Aon’s Richard Fawcett – UK Industry Leader for Food, Agribusiness & Beverage, explores some of the key themes from Aon’s recent Cyber and Artificial Intelligence webinar, held in conjunction with the Food and Drink Federation.
It was no surprise that businesses responding to Aon’s recent Global Risk Management Survey identified cyber-attacks and data breaches as the number one risk facing their organisations. Perhaps more of a surprise was the sector analysis for the food, agribusiness and beverage (FAB) industry which pushed cyber and data breach down to fourth in their top ten business risks, behind commodity price risk or scarcity of materials, supply chain or distribution failure, and business interruption. But, taking a closer look, it’s not hard to see how the interconnected nature of cyber risk can be a cause of many of those top ten risks for FAB businesses, including supply chain disruption, business interruption, reputational damage and brand, product liability and the failure to attract or retain top talent.
Even if it’s not perceived as the number one risk, no business in the FAB sector should be complacent about the risk from cyber and the growing challenges of AI, particularly given the regular news coverage relating to major cyber breaches for FAB organisations.
Ransomware Frequency on the Rise
2023 was the worst year in terms of frequency for ransomware attacks within the FAB sector, hitting balance sheets not just in terms of business interruption but also in the associated recovery costs and reputational damage. There is some good news, however, that 2023 wasn’t the costliest year given businesses paid ransoms for higher amounts in 2021. Part of that improvement was due to the introduction of better controls such as multi-factor authentication, as well as improved testing of system back-ups and business continuity plans meaning hackers were not able to generate as much revenue from each attack.
Five Converging Factors of Digital Transformation
While those reduced payouts should be a cause for optimism, the cyber risk is becoming more complex and challenging; a risk shaped by five key converging factors of digital transformation in the FAB industry. First is the operational resilience of digital infrastructure – on both the IT side of a business and the operational technology (OT) side – with an emphasis on new technology such as AI and the Internet of Things (IoT). Second, there is a renewed focus on food quality management with a growth in the use of sensor technology which can monitor and correct conditions during storage and transportation. Then there is the automation of production, logistics and warehousing automation with the use of driverless trucks and autonomous mobile warehouse robotics. The fourth area of digital transformation relates to the rapid expansion of data collection on everything from how labour is controlled, to machine use and the development of machine learning. And finally, legislation is getting stricter. For example, the EU’s Network and Information Security Directive (NIS2), has replaced the 2016 NIS Directive with an intent to ensure a higher common level of cyber security across the EU. The main change is that more businesses will come under the scope of the legislation with a requirement to strengthen their cyber security arrangements.
Understanding Who the Stakeholders Are
In addition to these five factors, there are now more ‘stakeholders’ then ever who seek to know about potential cyber security exposures. Hackers, of course, want to find out what vulnerabilities a firm has, how they can be exploited and for how much. While insurance underwriters will be asking whether a prospective insured can meet a minimum standard of security, and what terms and limits they can provide for the risk they are taking.
In addition, key stakeholders include shareholders who want information around how past or future cyber losses can affect stock price and profitability. Aon’s Reputation Risk in the Cyber Age: The Impact on Shareholder Value, for example, showed that on average a major cyber incident resulted in a 9 percent decrease in shareholder value meaning key questions shareholders will ask is “how is cyber risk being addressed to prevent cyber loss, what is the potential financial impact and what preventative measures are in place?” Similarly, another key stakeholder – the regulators – will also want to know the answer to similar questions.
Managing the AI Challenge
Against this backdrop, FAB businesses have both the opportunities and threats of AI to manage. It’s obvious why many are adopting AI in the FAB sector given the benefits it can offer in key areas such as reducing human errors, and the tracking and monitoring of supply chains in real time to help identify bottlenecks and take corrective action, as well as automating repetitive tasks previously carried out by humans. But an important question every business should ask itself is around the requirement for regular due diligence of AI. Are businesses frequently testing their AI enabled processes and systems to make sure they are not being compromised? AI is not just a technology that can be installed and forgotten.
Emerging Risks from Generative AI
Taking a closer look at generative AI, for example, which relates to algorithms like ChatGPT and Copilot for the creation of content such as text, images and video, there are several risks for businesses to look out for. These include the risk to data privacy and confidential information which makes it important not to share personally identifiable information (PII). There is also the possibility of unreliable model training, given AI is only as good as the data it’s given, and it takes time to get it right.
It's also important to consider unintended consequences of AI use. A class action lawsuit against a US firm, for example, focused on a recruitment programme where AI was being used to select candidates for interview but ignored all the CVs of individuals over 50; an oversight which led to an age discrimination lawsuit. Finally, there is always the possibility of AI inadvertently leaking intellectual property information like trade secrets, recipes or formulations to third parties.
Of course, AI can also be used by hackers for malign purposes and there are growing examples of how cyber-attacks have become more sophisticated such as with the use of deepfakes to impersonate company executives. Developments like these highlight the importance of educating employees around any new cyber threats but in addition, and specifically for AI related issues, it’s key that businesses carry out routine audits of their AI models to ensure algorithms or data sets do not propagate unwanted advice.
It’s also vital there is an understanding of copyright ownership of AI generated materials, while considering other safeguards such as mitigating risk through the implementation of B2B contractual limitation of liability for tighter vendor risk management, and the insertion of human control points.
Build a Framework Around the Risk
Cyber – and increasingly AI – is a big challenge for the FAB sector, but by introducing a considered framework around the risk, such as Aon’s Cyber Loop which considers the four stages of assessment, mitigation, risk transfer, and recovery, businesses can make better decisions. Using this framework will not only help them understand their balance sheet exposure to cyber and AI, but also understand the economic value and return from investment in cyber mitigation, inform decision making on risk transfer, and improve board understanding of the shareholder value at risk.
Watch the Aon/Food and Drink Federation Cyber and Artificial Intelligence webinar here.
For more information contact [email protected]
The information contained in this document is intended to assist readers and is for general guidance only. Aon UK Limited is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales. Registered number: 00210725. Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London EC3V 4AN. Tel: 020 7623 5500.