Global hackers have unleashed a brace of attacks in recent months, but while their haul in bitcoin has been paltry, the revenue hit to companies infected is reaching into the hundreds of millions of dollars.
The WannaCry ransomware that spread in May featured a flawed design that led to its prompt shutdown, and June’s computer virus called Petya was designed to wipe data rather than collect money. The two attacks netted the attackers around $140,000, according to analysis of their bitcoin wallets.
The fallout for companies affected is proving costlier. Nivea skin-cream maker Beiersdorf said last Thursday that Petya cost 35 million euros ($41.5 million) in first-half sales. The company has yet to report the costs of held inventory and halted production in 17 plants. Computers at its Hamburg, Germany, headquarters and nearly 160 global offices were also knocked off-line. “We have worked here day and night, 24-7, across the globe,” CEO Stefan Heidenreich told analysts.
Reckitt Benckiser, the U.K.-based maker of Dettol cleaners and Durex condoms, last month lopped 90 million pounds off its expected sales this year after the June attack knocked 2,000 servers and 15,000 company laptops out of commission. The company was still manufacturing at less than full capacity in July. French building materials manufacturer Cie. de Saint-Gobain said July 27 the cyberattack would drain about 250 million euros in sales this year.
“I don’t think you can model a cyberattack,” said Robert Waldschmidt, an analyst at Liberum Capital in London, who covers Reckitt and Beiersdorf. “Companies can only try their best to prepare defenses. This may mean that IT and consulting costs need to rise a bit to improve these defenses and/or implement new ones.”
Danish shipping company A.P. Moller-Maersk told customers last week it’s still clearing backlog from a shutdown of its online ordering system after its machines were infected by malware.
Companies are now piling up the sandbags in the expectation of another attack. Germany’s national Deutsche Bahn railroad created a “cyber rapid deployment force” of highly trained IT specialists with computer-threat experience to be available around the clock against future attacks, a spokesman said. The group restored service to ticket machines and departure boards after the WannaCry attack, he said.
U.K. advertising agency WPP Plc plans to invest more in thwarting hackers after a Petya infection spread across the group, which Chief Executive Officer Martin Sorrell called “an increased cost of doing business.”
These costs can be hard for investors to estimate. “Saint-Gobain has spent some cash to respond to the attack and says it’s in a more solid position now to face future attacks,” said Eric Lemarie, an analyst at Bryan Garnier & Co. in Paris. “They say they will implement some IT programs a bit differently, but that’s it, really. The group hasn’t really provided a specific figure that would need to be spent in the future to manage this risk.”
The resulting hundreds of millions in lost sales among European groups may be dwarfed by the disruptions at American firms including FedEx Corp., Merck & Co. and speech software maker Nuance Communications Inc.
However, fewer European companies are insured against cyberattacks than American groups, creating market opportunity for insurers including Allianz, Zurich Insurance Group, Munich Re and Swiss Re, Charles Graham, an analyst at Bloomberg Intelligence, said. Saint-Gobain’s CFO last week said cyberattack-related damage isn’t typically covered by insurance contracts.
Lloyd’s of London said in a report last month a potential global cyber attack could wreak as much financial damage as Hurricane Katrina, and estimates the worldwide cyber-insurance market is worth between $3 billion and $3.5 billion. It could rise to between $8.5 billion and $10 billion by 2020, according to Munich Re.
Spending by companies and governments to update old systems like ones that fell prey to WannaCry and Petya makes cybersecurity “an attractive multiyear” investment, said Patrick Kolb, who manages a $520 million IT security and safety fund at Credit Suisse.
“‘If it’s not broken do not fix it’ simply doesn’t work for IT security,” he said. “The financial impact from business disruption is likely to be far larger than $300 of ransom.”
It could cost companies a few million euros in the short term to gird IT systems against further attacks, and expenditures could hit the bottom line each year if the breaches keep coming, said Liberum’s Waldschmidt. “After the attack you can endeavor to model it and need to consider how extensive the hit was and how long business will be impacted,” he said. “It’s similar to modeling a holiday such as Easter.”