Collateral Damage in Cyber Warfare

Hot on the heels of the infamous WannaCry ransomware attack came the less heralded and seemingly less consequential Petya cyberattack. WannaCry was big and bold, and obviously well named. Petya didn’t seem to measure up, and researchers noted that less than $10,000 was paid in ransom. However, it soon became apparent that Petya was not a ransomware attack, but actually aimed at destroying data. Given that much of the damage associated with Petya focused on Ukraine, suspicion quickly turned to Russia, the assumption being the attack was part of Russia’s ongoing efforts to destabilize Ukraine. Whether the attack actually was carried out by individuals acting on behalf of Russia remains unproven, but what is clear is that, as is the case in all conflicts, there are ancillary casualties.

Take, for example, FedEx, which acquired Dutch shipping company TNT Express for $4.8 billion last year to compete with United Parcel Service Inc. and Deutsche Post AG’s DHL. What seemed like a good aggressive business move now has become a major headache. TNT operations were completely disrupted by the Petya attack, and FedEx now says it has not been able to recover some systems, and may never be able to recover some critical business data.

FedEx just filed its Securities and Exchange Commission (SEC) 10k, and it forecasts material losses. The list of reasons why those losses are mounting is instructive:

⋄ loss of revenue resulting from the operational disruption immediately following the cyber-attack;
⋄ loss of revenue or increased bad debt expense due to the inability to invoice properly;
⋄ loss of revenue due to permanent customer loss;
⋄ remediation costs to restore systems;
⋄ increased operational costs due to contingency plans that remain in place;
⋄ investments in enhanced systems in order to prevent future attacks;
⋄ cost of incentives offered to customers to restore confidence and maintain business relationships;
⋄ reputational damage resulting in the failure to retain or attract customers;
⋄ costs associated with potential litigation or governmental investigations;
⋄ costs associated with any data breach or data loss to third parties that is discovered;
⋄ costs associated with the potential loss of critical business data;
⋄ longer and more costly integration (due to increased expenses and capital spending requirements) of TNT Express and FedEx Express; and
⋄ other consequences of which we are not currently aware but will discover through the remediation process.

Oh, and FedEx also noted it did not have insurance against these losses. Going forward, FedEx may become the poster child for why cyber insurance makes sense.

By Tom Davis, SDI Cyber Risk Practice

July 25, 2017