In this episode, host Kermit Nash, co-chair of Saul Ewing Arnstein & Lehr’s Food, Beverage and Agribusiness (FBA) Practice, speaks with colleague Sandy Bilus, co-chair of the firm’s Cybersecurity and Privacy Practice, about how cyber criminals are targeting agribusiness and food companies and the ways these companies are vulnerable to cybersecurity attacks, such as ransomware attacks that significantly disrupt operations. They discuss three key steps that companies should be taking right now to help handle and prepare for cyber threats, including having comprehensive information security programs, viable data backups, and written incident response plans in place, as well as cyber insurance.
Episode: “Cybersecurity Threats Facing Food and Agribusiness Companies & the Preparation and Protection Safeguards to Help Mitigate Them”
Kermit Nash and Sandy Bilus
Kermit Nash: Thank you for joining us for our food, beverage and agribusiness podcast series, “Don't Miss a Beet.” My name is Kermit Nash. I'm the co-chair of the firm's Food, Beverage and Agribusiness Practice and I'm based in our Minneapolis office. Today, I'm thrilled to be joined by Sandy Bilus, a partner and co-chair of Saul Ewing's Cybersecurity and Privacy Practice. Sandy helps clients understand the legal liabilities they face if a cyber-attack or a data breach occurs and their compliance obligations to help minimize these risks. He helps clients prepare for cybersecurity incidents, conducts internal investigations and responses to potential breaches, and provides representation for related litigation. Sandy, thanks so much for joining us for today's episode. Our goal with these is to provide information about what's going on in the industry, and typically it's a selection of topics within the food, beverage and agribusiness sectors, and the topics are vast. But today we're going to put some industries together and some topics which may be a bit of a paradox: agribusiness and food with cybersecurity. To kind of kick this off, I'm just going to read a couple of headlines to you—ripped from the headlines, if you will—and I'd love for you to react and maybe have some of your own. First one that I saw recently is: “Agencies sound alarm over ransomware targeting agriculture groups.” The other one was: “Cyber event knocks dairy offline amid ransomware outbreak.” Next: “Ransomware group behind recent attacks on agriculture companies.” Sandy, this is starting to hit an industry that I don't think ever thought they would be yet. Can you explain what ransomware is and how it works? I just want to set the table for what we're going to talk about next.
Sandy Bilus: Sure thing, Kermit, and thanks for having me on. It's nice to talk to you and all the podcast listeners. So to talk about what ransomware really is at its most basic level, it is bad software. It is malware that can get into a computer system and really wreak havoc. So the way it works is the attackers, the bad guys, find and exploit a vulnerability in a computer system to get access to that system. They might do it through a phishing attack where somebody puts the wrong response to the wrong email or clicks on the wrong link. They may call up a customer service line and pretend to be someone they're not, but they find a way in. They get access to that system. They explore the system and get access to sensitive data—we can talk about the types of data that they look for. They sometimes—in a ransomware attack—they will exfiltrate that data, meaning they take it out of the system and they get their own copy of it. And then the key thing happens: they encrypt the system, meaning they lock it down so that only they have the key to decrypt it and the business can no longer use it. They then reach out to the business and they say, we're not going to unlock this system unless you pay us money, a ransom payment. And they may also, lately they have threatened as an additional harm to take that sensitive data that they stole, they exfiltrated, and expose it on the dark web for criminals to misuse. So it's a two-pronged threat. They lock your system down and they steal your information and threaten to expose it.
Kermit Nash: I read some headlines that have to do with agribusiness and food, but haven't these largely been with large public companies and branded companies? I think more recently, the pipeline that was attacked. Why do you think they're attacking agribusiness companies? I have some theories, but I'd love to hear what you have to say about it.
Sandy Bilus: Yes, I think there are a number of reasons why they are specifically targeting agribusiness companies and the FBI has confirmed that there are cyber criminals going after agribusiness. And I think there are a few reasons. One is many of those companies have older systems that were designed before cybersecurity was a real concern. Sometimes they have just outdated operating systems or easy-to-guess passwords. There's also been a rapid adoption of smart technologies and internet-of-things devices that often have sketchy cybersecurity protections in this industry. The companies may lack knowledge about how the systems interact and how they're protected. They may lack awareness of threats and risks out there. The people who use them—the systems and run them—may have no cybersecurity training at all. They're focused on food operations, food safety, for instance. And so you've got this group of companies, this sector that is a really ripe target because if they get hit, there can be significant harms inflicted on them. And we can talk about that too, if you'd like.
