Podcast

Cybersecurity on the menu: A recipe for supply chain resilience

Risk-Ready Recipes Podcast Series Season 1 - Episode 4

February 11, 2026

Alternative Risk Transfer and Financing | Climate | Crisis Management | Cyber Risk Management and Insurance | Risk Management Consulting
Climate Risk and Resilience | Geopolitical Risk

In this episode of Risk-Ready Recipes, Sue Newton, UK Food & Beverage Leader at WTW, is joined by Ian Cairns and Matt Ellis from WTW’s cyber team about the rising threat of cyber attacks in the food and beverage industry.

They discuss recent incidents, why the sector is a target, and how increasing levels of automation and AI add new challenges.

The episode covers practical steps for managing cyber risk, the protection provided by cyber insurance and key actions businesses should take to stay protected in 2026.

Practical risk management advice for the food and beverage sector

Transcript for this episode

MATT ELLIS: The scenario piece for me is from an insurance point of view, the most important. It also gives you the ability to look at how much limit you may want to buy from a quantification point of view and making sure that the coverage that you get is fit for your organization and not something that's just off the shelf.

SUE NEWTON: Welcome to the Risk-Ready Recipes podcast series, where we serve up insights at the intersection of risk management and insurance in the food and beverage industry. Whether you're a manufacturer, producer, or distributor, our goal is to equip you with the knowledge and tools to navigate risk with confidence so you can focus on what you do best.

Hello and welcome to today's podcast. Today's focus is on cyber risk, a growing threat which can disrupt production, compromise supply chains, and even put food safety at risk. With increasing digitalization from automated production lines to connected logistics, the sector has become an attractive target for cyber criminals.

I'm really pleased to be joined today by my colleagues Ian Cairns and Matt Ellis from our specialist cyber team. In this episode, we'll explore the cyber vulnerabilities in food and beverage manufacturing and the practical steps you can take to strengthen resilience. Matt, can we start by discussing the recent history of cyber attacks on food and beverage businesses, please?

MATT ELLIS: Yeah, hi, Sue. And hello, everybody. I think if we start from the top, we're all aware that there are many different sectors in the food and beverage space. This ranges from production to processing, and also distribution, as Sue has mentioned. And there have been a number of attacks impacting business operations across the globe in all of these areas.

They've impacted different organizations, from cooperatives, breweries, and dairy operations in Europe, North America, and other geographies. But you also need to consider the other sectors within the food and beverage space, around farming, and how it might impact elements such as animal welfare. In fact, in one instance recently, it has contributed to the death of some livestock in Switzerland, due to failures in the monitoring of that livestock following a cyber event.

So there's an awful lot going on in this space. If we look at the US, for example, there's been some recent supply chain disruption over there, and there were even reports that the hacker group Scattered Spider, which Ian may mention later, has moved on from the UK retailer attacks into the US, including food production as part of their target list, if you like.

The other thing to mention, I suppose, is where production sits in the chain, not only from a supply point of view, but also in the way that production, or breweries, or farming supply their customers, and how an impact at the end customer could influence the way that you're able to distribute your produce or your stock. So a cyber event happens at a retailer, and they cannot take your product, for example; how is that going to impact you? And we've seen that quite recently, again, in the UK following the spate of retailer events towards the start of the year and in the middle of the year.

SUE NEWTON: And in terms of why the food and beverage sector has become a target, and clearly we have seen a lot of attacks on the sector, can you speak a little bit about why it has become a target? Perhaps this is one for Ian to kick off.

IAN CAIRNS: Yeah, thanks, Sue. When we start looking at the food and beverage sector, it's so vast. There are a lot of household names, household brands, in there. And so therefore, if you have a cyber attack and the aim of the individual or group conducting the attack is to raise their profile, to get themselves some notoriety, then obviously the food and beverage sector works very well. You can gain some real traction in news cycles and news outlets.

