loss.
FE: Liability at the controls/OT side could be far greater than the IT side. For example, an attacker asks for $3 million in ransom, having broken into the financial system, but what is the liability for failed infrastructure where there are physical losses, people injured, or consumers sickened by product ruined by a cyberattack at the controls level?
Fleming: This is where contingent business interruption can come into play.
FE: How do you lessen the probability of a cyberattack at the controls/infrastructure level?
Fleming: After a thorough risk assessment, we make specific recommendations for improving cyber resiliency through best practices and the assistance of vetted IT vendors. In the case of legacy systems, this may mean updating or replacing controls that are difficult to protect.
FE: What else is important that I didn’t mention?
Fleming: Each client is unique in terms of their existing assets and vulnerabilities. A comprehensive risk assessment is the key starting point; “cookie cutter” coverage may not be adequate.
For more information:
You can reach Eric Fleming at firstname.lastname@example.org or 763 746 8557.
About Eric Fleming
Eric Fleming is a business insurance and risk consultant at Marsh and McLennan Agency - Minneapolis. He has extensive experience in operations and sales leading the Minneapolis Food & Beverage Practice. His previous experience with PepsiCo—for nine years leading both operations and sales teams over six distribution facilities and a headquarters role—has enhanced the way he looks to build partnerships.
Fleming brings a consultative, needs-based approach to clients. Starting with a thorough needs and exposure analysis, he provides custom business risk solutions to help support each client’s organization-wide objectives.
In his role at MMA, Fleming partners with organizations to help manage their commercial insurance programs. The majority of his time is spent working with organizations looking to develop a more comprehensive risk management strategy.
Fleming, a graduate of the University of St. Thomas, is involved in several associations, including the Minnesota Grocers Association, Minnesota Restaurant Association, Minnesota Trucking Association and the Manufacturers Alliance.
Recent FE resources:
“BlackMatter ransomware targets food/agriculture sector,” Labs, FE, October 2021
“Ransomware attack hits JBS, shutting down operations,” Labs, FE, June 2021
“Cyberattacks: What food processors won’t talk about,” Labs, FE, May 2021
“The challenge of preventing human error in cybersecurity,” Laughman, FE, May 2021
“AI, machine learning and cybersecurity,” Labs, FE, April 2021
“Control system vulnerabilities put food & beverage at serious risk,” Labs, FE, March 2021
“Remote attacks on process/automation systems can wreak havoc,” Labs, FE, February 2021