Kermit Nash: Yes, I think you really hit a point there and it's something that I would love to hear more about your impression because you mentioned that these are ripe targets and are low-hanging fruit, if you will, and this is a food podcast, so we can use those analogies and metaphors. But really the timing to me, these aren't random, these are happening right before harvest. These are happening in periods of time where it seems like someone is being very deliberate and methodical about the attack, as opposed to other times of the year, where there isn't as much concentration where it wouldn't be nearly as bad. So tell me a little bit more about who the actors are and because this doesn't seem random and it doesn't seem like it's just kind of to create problems. It seems like it's got a very intended purpose for who they're targeting.
Sandy Bilus: Absolutely. These attackers, these are organized criminal gangs often, or they're operating with the sanction of a state. But a lot of the times they are criminals overseas who have access to very powerful tools that are fairly easy to use for ransomware attacks. You know, you can rent these things, from other criminals basically, and then use them to carry out attacks. And if you time it right, you can really, really hurt companies. So you end up with companies facing loss of money, if they decide to pay the ransom, while they are unable to use the system that can have serious effects on business—operations can shut down, your plants can shut down, there can be damage caused to your equipment, to the operators of the equipment. If one system gets shut down for cooling, for instance, and everything else gets ruined because of it, you've also got that danger of sensitive information being exposed. It could be intellectual property, very sensitive data relating to the company. It could be confidential customer data. And then the big risks, the really scary, I mean, obviously those are big risks, but the really scary one for food companies for agribusiness is food safety, right? An attack like this actually can threaten food safety and cause harm to customers down the line, consumers, which could be catastrophic for a company if that happens. So you throw all that together you've got real reputational risk if something happens like this, and then you've got smaller and mid-sized companies in this area that I think have a real risk because they have less resources to devote to protecting against these threats.
Kermit Nash: I think those are really great insights. And when we think about supply chain risk, a lot of these agribusiness companies are one link in the chain, meaning the products may not be on the last mile, which we talk about is consumer facing or retail, but they might be in production. Recently a cooperative not too far from where I'm sitting was hit, and they do grain handling, but the reason why I think that created such a stir is because there's only certain amounts of time where the trains can come and be loaded and then they have to move. And there's always this constant flow. And if there's a disruption, it can create a massive backlog in the supply chain, which are creating right now. So just some insights for those listening, Sandy, if this were to happen, and when I say, if this were to happen is because risk management in the old days was to isolate risk and eliminate it. Risk management today is acknowledging that risks are part of life and you have to manage it. So if this were to happen to a company just based on some casual reading, is it even legal to pay a ransom if someone were to seize and take control of your own software for operating, whether it be your elevator, your equipment, or your tractors?
Sandy Bilus: That's a great question and the answer is: it depends. Honestly, it can depend on who you're paying this ransom to because the Treasury has issued guidance to companies saying that if you make a ransomware payment to one of the people on the sanctions list, the bad guys list, maybe a terrorist organization-affiliated person, or to a person in a country where you're not supposed to be sending money to, you can be hit with fines, significant fines for making that ransom payment. So there are ways to mitigate that risk somewhat of being fined, including by working early with law enforcement, getting them involved in the response and essentially getting OFAC to somewhat bless the ransom payment, and working with forensics experts to identify who you're making the payment to—all those things can lessen that risk. But absolutely, there is a danger that if you make that payment, you could be subject to significant fines.
Kermit Nash: So adding insult to injury, and speaking of just that kind of that risk awareness and risk management, when these things happen, they seem to happen quickly, but it seems like sometimes the software may be in a system for some time before they actually do something inside of the operations of a company. I'd love your insights on if someone is listening and they're thinking, well, this may not happen to us, but if it did, what would we do? It seems like prevention is where people should be thinking if this hasn't happened before. So let's pivot a little bit to prevention, meaning you're the company that's listening. This hasn't happened, but now you're seeing instances where it's happening in the industry and it's catastrophic, because everything stops in an instant. This becomes your sole focus. Give me a couple ideas. Give me your top three things that companies should be doing right now if they haven't been thinking about this more seriously, knowing that it could happen to anyone.
