Cyber security considerations for Australian agriculture supply chains

In recent years, Australian agriculture has seen considerable growth in investment in technology (Agtech). Agtech, including artificial intelligence (AI) tools, digital agronomy and precision agriculture hardware, together with the digitisation of contract management and trade, have advanced the industry, with some benefits including increased productivity, enhanced sustainability, reductions in costs and general improvements in efficiency.

Significantly, the market for use of AI tools in the global agriculture industry is set to grow from USD1.7 billion in 2023 to USD4.7 billion by 2028¹, highlighting the increasing role of technologies in the sector and also signalling a period of significant industry transformation.

Increased digitisation creates greater opportunity for criminals to target individual businesses – and supply chain vulnerabilities – through cyber attacks. Over the past five years, the Australian agriculture industry has faced major cyber attacks affecting the grain, beef and wool trades and resulting in considerable disruption as well as substantial financial losses. As such, it is clear that the technological advancements across the agriculture industry necessitate a corresponding significant increase in cybersecurity for all stakeholders across supply chains, in order to minimise risk.

With the above in mind, cyber security risk management has become central to business operations and, where needed, expert advice from specialised cybersecurity companies and consultants should be considered to ensure optimal risk mitigation. An effective cyber security plan – including a cyber incident response strategy – is critical to minimising disruption and potential financial losses.

Such plans are likely to include a number of straightforward practical actions, including:

• Installing firewalls and third party anti-virus software
• Enabling multi-factor authentication
• Downloading software updates promptly
• Restricting access to sensitive data and documents
• Utilising cloud storage
• Using a password manager

• Utilising external hard drives to back up data
• Using secure payment platforms

From a legal and compliance perspective, we recommend that clients consider the following:

Staff Training: Human beings can be the vulnerable link in an organisation because a subtle change is hard to spot, particularly in familiar and routine messages which are perhaps not scrutinised in detail. Training to identify phishing attacks and establishing good practices such as checking with a counterparty on receipt of new account details can prevent attacks from succeeding.

Third Party Providers: Another vulnerability can be third party providers. If you use brokers or agents, it would be advisable to conduct due diligence on their cyber security protection and where possible, require them to obtain a recognised cyber security certification. Many trading companies and banks now place a greater emphasis on information and cyber security in their onboarding processes.

Contractual counterparties: As well as protecting your own organisation, in some circumstances – where regular or high value trading is involved and depending on your commercial bargaining power – you may also want to consider including an express contractual requirement that your counterparties obtain recognised cyber security certification.

Contractual protections: The allocation of risk if a phishing attack succeeds can be expressly agreed in your contracts in advance. A number of traders are introducing clauses into their standard form contracts which specifically require that parties who receive a request to make payment to a new account must independently verify the new account details with their usual contact at the counterparty entity. Whilst this ought to form part of standard good practice in any event, such clauses seek to allocate risk if a party makes payment to an unverified account without conducting proper checks.

Recent case law

The importance of what parties agree in their contracts is illustrated by an England & Wales court judgment, K v A.²

A contracted to sell sunflower meal to K on a FOB basis under GAFTA Form 119. They used a third party intermediary broker, V. After loading the goods, A sent V two emails with invoices and bank account details for payment and V forwarded them to K. K denied receiving these emails – instead, it received emails appearing to come from V with attachments directing payment to the right bank but to a different account. Without realising that a fraud was underway (and without checking), K made payment to the different account. Once the fraud was discovered, payment was made to the correct account but with a shortfall caused by currency conversions. A claimed the shortfall against K in a GAFTA arbitration which was ultimately appealed to the English Commercial Court.

At first instance, the tribunal had ruled that the loss should be borne by the party whose account was hacked (being A). On appeal, the GAFTA Board of Appeal held that under clause 18 of GAFTA 119, the emails with the correct account details sent by A to V constituted good notice. K therefore bore the risk of receiving the wrong account details. A had sent valid and correct notices and K had failed to pay.

K appealed to the English Commercial Court. Ultimately the Court focused on the contractual payment obligation, which was to pay the price in “net cash: to A’s bank within 2 days of presentation of documents, which must include a commercial invoice“. It held that the contractual obligation was to make payment to A’s bank for A’s account in the sense that it must be accompanied by the account details which A had notified. K had failed to do this and so K carried the risk of the loss.

HFW Comment

Given the risk of cyber attacks is widely known, the best protection is to take steps in advance – both practical and legal – to prevent cyber attacks and/or to minimise the risk of damage. Preparedness is key.

Footnote

1. The Future Of Farming: AI Innovations That Are Transforming Agriculture
2. K v A [2019] EWHC 118 (Comm)