But the other thing as well is that they see it as maybe a sector that doesn't invest quite as heavily in its cyber controls as something like financial services would. So therefore, there may be more opportunity there to gain access to systems where they shouldn't be, if we're talking about malicious bad actors. But also, I think, the attraction comes because there could be challenges presented there.

There could be some very niche, bespoke operational technology used in food processing plants, within bottling, canning, whatever it may be, that can prove an interesting challenge, because they want the challenge to relieve boredom, to prove to their friends they're a better hacker than their friend may be. I also think, when we start looking at the supply chain piece, it might not be directly attacking the food and beverage manufacturer, but it could be attacking the company that supplies your glass bottles.

And actually, if they lost their glass furnace, what would the "so what" be? How long would it take for you to use an alternative supplier to meet demand? Do you have to slow down your own production? What does that mean for your onward sale of a product? All these things in isolation may not seem like a big issue, but actually, the knock-on effect, the tail of it, could be huge. And that becomes a bigger concern, I would say, as Matt alluded to: the supply chain.

MATT ELLIS: Yes. Ian, I just wanted to add on this as well that with the food and beverage industry, you have the added challenge and the pressure on production for things like contamination, public health, and spoilage, which is often pulled into the public eye, as you mentioned, with the notoriety element of hackers as well. So there's this added level of complexity and consideration that this industry has, especially when you move further down the chain to the public side and the public view of each brand.

IAN CAIRNS: Yeah, that's absolutely a valid point, Matt. What reputational damage does having a cyber attack do? Does the reputational damage put doubt in the consumer's mind over the quality of your product? Is it safe? Has it been contaminated? Yeah, absolutely, this all feeds into the consumer's mind. And sometimes there might not actually be a problem, but then we come back to the messaging and handling of a cyber incident. If you leave a void, someone will fill it. And in the world of social media, someone will absolutely find time to fill it for you.

SUE NEWTON: And in terms of how you see these attacks typically unfolding, Ian, when you've dealt with them, what typically happens if these attacks occur?

IAN CAIRNS: The two main vectors through which we would see an attack occurring: one of them is a misconfiguration of an IT service or control product, so it's maybe been exposed to the internet when it shouldn't be, or there haven't been mature enough controls in place to monitor the activity on it. So someone could find a router or a switch that's exposed to the internet and still uses the manufacturer's default password. And from there, they would then look to log in.

It could be some software-as-a-service solution where people have used a weak password or reused a password, and we don't have MFA (Multi-Factor Authentication) in place, that control to prevent unauthorized access. So someone can easily get in that way and potentially look to escalate privileges or steal other people's credentials who have greater permissions. The other typical vector we would see would be from the social engineering side. This, as Matt alluded to, is Scattered Spider.

They've had quite a successful year in 2025, unfortunately for a lot of industries. By being English-speaking Western European and North American individuals phoning up help desks and impersonating genuine employees, they've then used that to get people's passwords reset, maybe get MFA tokens reset, which then allows them to log in with a genuine credential. That can make detecting malicious activity very difficult for cybersecurity defense teams, and it gives them that lateral movement around an organization.

So therefore, they can then start stealing information. They could potentially start modifying how operational technology is performing its role. They could tamper with data; as Matt alluded to earlier, the deaths of livestock in Switzerland, that was ransomware which led to that. And again, once they're into the system, they lock up data, steal data, cause issues with systems. They may not have the intended effect of what the attacker wanted, but certainly they cause disruption. It makes the news, and unintentionally, they may get something. They may get a high profile from that.

SUE NEWTON: Sure. And obviously, we've seen an increase in automation in food production, all aspects of food production, over recent years, and that's continuing and growing. And also the use of AI now in production, logistics, and supply chain systems. How does this change in the use of technology impact upon that risk, that cyber risk?

IAN CAIRNS: I think if we tackle the AI element first, it is to be mindful, when we're talking about artificial intelligence, that it is not just your Copilot, ChatGPT, that generative AI piece. There is also the artificial intelligence used by logistics companies to plan routes most efficiently, so they need the least number of vehicles, use the least fuel, and maximize how they're doing this.

