Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Food and agriculture critical infrastructure operators matching Mackay Sugar's profile (large-scale OT-dependent production, time-sensitive seasonal operations, and known targeting by ransomware groups) face elevated likelihood given demonstrated active threat actor interest in this sector. Impact is high because a mill shutdown during crushing season translates directly to irreversible production loss (cane cannot be stored indefinitely), contracted grower obligations, and potential export commitment failures that compound beyond the initial downtime window.
Treatment rationale: The combination of OT exposure, seasonal production dependency, and extended recovery timelines for physical plant recommissioning makes acceptance untenable and avoidance impractical for a core production operator. Active risk reduction (OT network segmentation, resilience controls, and incident response preparedness) is therefore the only viable primary treatment.
Third-Party / Supply-Chain Risk
Contracted cane growers depend on mill availability for crop delivery and payment timing; a prolonged shutdown creates upstream supply-chain disruption to growers with their own financial exposure. Export customers and commodity brokers holding forward contracts face delivery risk. Shared industrial control system vendors or remote-access service providers (common in distributed OT environments across multi-mill operations) represent a potential lateral or initial-access exposure that warrants third-party access review under NIST SP 800-161 supplier risk management practices.
Loss Exposure (illustrative)
Magnitude: High — illustrative $5M–$50M+ range for a multi-mill, multi-week shutdown during peak crushing season
Frequency: For an OT-dependent food and agriculture operator with this profile and sector targeting trends, an illustrative primary event frequency of once in 3–7 years is plausible; secondary loss events (grower disputes, contract penalties) could follow independently.
Annualized: Illustrative ALE framing: at a midpoint loss of ~$20M and a 1-in-5-year frequency, an illustrative annualized figure approaches $4M — this is directional only and should not be used for financial reporting or insurance placement.
Basis: Loss magnitude driven by: (1) crushing season revenue concentration — Australian sugar mills operate a defined seasonal window where halted production is not recoverable; (2) OT recommissioning timelines typically extend recovery by days to weeks beyond IT restoration; (3) contracted grower and export obligations create secondary financial exposure beyond direct production loss. Frequency framing based on observed ransomware campaign cadence against food and agriculture critical infrastructure as a sector, not Mackay Sugar's specific historical incident rate, which is not available.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Ransomware-forced operational shutdown may trigger business interruption provisions under a cyber insurance policy — verify with broker whether OT-driven production loss is covered under the policy's definition of 'computer fraud' or 'system failure'.
• Export supply contracts with force majeure or delivery-guarantee clauses may be implicated by a prolonged mill shutdown — verify with counsel whether the ransomware event qualifies as a triggering condition and what notice obligations apply.
• If any grower payment systems or personal financial data were resident on affected business systems, Australian Privacy Act notification obligations may be relevant — verify with counsel and the Office of the Australian Information Commissioner (OAIC) guidance on eligible data breaches.