EXCLUSIVE: Lessons Learned After UNFI's Cyber Incident
Progressive Grocer recently had the opportunity to sit down with United Natural Foods Inc. (UNFI) CEO Sandy Douglas to discuss how the company weathered the cyber incident that caused it to briefly shut down its business in June, what learnings it took away from the event, and how it hopes to help the industry deal with such issues. The interview took place during UNFI’s Holiday and Winter Selling Show at the Mohegan Sun resort, in Uncasville, Conn., which took place July 29-31. The following responses have been edited for greater clarity.
Progressive Grocer: First, are you able to talk about the company’s cybersecurity preparedness before this particular incident?
Sandy Douglas: Like any company our size, cybersecurity is a major priority. We had significant and modern investments in technology and process protocols, and you need it. This is an incredibly rapidly moving and unfortunately innovative area. But we had a good process in place and third-party experts at the ready. And, as you know, we moved within less than a day to completely shut the company down, based on the advice of the experts, which allowed us to recover faster, even though it was a significantly challenging experience for our customers. We were able to react based on good advice from experts and ultimately worked hard to get our customer-facing systems back up as fast as possible.
PG: Could you walk me through what happened when the cyber incident was discovered, what the response was and where you are now?
SD: The most important thing to say about what happened is that our retail customers and suppliers were incredible. They were resilient, creative, they worked closely with us. It was late in the week that ended on June 6 [that] we learned through monitoring in one of our outer environments that there was unauthorized activity. That activated our process – the experts, everybody.
Less than a day later, the CIO called me and said: “We’re uncomfortable. This is going to be difficult, but we need to shut down.” And so we did, on the spot. And from that point forward, we were in contain, eradicate and then restore [mode]. And we had made significant investments in backups. So we were able to get our electronic delivery system – think the brawn of the system – back up within about 10 days. In between then and the start, we were doing manual workarounds – that’s where I talk about resiliency and creativity. Our people and our customers did everything possible to get them product in whatever way worked. And we started to bring electronic ordering on in 10 days.
Then, over the next few weeks, the application layer, which is what makes us smart, was brought back up, always focused on [what’s] best for the customer, and [safety]. And as we sit here today, we’re 100% technologically restored. There are a handful of DCs [distribution centers] that still have some inventories that are being worked through to make sure everything is performing at the full performance rates that our customers expect.
[RELATED: UNFI Back to Normal Operations After Cyberattack]
PG: So what did the company do to reassure customers, suppliers, stakeholders in general and to return to normal operations?
SD: I think the most important thing we did and continue to do is communicate [in] real time in a transparent way. One of the things about the cyber situation is you don’t know a lot early, and admitting you don’t know feels bad, but is good. And this is a core value of ours. We told everybody what we could as we knew it, and we worked really hard to come up with solutions that worked for them creatively. One of the things that a number of folks asked is, “Are you safe to do business with?” When the electronic ordering came back up, were we safe? And we made experts available, we did our best to answer all their questions. And then we continued to give them different modes of support as their comfort level rose.
And I think the final step in the process will be to share learnings with customers. The experts will tell you that we were reasonably well prepared. We had the right infrastructure and the right process, but we got penetrated. And even though it was short, it still was very challenging. And so we will continue our policy of transparency with customers, and frankly, when it’s appropriate, with the whole industry in different environments at FMI or NGA to just share what we learned, because there’s some things we learned through this that others might be interested in, or they may already have it.
PG: Leading right into that question, what were the company’s chief learnings from the event, both in terms of protecting itself from any future incidents and building resilience in the face of operational challenges?
SD: Internally, we learned a lot about our team and how we show up when we have a crisis event that is impacting our customers. And it puts a lot of pressure on the team, and the resiliency, the communication, it was extraordinary to watch and be a part of. And I was proud of our team from the beginning.
Externally, the resiliency and incredible relationships that we have with our customers and suppliers. And it wasn’t easy. This was not something they wanted to do this June, and yet we worked closely with them. I think that was an important learning – not a surprise, but it reinforced how important that is.
From a cyber standpoint, the thing that we learned that is probably going to be the most interesting to share is that having fully at-standard infrastructure and process is a foundational element, but you don’t want to be like everyone else. You want to be up with best practice, and then you want to go beyond, because then you’re [in] a unique situation as opposed to you’re using the same tools that everybody else has.
There’s a couple of tricks of the trade using outside experts that all of us have, cybersecurity reviews with our management teams on a regular basis and with our boards and our audit committees, but there’s a presence and an opportunity for outside experts to point us toward the direction where nobody’s been. And I would argue from a practice standpoint, that’s something that companies should do.
PG: What would you like your customers and suppliers to know in the wake of this incident, going forward?
SD: The most important thing I want them to feel is our appreciation. I think they know how hard we worked to make this right as fast as possible, but we just appreciate their patience, their resilience. We will be as transparent as we can possibly be, because we want them to have the same confidence that we would have, that our audit committee will have, in the company’s resiliency going forward. And then lastly, I think appropriate – and here we are at the Winter Selling Show – is we want to get back to helping them sell food and get their businesses growing profitably. That’s what our focus was before recovering and now as we go forward.
PG: So it’s about maintaining that trust, and about going forward and proving that every day.
SD: You bet. Trust is about both character and competence. I think we showed up very strong on character. What we need to ensure is that they have the confidence in us to know that we have a highly resilient technology, and that they can count on us to do that going forward.
PG: Now, you had touched on this earlier, but what would you like your food industry peers to learn from your experience, particularly food and logistics companies that may face similar risks?
SD: We collaborated openly with industry associations from the beginning and had zero barriers to customers sourcing from our competitors during the process, simply because that’s what they needed to do to have the food that their guests wanted. When one of your competitors has a challenge like that, you probably breathe a little sigh of relief that it wasn’t you.
On the other hand, what we’re going to do, as I mentioned, is share our learnings, [working with] Leslie Sarasin at FMI and Greg Ferrara at NGA. We talked openly about the fact that there were competitors of ours that would help and step in. But then separately, we’re all collectively agreeing that this is a noncompetitive issue, like violence. We have lots of collaboration going on about keeping people safe, and this would be a parallel. And so we’re happy to have others see what they can learn from our experience.
PG: The last time you spoke with Progressive Grocer, with my esteemed colleague, Gina Acosta, you talked about your new business strategy. So now that you’re almost a year into it, how is it going and what are the biggest challenges or opportunities you see ahead?
SD: Until six weeks ago, it was going amazingly well. And I think regardless, it’s going quite well. Growth through the third quarter of our fiscal year was stronger than we expected. Our strategy is based on helping customers differentiate and win in an incredibly competitive market, and that, by definition, is the biggest challenge and opportunity.
Our heritage in natural, organic and specialty makes us a differentiating partner, because as you saw on the show floor, products that are not resident in some sectors of the market that you can have your guests feel are special and whatever your strategy to win is, we’re in the business of helping you achieve that. I think the customers that want what we can do, and who are focused on differentiation have been doing well.
Ultimately, the thing that drives our success is their success. And if you measure it in sales growth, we’re off to a good start because of them and because of what we’re doing together. The biggest opportunity continues to be being better at that. Back in a previous life, we used to say that a brand needs to be different, better and special. Our customers all have different answers to how they [fulfill those qualities], and our success, or lack thereof, will be how well we show up for them and help them do that.