Previously, it would have been maybe a group of people working in a room together, planning routes, and now it is handed over to AI. So there is the risk there that maybe the logistics side doesn't work quite as smoothly because something has tampered with the AI, or maybe the AI does something unexpected because it's working to the parameters the user set it, versus coming up with its own idea.

With regards to what that would then look like for the production side of things, if you can't get a product out because the logistics side of things isn't working, does that become spoiled? Is that wasted product? But then also, if you can't get product in, what would that look like, because then do you have to shut down production lines?

When we look at the automation piece, is there a risk that, if someone tampers with the automation, the production line does something unexpected? What does the shutdown and restart process look like for some of these production lines, because some of them can be incredibly difficult to shut down and bring back online quickly. And so therefore, we need to be considering, if we have to bring a production line to a halt, do we have a good plan and process in place to bring it back online? Can we just slow the production line down, versus completely shutting it down?

SUE NEWTON: Yeah, and I think we've seen examples of companies which have had their entire production shut down, sometimes for quite lengthy periods. So financial impact, reputational impact, and an impact on their customers and suppliers, I guess, obviously very serious when it happens. So could you talk a little bit about risk management, Ian? And can we talk about some of the practical risk management measures that businesses should be either taking or considering taking?

IAN CAIRNS: Yeah. From a risk management point of view, having a list of your critical systems and understanding which are your critical systems; that would also then extend out to your critical suppliers, so who is critical within your supply chain? Maybe consider customers as well, depending on the size of the organization. If you have a customer who takes 75% of your produce, your end product, does that pose a risk to you if they said, well, we can't take anything for a couple of weeks because we've experienced a cyber attack?

And then with that, the due diligence work that comes with it. So understanding what controls are in place at which supplier, what contractual obligations you can put in place. Right to audit springs to mind. It's always a good one to be able to check and go and see what is actually happening there. Yeah, I think that would be really important. But also, it's a bit like you can't really build a house without the foundations, and a lot of the time the governance piece is really important.

So having the policies, procedures, and processes in place to allow all this activity to take place. Sometimes we can see people try and put some really good processes in place, but there isn't actually a policy underlying it. And so that governance piece, without actually defining what we're going to do and how we're going to do it, sometimes falls apart a little bit. I don't know what Matt's take on risk management processes would be.

MATT ELLIS: Yeah, thanks, Ian. I agree with everything you've said on this, really. I think the preparation piece from a risk management side of things is making sure the right stakeholders know what the actions are if there were to be a cyber event, whether that's a malicious event, a hacker, or even a system failure type event that causes a shutdown of a production plant or something in the logistics chain, and so on.

So I think understanding that, and really looking at scenarios that are unique to your business and how your business operates, and using those scenarios not only in the development of how you manage your risk, but also, when we come on to talk a little bit about cyber insurance, these scenarios will be important to use when you look at the way that your insurance could respond, or how you mitigate.

These potential scenarios are very useful in all sorts of ways, whether it's the insurance side of things, or what your potential loss could be, how you look at your mitigations, how you look at responding to the different scenarios so that you don't impact the way that your business operates, or you have as limited an impact as possible.

SUE NEWTON: So, Matt, could you take us on to consider cyber insurance and what cyber insurance covers, please? And also, could you talk a little bit about what support cyber insurance provides to clients in the event of an incident as well?

MATT ELLIS: Yeah, of course, Sue. So when you're considering cyber insurance, and how you might want to place a program, or even whether it's something that you want to move forward with, as I mentioned a little bit earlier, building out your scenarios is a really important element. It not only helps you with understanding how much limit you might want or how you want to structure your retention, but it also enables your broker, and you, to really understand where cover may exist in the cyber policy, or what your broker can build for you within your policy.

