We've all heard how the NotPetya attack paralyzed Ukrainian companies and spread around the world to cripple shipping ports, factories and offices. Now we're hearing how the malware is taking a toll on the earnings of several major U.S. and European organizations.
Some of the companies that have said NotPetya will impact their bottom line include shipping giant FedEx, drug maker Merck, software vendor Nuance Communications and food and beverage company Mondelez International.
So far, the June attack has cost companies an estimated $592.5 million in revenue, based on calculations Cybereason made using figures from U.S. Securities and Exchange Commission filings and investor statements. That total includes money lost in quarterly and yearly revenue as well as financial and operational losses brought on by the attack. And this number is expected to grow as companies continue to calculate NotPetya's fiscal impact.
The goal of this exercise isn’t to embarrass or shame victims. Instead, we’re hoping to show that destructive, non-targeted attacks like NotPetya can seriously harm any organization and that cyber security incidents can hit the bottom line. We also hope that linking dollar amounts to the attack will help organizations realize that information security is now a C-level and boardroom topic. Most executives and board members don’t understand the details of patch management (and why would they really need to). But they do understand the importance of mitigating risks that cut into revenue.
And, of course, CISOs and other security leaders are tasked with handling risk around information systems. If any good can come out of the NotPetya attack, maybe the incident can be used by CISOs to start conversations with other C-level leaders and the board on the fiscal impact of information security incidents.
First, we looked at which companies said NotPetya impacted their bottom lines and came up with this list:
Each of these companies placed the lost revenue in one of three categories: quarterly, yearly or additional financial impacts, like the $7.1 million Mondelez incurred in incremental expenses as a result of the attack. So we added the figures from each of these categories to reach $592.5 million.
But there’s an asterisk next to this amount.
Many companies said that NotPetya would impact the following quarter’s revenue and even yearly revenue but they were still calculating the fallout and couldn’t provide a figure. Since the final number is still being tallied and will be more than $592.5 million, we added the asterisk.
The asterisk also takes into account that we may have missed other companies that said their earnings took a hit because of NotPetya. In other words, we realize that this list could be incomplete.
To see the numbers we used to reach $592.5 million (and review our math), check out an analysis we wrote on NotPetya’s financial impact.
Companies have long been knocked offline by cyber attacks that ultimately impacted their bottom lines. The 2013 Target data breach, for example, cost the retailer $291 million, while Home Depot said it incurred $263 million in expenses following its 2014 data breach.
But those were targeted attacks. Criminals specifically singled out those organizations. NotPetya, by comparison, was an untargeted campaign without a specific victim. Many of the impacted companies were infected after downloading a routine update for an accounting application that, unfortunately, attackers had tainted at the source. There was no elaborate social engineering scheme, man-in-the-middle attack or malicious USB stick. Legitimate software was updated, a routine task that companies and employees carry out every day.
And NotPetya wasn't an isolated incident.
Over the last two decades, there has been an increase in the frequency and severity of destructive cyber attacks like NotPetya. Unlike espionage or financially motivated intrusions, these campaigns are designed to destroy data and IT assets. And despite the level of damage they cause, they weren't carried out with advanced methods. Instead, attackers rely on relatively unsophisticated but highly effective tools that are easy to code and execute. Take NotPetya. Initial reports classified the program as ransomware, but analysts later determined that its behavior more closely matched a boot record wiper: it overwrote the master boot record, and the "installation key" shown in the ransom note was random data, so even victims who paid could not have recovered their files. Overwriting a boot record is a very basic technique.
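Because boot record wipers are so simple, the check that catches them is simple too: record a hash of the first sector at a known-good point in time and compare it later, alongside a few structural sanity checks on the 512-byte Master Boot Record (boot signature, non-empty bootstrap code, plausible partition table). The script below is an added example, not part of the original post or of any Cybereason tooling; the three MBR images it examines are constructed inline so it runs offline, and the "healthy", "replaced" and "wiped" cases are assumptions for illustration rather than captured NotPetya artifacts.

```python
"""Baseline-and-compare integrity check for a 512-byte Master Boot Record (MBR).

Added example. The MBR images below are constructed for illustration; on a real
host you would read the first 512 bytes of the boot disk and store the baseline
hash somewhere the machine itself cannot overwrite.
"""
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # 446 bytes of bootstrap code come first
PARTITION_ENTRY_SIZE = 16      # four 16-byte entries
SIGNATURE_OFFSET = 510         # trailing 0x55 0xAA boot signature
# A handful of common partition type IDs (NTFS/exFAT, FAT32 variants, Linux, LVM, GPT protective).
KNOWN_PARTITION_TYPES = {0x07, 0x0B, 0x0C, 0x0E, 0x0F, 0x83, 0x8E, 0xEE}


def parse_partitions(mbr: bytes) -> list[dict]:
    """Decode the four partition entries; empty entries (type 0) are skipped."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack_from(
            "<BBBBBBBBII", mbr, off)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(mbr: bytes) -> dict:
    """Structural checks plus a SHA-256 of the whole sector."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"unexpected length {len(mbr)}")
    if mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if not any(mbr[:PARTITION_TABLE_OFFSET]):
        findings.append("bootstrap code area is all zeros")
    partitions = parse_partitions(mbr) if len(mbr) == MBR_SIZE else []
    if not partitions:
        findings.append("no partition entries")
    for p in partitions:
        if p["type"] not in KNOWN_PARTITION_TYPES:
            findings.append(f"partition {p['index']} has unexpected type 0x{p['type']:02x}")
        if p["sectors"] == 0:
            findings.append(f"partition {p['index']} has zero length")
    return {"sha256": hashlib.sha256(mbr).hexdigest(),
            "partitions": partitions, "findings": findings}


def compare_to_baseline(current: bytes, baseline_sha256: str) -> dict:
    """Structural report plus whether the sector still matches the recorded baseline."""
    report = inspect_mbr(current)
    report["matches_baseline"] = report["sha256"] == baseline_sha256
    return report


def build_mbr(bootstrap: bytes, partition_entries: list[bytes]) -> bytes:
    """Assemble a constructed MBR: code padded with NOPs, table, signature."""
    code = bootstrap.ljust(PARTITION_TABLE_OFFSET, b"\x90")[:PARTITION_TABLE_OFFSET]
    table = b"".join(partition_entries).ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return code + table + b"\x55\xAA"


# Constructed sample data (not captured from a real system).
# One bootable NTFS partition starting at LBA 2048, 204800 sectors long.
SAMPLE_ENTRY = struct.pack("<BBBBBBBBII", 0x80, 0x20, 0x21, 0x00, 0x07,
                           0xFE, 0xFF, 0xFF, 2048, 204800)
HEALTHY_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [SAMPLE_ENTRY])
# Same partition table, different bootstrap code: what a bootloader swap looks like.
REPLACED_MBR = build_mbr(b"\xeb\x00\x90" + b"\xcc" * 16, [SAMPLE_ENTRY])
# Sector overwritten with zeros: the crude wiper case.
WIPED_MBR = b"\x00" * MBR_SIZE
BASELINE_SHA256 = hashlib.sha256(HEALTHY_MBR).hexdigest()

if __name__ == "__main__":
    for name, image in (("healthy", HEALTHY_MBR), ("replaced", REPLACED_MBR), ("wiped", WIPED_MBR)):
        r = compare_to_baseline(image, BASELINE_SHA256)
        print(f"{name:8s} baseline_match={r['matches_baseline']} findings={r['findings']}")
```

The "replaced" case is the one worth noticing: a swapped-in bootloader that keeps the partition table intact passes every structural check, so only the baseline hash flags it. Structural checks alone are enough for a zero-fill wipe, but a hash recorded off-host is what catches the subtler overwrite.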
Even though the majority of cyber incidents are still motivated by espionage or criminal activity, the increased use of destructive tools is an alarming and growing trend. The private sector can’t dismiss the security repercussions of this development. The fiscal fallout from destructive attacks like NotPetya has escalated information security to the level of investors, who are increasingly hearing about these incidents during earnings calls.