Sandy Bilus: Sure. So here are the top three things that I would think about if I were a company trying to get my arms around how to handle and prepare for this kind of threat. First, do you have an information security program, right? Is it written down? Does it contain administrative, technical and physical safeguards that are appropriate for your company, given what you do and the risks that you face? And I can talk about what those safeguards might be, but this is the key component of any information security program. Do you have somebody who's qualified overseeing and implementing that program and enforcing it? And then do you conduct a regular risk assessment where you look at the foreseeable internal and external risks to the security, confidentiality and integrity of your systems and your data, and you're assessing the sufficiency of the safeguards that you put in place to control for those risks? You basically look at the risks, you identify them, you identify your safeguards and you think about whether they’re effective. So it's a continuous process of assessing risk, putting safeguards in place and assessing the safeguards that you put in place. When I say “safeguards,” I said technical administrative and physical are the other three kinds of safeguards you can have. Physical—that's an easy one. Those are things like locked doors, locked filing cabinets, surveillance video, things to protect your physical business where you may be keeping data and systems so that people can't get physical access to those systems. Technical—those are your technical protections that can be access controls. So, you're basically authenticating and permitting only access to only authorized users and you're limiting those users to being able to access only the information they need to do their jobs, so they're not somebody who's a low-level employee who doesn't need an administrative access to every system in the company, all of the data. 
That's the way they limit their access. Do you have an inventory of your devices and your data? Are you encrypting sensitive data? Both when it's being stored and when it's being transmitted by your company? Do you use multi-factor authentication? That is something that many, many companies out there have rolled out in the last five years or so. All of us use it in one form or another, or should be. But your company can be using it too. And it's basically having more than one factor being required before a person is permitted access to a system. So it could be something they know like a password or pin, something they have on them, like a key or a remote access code, or something that they are, like a fingerprint or an eye scan. You combine those factors and it makes it harder for the bad guys to get into your system. Other technical safeguards that you want to think about are: how are you getting rid of data? Are you getting rid of data? A lot of companies just keep everything forever and they don't get rid of it and it sits there even though they don't need it. And it’s just sitting there as like a massive risk and amount of exposure. You've got all this personal data. You've got all this sensitive business data. Why are you keeping it if you don't need it anymore? Get rid of it and get rid of it securely. Don't just throw it in the trash. You know, if it was physical paper copies, but actually get rid of it in a secure way. Those are some of the technical safeguards and then administrative safeguards. Those are your written policies and procedures that govern training and hiring of qualified people. When you're bringing on a vendor, what are your procedures for vetting them and doing due diligence? Vendors are a significant gap and risk in your cybersecurity protection. They absolutely should be vetted and you should be paying attention to the safeguards they have in place. So those are some of the administrative types of safeguards you can have in place. 
So that's number one. I know it took a little while to get through, but that's number one, that's your information security program. There are lots of different pieces to it, but in a nutshell, that's what you want to be thinking through.
Number two for the other thing that if I'm a company I want to get in place as quickly as possible to help mitigate this threat are backups. Ransomware encrypts your system and your data so that you can't use it. If you have viable backups, you can avoid paying the ransom. And when I say viable, it means that they actually are usable because a lot of companies will set up backup systems, but they're not actually usable. They cannot rebuild their system, or it will take a long time to get back online and you end up being down for a long time just trying to use your backup. And most importantly, nowadays the bad guys know the best way to get around ransomware is for you to use a backup. They go hunting for your backups and they will look to encrypt the backups. So your backups have to be segregated from your system, have them offline, have them offsite, and have them encrypted. And you put your most essential information in those backups so that nobody can get to that stuff except for you. So segregate those backups. That's number two.
Then finally, if you're looking to get ready, I think it's absolutely crucial to have a written incident response plan in place. And what I mean by an incident response plan is a document that says exactly how you will respond to a cybersecurity incident if it happens. And it will lay out the goals of this plan, what your goals will be, and your process for responding to this event. It will define roles and responsibilities for the different people who will be involved in the response. It will talk about notifications, when you may need to do them, including sending it to regulators and sending it to individuals. It will talk about other external communications. (Cyber insurance—I hope you all have cyber insurance. This is not on my list, but this should be number four.) The incident response plan will go through how to document and respond to an incident and then how you will update your plan and evaluate what happened after an incident so that you're constantly improving it. And you train on that plan. Once you have that plan in place, you do what a lot of people call table-top exercises, meaning everybody gets together around a table and you have a hypothetical scenario laid out, saying: our company, for instance, has just been hit by ransomware. These things are happening. What do we do to respond? And you get the key stakeholders in the room. You get the people on the response team, and maybe other stakeholders who aren't typical members of the team, but might need to be educated about what could happen if there's an event like this and you walk through the response to the hypothetical event and that way you'll do a few really crucial things for your company. First, you'll identify weaknesses and gaps in your plan because it won't work exactly how you think it might, and you'll be able to improve it. Second, you'll all have gone through this event now.
There'll be a hypothetical event, but you'll at least have some understanding of what could happen so that when an event happens, and it's very possible it could happen, everyone won't be running around like chickens with their heads cut off. They will be ready to respond because they'll have trained for this. And the third good benefit of doing these exercises is it will scare the heck out of your bosses, the people who decide how to allocate resources, and they will see how bad this could be and they will make efforts to get you the resources you need to properly protect your company. So that's why it's so important to do these exercises on a regular basis. So those are my top three ways to prepare and to protect your company against an incident like this.