So generally speaking, the coverage that you would receive from a cyber insurance policy falls into two main buckets. You have your liability, which is predominantly around your responsibilities over the data that you hold for consumers, for clients, for customers, and also your employees. That includes things like the liability you might have if you inadvertently pass a virus, or a piece of ransomware, from you to one of your consumers, or to a business partner, one of your suppliers.

And then on the other side of the coin, you have your first-party costs, which would likely be the most important element for a food and beverage company operating in the business-to-business space. There you would receive cover for an interruption that's caused by a cyber event, and that can be caused either through hacking, a malicious event, or even if your IT systems or your operational technology systems were to go down through what's sometimes known as an unplanned outage.

And this would be your loss of profit for the period of time that you're out. It can also include costs for mitigating that loss. So if, for example, you need to move your warehousing to a different location, or you need to move your production to a different location, those costs can be included there. You can also get costs covered for replacement hardware, what's known as bricking cover.

So if somebody was to lock up your IT systems, it's sometimes actually cheaper to replace the laptop or the desktop or the server, or whatever it might well be. You can get those replaced instead of going through the additional costs of trying to get an expert in to unlock it, because it's more expensive to do that than to buy the new hardware. The third element that comes into a cyber insurance policy is, as you mentioned, this support piece. And this is where insurers find an awful lot of value, because you don't just get the forensic support, but you also get your legal advice, and you can get even more specialist advice around things like ransomware.

So ransomware experts will come in and talk to you about what's happening. They'll give you advice around who the bad actors are, the likelihood of you being able to recover your systems, and what the likelihood is of these people being honorable, if you like; for want of a better term, it's honor amongst thieves. It used to be a lot more prevalent within the hacking community that if they said they were going to destroy the data, they would usually destroy the data. There's been a trend recently where this isn't happening as much as it used to.

So when a bad actor turns around and says, why don't you pay us X amount of money, and we'll unlock your system, and we'll also give you back your data and destroy the data, there are occasions where they are not following through on that word. Then they come back and ask you for more money at a later date, because they haven't destroyed that data like they originally said they would. But you get all sorts of advice around this.

You'd also get additional services, like public relations specialists, who help you manage the message both internally and externally, and various other things like platforms to help you have secure communication when you're down, because you don't want a bad actor sitting in your system and listening to your communications.

So certain insurers nowadays, and certain third-party providers, can give you these offline platforms, these out-of-band platforms, that enable you to communicate securely, so that the way you're dealing with the event is kept between the people that need to know about it. Those are probably the main elements, to summarize. Ian, I don't know if there's anything you needed to touch on around the ransomware piece, any of the advice that you can get around that?

IAN CAIRNS: I think it's difficult with the ransomware piece. We're seeing more of that double, triple extortion going on because it's a way of making more money. I think it's always important that you maybe have a policy in place. As an organization, you've made a decision on what you're willing to do in that scenario, but be mindful that if you come up with a number, don't save it on a computer somewhere in your IT networks. That then gives the malicious actors a definitive guide to how much you're willing to pay.

It's difficult to know what the right decision is to make as far as ransomware goes, and payments and recovering data, etc., because it will be different for every business, and it will be unique in every situation. And yeah, I think it's just worth having a discussion on whether you'd have a policy as a business to pay or not to pay before the worst case happens.

MATT ELLIS: Yeah. So it's not quite as straightforward as that. But yes, there is cover for this, the ransom payment, under a cyber policy, but it has to be where you're legally allowed to do so. There are also all sorts of things to take into consideration to do with sanctions: about who you're paying, the attribution element of who is requesting that ransom, and where that money ultimately ends up, so it's not going somewhere that funds terrorism and those types of things.

But there is cover for that ransom payment, and there's also help to make that ransom payment, so the setting up of Bitcoin wallets and bits and pieces along those lines. But each circumstance needs to be taken on its own merit, and different geographies as well have different views on the settlement of ransom demands, whether it's legally allowed or not. And that's obviously been a recent discussion in the UK, about the settlement of ransoms for certain industries.

