June’s NotPetya attack has cost companies an estimated $892.5 million in lost revenue based on calculations made using figures from quarterly earnings reports and investor notices.
Previously, Cybereason calculated that the untargeted, destructive attack cost companies $592.5 million. Our analysis included the caveat that the figure will need to be revised as more organizations tally the attack’s impact on their bottom line. We're making our first revision after shipping giant FedEx said on Sept. 19 that NotPetya cost the company $300 million in quarterly earnings. FedEx subsidiary TNT Express was greatly impacted by NotPetya, which infected machines during a routine accounting software update. According to news reports, TNT was still trying to restore computer systems a month after the attack and packages were backing up at the company’s processing facilities.
"The impact of the cyberattack on TNT Express and lower-than-expected results at FedEx Ground reduced our first quarter earnings," said FedEx CFO Alan Graf, who indicated that NotPetya could potentially hurt yearly revenue. "We are currently executing plans to mitigate the full-year impact of these issues."
And, unfortunately, this isn’t the last time NotPetya will be mentioned in an earnings report. As we said in our analysis, the fiscal repercussions may be felt in future quarters and potentially cut into yearly revenue. So expect us to revise the $892.5 million figure in the coming months.
For example, Maersk, one of the world’s largest container shipping operators and one of the first organizations victimized by NotPetya, warned investors in August that it would lose between $200 million and $300 million in quarterly revenue as a result of the malware. Expect Maersk to provide more information on NotPetya's impact on Nov. 7 when it releases its third quarter results.
Some of the organizations that said NotPetya would impact revenue in more than one quarter include software vendor Nuance Communications, which already reported that NotPetya would cost it $15.4 million in quarterly revenue, and snack maker Mondelez International, which already lost $150 million in quarterly revenue. Neither company provided figures on how much they could possibly lose in future quarters.
Other companies, such as drug maker Merck and U.K. consumer goods company Reckitt Benckiser, said that NotPetya would cut into yearly revenue but had yet to determine the fallout. However, Reckitt Benckiser said that annual sales would increase by two percent instead of three percent as a result of the attack. Using 2016’s sales figures, a 1 percent drop in yearly sales would equal approximately £100 million (US$129 million).
The goal isn’t to shame or embarrass the victims by attaching dollar amounts to the attack. Instead, we’re hoping to show that destructive, non-targeted attacks like NotPetya can seriously harm any organization and that cyber security incidents can hit the bottom line.
We’re also hoping that having a figure linked to a cyber security attack can help CISOs, CSOs and anyone else handling enterprise security quantify why information security matters when talking to CEOs and boards. After all, executives and board members think in dollar signs, business impact and risk mitigation. Security executives who speak the same language will have an easier time connecting with their business-minded colleagues.