
Weak Link in the Supply Chain: Why Distributors Need Cyber-Insurance

In January 2020, the FBI delivered a cybersecurity alert warning private sector distributors of increased cyber-attacks against supply chains in the United States. Cyber-criminals—acting in independent groups, for state-sponsored programs, and as lone wolf attackers—target distributors to access and manipulate strategic partners and customers as well as extort money through ransomware attacks. Today, distributors and wholesalers rely heavily on software to manage supply chain logistics. Furthermore, new technologies in the supply chain industry, such as mobile devices used to confirm delivery or receipt of products and/or payment, have created new vulnerabilities and risks for distributors who rely heavily on mobile networks.

Reviewing your cybersecurity posture is an essential step to proactively safeguard your company’s data and other resources and, as Ice Miller’s Data Security and Privacy team discusses below, cyber-liability insurance is an effective tool to fill the gap between your company’s current cybersecurity procedures and potential risks.

Recent Attacks on Distributors

Two large food distributors—California-based Harvest Food Distributors and Michigan-based Sherwood Food Distributors—fell victim to a May 2020 ransomware attack that leaked more than 2,000 files containing confidential customer data and proprietary vendor information. A criminal group known as “REvil” deployed a highly evasive ransomware called “Sodinokibi” to gain access to the distributors’ data and threatened to expose full folders unless the distributors paid REvil’s $7.5 million ransom. Attacks on large distributors have rippled across the globe, too, as Lion Dairy and Drinks, one of the largest milk processors in Australia, was forced to completely shut down production for days after a ransomware attack on its distributors’ and suppliers’ IT systems.

Whether your company is forced to halt distribution, pay millions of dollars in ransom payments, or restore or rebuild corrupted systems, cyber-liability insurance can help you recover the costs of a devastating cyber-attack.

Tips for Acquiring Cyber-Liability Insurance

As you explore your cyber-liability insurance options, however, it is important to select policies that address specific gaps in your other insurance policies. Although many insurers have tried to move cyber-risks from traditional policies, such as property and casualty insurance, to modern cyber-policies, your general property, crime, or computer fraud policies may already cover costs to replace or rebuild system infrastructure. Nonetheless, modern cyber-policies are generally more helpful for responding to ransomware attacks specifically. Many cyber-policies provide specific coverage for cyber-extortion, data restoration, and business interruption losses resulting from ransomware attacks. Companies should review their existing policies as well as others offered in the market to understand their current cyber-risks. In addition, while ransomware continues to grow as a threat, other attack vectors, such as fraudulent transfer schemes, are very common. Ensuring your coverage is comprehensive and matches your risk profile is a good investment. Here are three tips for assessing what cyber-policy is best for your company.

  1. Ensure the policy has specific provisions for funds-transfer-fraud and cyber-extortion.

    Funds-transfer-fraud (FTF) and ransomware attacks have both increased dramatically in the last year, and these attacks are typically the most costly. In an FTF attack, cyber-criminals often gain access to an employee’s email account and induce another company, such as a service provider or vendor, to transfer money to a fraudulent bank account. Not all policies cover this specific attack because they exclude losses incurred as a result of “social engineering”—in this case, the employee who allowed, intentionally or unwittingly, a criminal to access the employee’s account. Cyber-extortion coverage, on the other hand, is helpful for ransomware attacks, as it often provides relief for ransom payments, negotiation with cyber-criminals, and the cost of computer forensic investigations.
  2. Obtain retroactive coverage when possible.

    The majority of cyber-liability insurance policies limit coverage to security incidents and data breaches that occur after a “retroactive date.” Without retroactive coverage, losses incurred from a security incident that occurred before the policy was purchased may not be covered. This means that if you did not know about a data breach or security incident when you purchased the policy, but you discover it 30 days later, the insurer may not cover these losses because the breach or incident actually occurred before you purchased the policy. Although it may be harder to find retroactive cyber-coverage in common cyber-policies, ask for a retroactive date that is earlier than the purchase date.
  3. Negotiate consent provisions.

    Most cyber-policies require the insurer to preapprove any forensic investigators, outside counsel, or security consultants before your company may hire them to assist in data breach response. Many companies already have outside counsel who assist on other general legal matters or consultants who advise on information security issues. Unfamiliar attorneys and experts can create additional uncertainty at a particularly chaotic time for your company.

If you are a distributor and require additional information about cyber-liability insurance coverage, please contact Nick Merker or Mason Clark.

Nick chairs Ice Miller’s Data Security and Privacy Practice and leads the Firm’s Esports and Video Game Law Practice. Nick’s experience is unique, as he is one of a handful of lawyers in the country who worked as a computer systems, network, and security engineer for 10 years before practicing law.

Mason is an associate in Ice Miller’s Data Security and Privacy Group. He has a master’s degree in Cybersecurity Risk Management, and he is a frequent presenter on data security and privacy issues at conferences and presentations across the country.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.