One topic that will increasingly occupy the industry in the future is cyber security in horticulture. But how great is the danger really – and what can each individual do about it? Specialist journalist Katrin Klawitter spoke to cyber insurance expert Michael Dutz of Dr. Ing. Hörtkorn Munich GmbH.
What are the particular dangers, especially in horticultural businesses?
Michael Dutz: Horticultural businesses are no more or less at risk than other companies. In addition to personal data, attacks can negatively affect “production processes” – irrigation, air conditioning and more – causing interruptions in operation or downtime.
Could you give one or two examples of the extent to which a horticulture business in particular might be threatened here? What are the typical gaps and why do they exist?
Michael Dutz: Even a horticulture business would hardly be able to function without IT today. As mentioned earlier, business interruptions are likely to be one of the key threats. In addition, there are reputational consequences that should not be underestimated, as well as enormous costs, including for IT forensics, as well as the notification of all customers and partners of the company. Alone, this cost block can easily amount to a six-figure sum.
What does good risk management mean in this context? How and what can a “normal” medium-sized company do ensure its security?
Michael Dutz: Basically, it is crucial that the respective company is aware of the risk and faces up to it. The technical prerequisites for an adequate degree of protection must be available, meaning that the IT budget is not the place to make savings in the future.
In addition, external checks such as penetration tests and IT security audits are useful at regular intervals. Organisational measures can often be realised without great financial expense. For example, implementing an authorisation management system or, to mention the quite banal, a proper password policy, increase security immensely.
One of the key “weak spots” in IT security is humans. Here, it is important to create the appropriate awareness, for example through regular staff training or confidentiality agreements. A functioning risk management system is the responsibility of the management.
What would you advise the normal horticultural business to do right away in order to protect itself? And what should they think about and tackle in the long term?
Michael Dutz: It is important for horticultural companies to analyse their own safety or have it analysed by professional service providers and to take appropriate measures. Of course, this also includes reducing the residual risk via an insurance solution.
The digital risk is growing steadily. We assume, therefore, that cyber insurance will, of course, be part of the insurance portfolio, such as a public liability or fire insurance.
A competent contact person for IT security incidents in this context is the Central Contact Point Cybercrime (ZAC) of the LKA (State Criminal Investigations Agency), Berlin. When should a company seek the help of these agencies, and how can they help?
Michael Dutz: A cyber attack quickly leads to a business crisis that threatens our existence. Notifications to authorities such as the ZAC, the central contact points cybercrime of the police of the federal states and the federal government for the economy, not least with regard to prosecution, should be a matter of course.
Cyber insurance companies also offer a crisis hotline. This hotline gives access to highly professional IT forensic experts who are available 24/7. Individual reports are not prioritised here. Authorities and possible crisis hotlines should be contacted immediately and preferably simultaneously.
On the topics of cyber attacks: You say a comprehensive insurance solution for companies in every industry will become essential in the future. Specifically for horticulture, what is already insurable, how and at what cost? And what will happen here in the near future?
Michael Dutz: Again, the horticulture industry is no different from other business models. In addition to securing the economic risks, thus protecting the balance sheet, cyber insurance has added value for customers that should not be underestimated. This added value is provided by the assistance module. Here, our customers are supported and guided in the event of a claim by specialists from the first suspected case to the restoration of the systems.
The cost of such an insurance solution, as well as coverage, still varies greatly in the German insurance market, depending on the individual risk situation, the desired sum insured and the deductible amount. The price range for a medium-sized company, for example, with 50 million euros annual turnover, depending on the desired coverage, is between 2,500 and 7,500 euros.
Cyber insurance is still a “young product”. The conditions will continue to evolve, as will the prices. As the number of claims increases, risk-adjusted changes to insurance premiums are inevitable.