Kermit Nash: Sandy, that's just excellent. It seems like it's also the topic that should be front and center for boards of directors who are supposed to be overseeing the operations of the company, but also managing that risk as fiduciaries to the company. I remember a couple of years ago now, before COVID, the number one issue affecting boards was they felt that companies had a lack of preparedness for cybersecurity risks. I think maybe I've forgotten that a little bit with other types of risks in business, but that still remains as something that's largely unmet. And, you know, I just have to say, I appreciate how you're addressing what could be the scariest period in the life of a company if everything gets brought to a sudden halt, because all of a sudden things don't work properly. And just some data points, 75 percent of all tractors in use today in the U.S. are either using some form of satellite technology, are driven by software, or are driverless and so they're 100 percent dependent on using software just for operations in the field. Sixty percent of all dairies use software systems to control gates in the flow of product, and food processors are pretty high on the top of the list where 85 percent are dependent on some type of open source software to run operations. Not to mention, every company probably has payroll, which is online and information about customers and pricing. So, you handled a very scary topic with a lot of calm and I appreciate that. One thing that you mentioned, I think this is going to help lead us home, is that tabletop exercises sound like war games. As I hear a lot of this, these are things that large companies obviously need to do, but it sounds like it's spot on for even your small-to-medium sized companies. Tell me where you fit in, Sandy, because it seems like this all comes down to not just the legal risk, but there are action steps.
Tell us about how you are involved in that and maybe the good takeaway here is when should they call you?
Sandy Bilus: Yeah, sure. What do the lawyers do here? I think it's a great question. We help in a few ways. One way is on the preparation side. I regularly help companies create and revise their incident response plans and other policies that make up their information security program. So I'm not a technical expert, although I have a lot of technical knowledge, I'm not a forensics computer guru, but I'm able to come in and look at your policies and procedures to make sure they make sense, that they comply with any laws that may apply to you, to think through your notification obligations, if you have an incident, and things like that. So on the prep side, I help write these things and work with companies. When it gets to a tabletop exercise and to a real event, you absolutely want lawyers as part of your team for a few reasons. One is you may have legal responsibilities coming out of the incident, whether it's notifying regulators, being required to notify regulators, or individuals’ personal data was exposed in an incident or for interfacing with law enforcement and being a liaison to law enforcement because a lot of times you're going to want to get law enforcement involved early and throughout the incident, in part because if you're going to be paying a ransom, like I said earlier, you can be walking into some fines if you don't do it right. Another reason to involve lawyers in the response to an incident is you have an argument that your investigation of the incident is privileged and is protected by the attorney client privilege, which means if there is litigation down the line arising out of what happened in that incident, the things that were said between the lawyers and their clients and the experts helping the lawyers advise their client will be protected against being required to be disclosed to the other side in a lawsuit. 
So it's absolutely crucial if everybody's in a room talking about an incident, what they did was wrong and why they were negligent, you want a lawyer involved in that conversation to protect, or at least give you an argument that that conversation should not be discoverable in a lawsuit.
Kermit Nash: Right. That's excellent. The quick takeaway is preparation and prevention is going to be key. Getting involved early and often is going to be very helpful, especially to make the case that the company was being diligent and taking steps to prevent this from happening. But it also sounds like, Sandy, that if not every step was taken and some of these bad actors are pretty sophisticated, if it happens, they're not completely stuck either. It sounds like there's a way if you call it quickly enough and get the right people involved, sounds like we need you on speed dial, there are things you can do to help mitigate as well. Is that fair?
Sandy Bilus: Absolutely. You want to set up those relationships with your outside people who are going to be involved in your response team before it happens so that you're not negotiating an engagement letter while at the same time you can't get access to your Outlook account, right? So you set up those relationships with your outside counsel and with forensic experts, the technical guys who can come in, help identify what happened, fix what happened, get you back online and preserve evidence relating to what happened. You set those up in advance and you hire those forensic guys through the lawyers so that they are advising the lawyers as experts, which makes it more likely that you can argue that their work is protected by the privilege as well. You do all those things in advance and then you'll be on a much better footing when something happens.
Kermit Nash: Well, Sandy, thanks so much for your time. As always, I enjoy our discussions, but I learned a lot and appreciate your time. For those listening, I hope you enjoyed your time with us. Please be sure to join us next time on “Don't Miss a Beet.”
Sandy Bilus: Thanks, Kermit.