What does the JBS ransomware attack mean for companies in meat & livestock?
It seems like the public conversation following the JBS ransomware attack has largely centered around the market implications of packer consolidation yada yada, with little attention to the fact that cyber security risks just punched the meat industry in the face and chances are strong to quite strong that ‘cybersecurity’ will be at the top of the agenda for executive teams and boards of directors for a while. Cyber attacks are in the news all the time and it’s easy to think of it as something for only CIOs of global corporations to grapple with. But this week the nebulous, hypothetical, happens-to-other-companies-not-us risk got very real.
Let me first say that this is *not* my area of expertise nor a topic I’d planned on diving into. And the dynamics around cyber security are wildly complex, I don’t know if the technical jargon or the geopolitics makes my head spin more. But my goal is to use Prime Future to explore the questions that matter to leaders across animal protein…and this one matters.
As a first principle:
we operate in a physical world that’s increasingly powered by digital infrastructure. That is not going to change, except to accelerate. Tin foil hats are not the answer, doubling down on risk management is…and if any segment knows about managing risk, it’s agriculture.
Cyber security risks are not going away, for $50B companies
or for 500 cow producers.
To put this whole topic in context, I want to share 2 helpful (or at least interesting!) resources that some generous Twitter friends pointed me towards.
The first is a report from the US Department of Homeland Security & USDA on cyber threats in ag, particularly given the rise of precision agriculture.
TLDR: Cyber security risk is industry agnostic. Ag companies are not unique snowflakes, which means mitigation strategies put to work in other industries also work in ag.
‘Most of the information management / cyber threats facing precision agriculture’s embedded and digital tools are consistent with threat vectors in all other connected industries. Malicious actors are also generally the same: data theft, stealing resources, reputation loss, destruction of equipment, or gaining an improper financial advantage over a competitor. Therefore, improper use of USB thumb drives, spear-phishing, and other malicious cyber-attacks, are readily available threat vectors for an attack; and the generally accepted mitigation techniques in other industries are largely sufficient for creating a successful defense-in-depth strategy for precision agriculture. ‘
However the report highlights that players across the ag industry may not be sufficiently equipped because of the rapid digital transition happening:
‘Precision agriculture is unique, however, because it took a highly mechanical labor-intensive industry and connected it online, dramatically increasing the attack space available to threat actors. Due to this, otherwise common threats may have unique and far-reaching consequences on the agricultural industry.’
(On page 20 there are some practical mitigation steps you might be interested in.)
The second great resource is a video of a conversation between Perdue Farms Director of Information Security, and FBI agents from the cyber security division. This conversation happened last month at the CyberAg Symposium…ironic timing, eh?
If you want a healthy dose of paranoia, I highly recommend watching the first 20 minutes. Here were my takeaways:
- ‘Cyber hygiene’ is a critical capability for businesses of all sizes. Cyber risk is not specific to the largest oil pipeline on the east coast or the largest global meat company, sometimes small to midsize businesses are the target of hackers precisely because they are less likely to have rigorous security in place, making them easier targets. And cyber hygiene extends to every employee, not just those in IT setting up systems and protocols.
- Business email compromise is the most common threat… No surprise there. But these attempts are increasingly low tech, but elegant and harder to detect. Quick story: I know a super tech savvy guy who works for a tech startup and yet found himself on the wrong end of a ‘business email compromise’ only after he’d purchased $2k of gift cards at what he thought was the request of his manager.
Cue the paranoia - it can happen to anyone.
- …but ransomware is, of course, the mega threat. The monetary loss from reported ransomware attacks was up 225% in 2020 compared to 2019, and the FBI agents in the video speculate that only a small % of attacks are even reported to the FBI.
- ‘‘Ransomware is when a malicious cyber actor gets into your system and takes it hostage until they are paid. It happens less often than email compromise but can be crippling to an organization.” ….or an industry, or an entire food chain.
- “Why would hackers attack an agribusiness with ransomware? Ag is a significant target because disruption is a large part of what they’re trying to create. Higher disruption increases the likelihood of the target paying the ransom. Hackers are looking for 3 characteristics in a target: 1) access, 2) vulnerability, 3) impact. Agribusinesses are highly likely to pay ransoms because you can’t have a manufacturing plant(s) down for 5 days while you wait for the FBI to investigate.”