So having the right people in the room to advise you at that time, for that specific situation, is really important. It all comes out in the underwriting process: what you've done if you've been impacted before, whether it's still part of that same event. There are lots of considerations around that, such as how long they've been in the system for. And obviously, if you've already had one event, and you were insured for that, how much, and it happens again in the same year, how much limit have you got left?

But there are all sorts of different things that you can buy to protect yourself, or to give you more protection from a limit point of view, things like reinstatements and so on and so forth. But speak to your broker about the best way of structuring a program around this potential second event or a continuation of the first event, and advice around that. Your broker is going to be the best person to talk to you about your unique scenarios, if you like.

SUE NEWTON: To finish off, could we have a piece of advice from each of you if you were to focus on either one or a couple of things that you would advise businesses to be doing as we head into 2026?

MATT ELLIS: From my point of view, one of the key elements that an organization needs to look at is the scenarios that I mentioned a little bit earlier on. So really understanding how a cyber event could impact your organization gives you that foundation to then go forward and look at where you currently have cyber cover, because you may have cover under existing insurances in your portfolio. You can then understand the gaps and look at any overlaps that you may have.

You can look to mitigate or fill those gaps with suitable insurance, and make sure that you're not paying for dual insurance in two places. Everybody's got budgets that they need to adhere to. So the scenario piece, for me, from an insurance point of view, is the most important. It also gives you the ability to look at how much limit you may want to buy from a quantification point of view, and to make sure that the coverage that you get is fit for your organization and not something that's just off the shelf.

IAN CAIRNS: From my point of view, I would recommend understanding where your risks are. Have a clear, concise cyber risk register that is reviewed often. And then once you understand what your risks are, use something like a crisis management workshop to actually test the response to those risks, and understand who has the roles and responsibilities for each action, what that would look like, and what the impact may be on the business if we have to take decisions.

Because it's better to have that consideration in a realistic environment, in slow time, versus having to make a decision in a very emotive environment when this happens for real. And decisions could be people's livelihoods, and potentially it could even result in the business ceasing to exist, which we have seen. There was a haulage company last year that had an issue with ransomware through phishing.

And after 150 years in business, the haulage company went out of business because, unfortunately, there wasn't a plan in place. There wasn't that incident response. They didn't know how they would respond and what that would look like, and it ended up with the business being folded. So having that plan is really important, and testing it. And the best way to test it is through things like crisis management workshops.

SUE NEWTON: That brings us to the end of today's podcast. Thanks to Matt and to Ian for your insights and to you for joining us. If you enjoyed today's discussion, please subscribe, rate, and share this podcast. Thank you and goodbye.

Thank you for listening to this podcast from Willis, a WTW business. The information in this podcast is believed to be accurate at the date of publication. This information may have subsequently changed or have been superseded and should not be relied upon to be accurate or suitable after this date. This podcast offers a general overview of its subject matter. It does not necessarily address every aspect of its subject or every product available in the market.

It is not intended to be, and should not be used to replace specific advice relating to individual situations. We do not offer, and this should not be taken as legal, accounting, or tax advice. If you intend to take action or make any decision on the basis of the content of this publication, you should first seek specific advice from an appropriate professional.

Some of the information in this publication may be compiled from third party sources we consider to be reliable. However, we do not guarantee and are not responsible for the accuracy of such. The views expressed are not necessarily those of Willis Towers Watson. For further authorization and regulatory details about our Willis Towers Watson legal entities operating in your country, please refer to our Willis Towers Watson website. It is a regulatory requirement for us to consider our local licensing requirements.

Podcast host

Sue Newton
UK Food & Beverage Practice Lead

Podcast guests

Ian Cairns
Cyber Risk Consultant (GB Cyber Risk Solutions)
Global FINEX

Matt Ellis BSc (Hons), MSc
Director, FINEX PI, Technology, Media & Telecoms Industry Group