The last few months have seen a series of high profile ransomware attacks strike businesses across Asia, Europe, and North America. Large numbers of businesses have seen significant losses as a result of these attacks. Losses have stacked up, and companies without cyber insurance are now facing hefty bills.
The original version of one of these types of ransomware, known as Petya, first appeared in March 2016. The attack that occurred in late June 2017, now known as NotPetya, exploited a similar vulnerability to the Petya ransomware. However, some cybersecurity experts and intelligence agencies believe NotPetya was as much an incident of cyberwarfare rather than a traditional hacking event. NotPetya seemed particularly to target computers and networks in Ukraine with the follow-on effects felt elsewhere acting as collateral damage.
The NotPetya attack hit on June 28, 2017 with 80% of affected systems being located within Ukraine. Still, the attack also hit major international companies such as pharmaceutical giant Merck, food maker Mondelez, the law firm DLA Piper, and two major shipping and logisitics companies, DHL and FedEx. Several of these companies have already placed the cost of lost business as the result of the NotPetya attack in the nine figures. WIth multiple companies reporting losses over one hundred million dollars, the total cost of the attack could easily surpass one billion dollars.
FedEx faces some particular difficulties as a result of the NotPetya attack. FedEx had acquired a small package delivery company known as TNT Express in May 2016. TNT Express was particularly hard hit by the NotPetya attack. The company was still trying to sort out deliveries a month after the attack and it eventually had to disclose that it would be unable to fully restore its critical systems or data impacted by the attack.
The damage from the attack for FedEx was so bad that it devoted a whole section of its 10-K report to assessing costs, damages, and ongoing risk. In the weeks following the release of that 10-k, FedEx shares have lost over $15 a share in value, costing the company approximately $4 billion in market capitalization. The company failed to defray the costs of the attack through the purchase of cyber insurance.
Charlie E. Bernier Principal Consultant and Cyber Insurance Expert at ECBM points out that "Many companies still continue to carry no cyberinsurance despite the proliferation of large losses to major international corporations from these attacks. These attacks seem unlikely to abate anytime soon and the financial consequences of the attacks have increased significantly in the past few years. On top of that, investors, vendors, and customers are punishing companies more harshly for their failure to mitigate against these attacks." Charlie advises that companies without cyber insurance coverage need to begin looking at purchasing cyber insurance now, with a focus on understanding what coverage they are obtaining and how to protect themselves against these massive losses.