Back to Aon Insights

Bridging the Gap Between Innovation and Cyber Risk in New Zealand’s Food Agribusiness and Beverage Industry 

Key takeaways

  • To stay competitive in domestic and export markets, New Zealand’s food, agribusiness and beverage (FAB) sector is onboarding new technology across their operations. 

  • This creates potential exposure to cyber attacks, on an organisation’s own technology and infrastructure and across their whole supply chain.

  • By taking a connected approach to modelling and managing cyber risk, FAB sector organisations can better understand where their operations are vulnerable and how they, their customers, suppliers and insurance cover can respond.  


As a key industry for New Zealand's economy, the food, agribusiness and beverage (FAB) sector has always been driven by innovation. From robotic milking systems and packhouse automation to cold-chain monitoring, digital connectivity now underpins every part of production and delivery. This creates a complex web of risks and a business can experience severe operational and financial impacts even when not directly attacked.

This growing reliance on technology throughout the FAB value chain is creating pressure on boards, executives and risk professionals to better understand the nature of cyber threats, where exposure lies across their operation and supply chain and how they can address it. 


Technology Investment Is Outpacing Risk Awareness

The NZ FAB sector has undergone rapid, sustained technology investment driven by the need to increase efficiency and protect margins in the face of persistent uncertainty coming from shipping disruption, oil prices and tariff volatility and weather events. Technology has become one of the most reliable levers for businesses looking to offset rising costs and maintain their competitive position in domestic and export markets.

But that investment has not been matched by a proportional uplift in cyber risk awareness, management or transfer. Just 12 percent of SMEs — which make up 97 percent of businesses in New Zealand — carry cyber insurance, and only 7 percent feel prepared to respond to a cyber event. 

Historically, insurance programs for the sector have focused on protecting physical assets including land, infrastructure and livestock. With technology now equally critical to operations, risk leaders and boards need to extend that same rigour to assessing and mitigating cyber risk, across their own operations and their entire supply chain. 

The New Zealand government's recently released four-year cyber resilience strategy signals that regulatory scrutiny is increasing, particularly for critical and commercially significant industries. As a major contributor to the New Zealand economy and a supplier of essential goods to its population, the FAB sector is likely to be subject to the highest standards introduced under future legislation.
 

"There is a disproportionate gap between the value of what organisations have from a technology perspective and the protection they're getting, either from the insurance market or through risk management controls."

Duncan Morrison, Cyber Practice Leader, Aon New Zealand
 

The Supply Chain as Cyber Attack Surface

Many FAB businesses face significant risk exposure from cyber attacks on technology that isn't their own. Failure of systems they depend on, including packhouses, cool stores, logistics platforms, inventory management software, can result in significant downtime and lost revenue, regardless of whether the business itself has been targeted.

“Consider the grower,” says Duncan Morrison, Cyber Practice Leader, Aon New Zealand. “They may harvest their crop manually, but it can still be vulnerable to cyber threats, to operating systems and third party applications at the processing, storage and transport stages. If the packhouse that grades and stores produce experiences a cyber event, the consequences flow directly back to the grower and their customers.” 

The Marks & Spencer (M&S) cyber breach in the UK shows the cascade effect of an attack on a major FAB customer . After a ransomware attack forced the retailer to suspend automated ordering systems, primary suppliers were left unable to find alternative buyers for time and temperature-sensitive goods. 
Closer to home, third-party technology breaches in New Zealand's health sector demonstrated how quickly attacks on a platform providers can create widespread disruption. When data held by Medimap and Manage My Health was compromised, this exposed their customers to a failure to meet notification obligations, resulting in reputational damage for multiple organisations that experienced no breach of their own. These two events and their consequences offer a clear lesson for FAB businesses relying on shared platforms for export compliance, animal health records or inventory management.
 

“It only takes one part of the whole production cycle to be to be relying on technology. That single pinch point can put multiple businesses at risk. Few businesses have mapped what a cyber event at a key third party, whether customer or supplier, would mean for their operations, revenue or contractual obligations.”

Stephen Price, Senior Executive Director, Aon New Zealand


Changing Focus from Owned Systems to Operational Impact

Like most businesses, FAB organisations focus on foundational cyber security measures, such as multi-factor authentication, endpoint detection and user training to protect their operations. These measures are critical and should continue to be a priority, but business need to look beyond protection measures. 

“What is often missing is a clear understanding of the operational impact of a breach,” says Morrison. “Which functions would be affected, how quickly production could resume, and what the potential financial consequences would be. That analysis needs to extend upstream and downstream, to understand what happens if a supplier or customer has a cyber event and the knock-on effects through the organisation.”

“It makes sense for supplier due diligence to include cyber preparedness,” adds Stephen Price, Senior Executive Director at Aon New Zealand. “Business should be routinely asking suppliers whether they have cyber insurance, and to what limit. Their answer tells you whether they’ll have the resources and specialist support to respond and recover quickly, and to limit the impact on their customers.”


How Cyber Risk Solutions are Responding

In the past, cyber policies would typically cover the costs of responding to a breach, legal liability and business interruption from a direct attack on the insured. More recently, the market is offering innovative solutions to match the real-world exposure seen in events like the M&S incident.

Dependent business interruption cover is now available for losses coming from a cyber event at a supplier or customer. Physical property and stock damage exclusions that have long been a feature of cyber policies are also on the table for some insurers and their FAB clients. Cover for stock spoilage, for example, when a cool store or logistics platform is shut down by a cyber attack, can now be arranged.
 

"Over the last couple of years cyber insurance policies have innovated to keep pace with the rise in dependent business technology risk. It is now possible to get that cover in the market."

Duncan Morrison, Cyber Practice Leader, Aon New Zealand


In a sector used to managing uncertainty from commodity pricing and weather events to biosecurity threats, cyber risk is now creating new exposures up and down the supply chain that demand the same level of attention. A program-wide review of current insurance that maps cyber risk across property, marine, stock, liability and cyber policies can help optimise investment in risk transfer and close gaps in cover before they are tested.

Talk to Duncan today to find out more about ensuring your agribusiness is cyber risk resilient.

 


Related Articles

Manage My Health and MediMap: New Zealand’s Cyber Wake-Up Call
Laying In Wait: What On-farm Cyber Crime Looks Like
Building Climate Resilience in Global Food, Agribusiness & Beverage

1 Aon 2025 Global Risk Management Survey
2 Britain's M&S restores click and collect services 15 weeks after systems hacked

© 2024 Aon plc

This website contains general information only and does not take into account your individual needs or financial situation. It is important to note that limits, excesses, terms and conditions and exclusions apply to the products and services outlined on this website. Please refer to the relevant policy documents for details of cover, the provision of which is subject to the insurer’s underwriting criteria that apply at the time. Please contact us if you have any questions.