That idea of correlation between impact of the disruption and likelihood of ransom payment makes the meat industry seem particularly at risk. The just in time nature of poultry and swine value chains, increased consolidation, and perishability of fresh meat are all factors that play into the ‘impact of disruption’ equation….it’s high, really high.
And while the biggest companies in this space are rallying all the resources to prepare for the risk, this is a risk for small to midsize businesses as well.
This whole thing kinda reminds me of post-9/11 when everyone was talking about bioterrorism risks in the food system.
This seems like a reasonable summary of the situation:
A final note on Honeycrisps & meat
‘Where’s the meat case equivalent of the Honeycrisp apple?‘ took a fun turn this week as folks pointed to multiple Honeycrisps in the dairy case. You may already have some of these in your fridge but let’s look at them in the aggregate for any relevant takeaways for meat & poultry processors.
(1) Fairlife: “We ultra-filter real milk to concentrate the naturally occurring protein and calcium. We do not add additional proteins of any kind. The proteins found in fairlife ultra-filtered milk reflect the natural whey and casein proteins found in milk: 80% casein and 20% whey. These are concentrated through the ultra-filtration process. Our filtration process removes most of the lactose and the remaining lactose is converted by adding lactase enzyme to ensure our products are lactose-free. This combination allows our milk to maintain the creamy and classic taste you love.”
In 2020 Coca Cola purchased the remaining shares of the company and said in the press release, “Value-added dairy products have been growing steadily in the United States, in contrast to the traditional fluid milk category.” 👀
(2) The A2 Milk Company: “The a2 Milk Company works with local U.S. dairy farmers to identify cows that naturally only produce the A2 protein type and process their milk separately, making it possible for those with sensitivities to enjoy 100% real cows’ milk.” The company reported $1.73B in sales last fiscal year.
(3) Maple Hill just launched net zero sugar milk. “Kinderhook, N.Y.-based Maple Hill Creamery says it released the nation’s first zero-sugar organic ultrafiltered milk. The average serving of milk has 12 grams of sugar; Maple Hill’s soft-filtering process skims out the sugar, carbs and lactose from the milk, but retains the farm-fresh taste and nutrition.”
- While FairLife and Maple Hill’s net zero sugar milk are a function of how the milk is processed, A2 is a function of genetic decisions.
- These plays all tap into the macro themes playing out in food (higher protein, lower sugar, health conscious, etc) without sacrificing taste. That seems like the right formula.
- Product differentiation only works when paired up with a strong marketing capability. The snazzy packaging and branding around FairLife tell a story that that private label gallon of milk or traypack chicken just…don’t. Buying or building a marketing capability is no easy task, especially for organizations that have traditionally prioritized operations above all else….but it’s a critical part of the equation for ‘Honeycrisp’ creators.
- You don’t often see upstarts in these markets going after the commodity business, upstarts instead look like A2MC or Shenandoah Valley Organic (chicken) going after high value markets. The irony is that in the packing industry, there are new players coming to the game with regional plants expecting to compete with large scale plants on efficiency alone. That is…puzzling. With current margin structures, it might work in the short run but it’s hard to imagine that play working out in the long run when the cattle cycle does what the cattle cycle does.
A final note in this discussion: Cattle Grading
From a beef perspective, one indicator of improved quality in the meat case is the % of cattle that grade prime/choice. That % has steadily increased in recent years. The question is, how much of that is as a result of how cattle are fed and how long cattle are fed, and how much is due to genetics?
The truth is that it’s some of both, though my hypothesis is that a significant portion of that shift is based on what happens in the feed yard.
But in most cases, data about how an animal performs in the feed yard or how they grade in the plant never makes its way upstream to the cow-calf producer making breeding decisions….and if the data doesn’t flow upstream, the incentives don’t flow upstream….which is a key reason that most producers make genetic decisions based on live performance metrics. You might even say that, to the extent the increase in prime/choice cattle is due to genetics, it’s due to the aggregate improvement of cattle genetics not due to specific decisions made by producers. On the one hand, maybe that’s a win despite the lack of market signals….but imagine how progress will accelerate as more supply chains align directly around specific product attributes for specific commercial objectives.
On the other hand, if 70+% of cattle grade prime & choice maybe it’s time to begin further distinguishing the upper end to increase potential value capture?
Prime Future Summary
You can get the first 47 editions of Prime Future in 1 PDF:
Prime Future is where I learn out loud about the big dynamics around livestock & meat. I’m on the Merck Animal Health Ventures team but this newsletter represents my personal views only.