For major corporations around the world, the cost of cyber attacks and data breaches continues to grow. The cost of a single coordinated attack can now be measured in the tens of millions of dollars, if not higher. For proof of that, consider the March 2019 ransomware attack on Norsk Hydro. The total cost of the attack on the Oslo-based aluminum producer continues to climb and is now projected at around $75 million (about 650 million Norwegian crowns).
Financial impact of Norsk Hydro cyber attack
It is only now, nearly five months after the initial intrusion on March 19, that investors, other stakeholders and employees can put a total cost on the Norsk Hydro cyber attack. In its first-quarter report, Norsk Hydro estimated the cost at around $50 million, covering lost revenue and the associated cost of halting production lines or running them manually at sites around the world. In its second-quarter results, the company now puts the cost closer to $75 million. Second-quarter costs came in about 20-25 percent higher than expected, and the financial impact of handling reporting, billing and invoicing manually and of switching off production lines continues to accumulate. So far the biggest impact has been felt in the company's Extruded Solutions division, which was hit hardest by the attack.
And yet, despite these staggering costs, regulators and law enforcement authorities such as the Norwegian National Security Authority say it is far better for a company hit by ransomware to weather the storm than to pay. Paying, they argue, encourages copycat attacks and funds organized crime, and it buys no guarantee that the attackers will deliver a working decryptor. So even though recovering from the Norsk Hydro cyber attack has been a bitter pill for its executives, it is still far better than the alternative on offer when the attackers first presented their ransom note, which told Norsk Hydro that its files had been encrypted with what the note called military-grade cryptographic algorithms. Whether or not that claim was accurate, a victim cannot count on breaking the encryption, so recovery has to come from clean backups and rebuilt systems rather than from the attackers.
A model response to global hackers
Throughout the ordeal, executives of the Norwegian aluminum giant have been widely praised for their response to the Norsk Hydro cyber attack. First, they refused to pay the ransom, even though paying might have shortened the outage and spared some aluminum production from being taken off-line (with the caveat that a paid-for decryptor is never guaranteed to work). Second, they reported the attack to the relevant police authorities immediately, without delay. Third, the company has been remarkably open and transparent throughout its response, especially in disclosing the true financial cost. Each quarter, rather than obscuring the numbers or sidestepping nervous investors and stakeholders, the company has broken out the financial impact of the attack on its earnings and kept investors updated on the running total. The net result has been a boost to the company's reputation, which in turn has helped support its stock price and kept market speculators from taking aim at the company.
Now contrast this with the typical approach of companies around the world that are hit by ransomware. The first impulse is often to pay, just to get operations back up without anyone else finding out. Some bring in a third-party incident response firm to handle everything quietly behind the scenes, fearing that disclosure will trigger litigation and drive away partners, vendors and investors. And many wait as long as possible before reporting the attack; it can take months before the crime reaches a regulator or law enforcement agency. By then, much of the evidence that could identify the attackers, and the warning that could have protected other potential victims, has been lost.
The role of cyber insurance
In an interesting twist to the Norsk Hydro cyber attack, it turns out the company had what it describes as "robust" cyber insurance that would compensate it in the event of a major attack. What happened at Norsk Hydro clearly qualifies as a major cyber attack, so it will be interesting to see whether the company receives compensation from AIG, its lead insurer. Norsk Hydro notes that the attack affected 22,000 computers across 170 sites in 40 countries, which made restoring systems especially difficult. In its quarterly financial filings, Norsk Hydro has specifically noted that it has not yet received any payout from its cyber insurance. If it eventually does, the payout could considerably reduce the net financial impact of an attack that forced the company to fall back on manual operations.
Clearly, major corporations around the world need at least to consider cyber insurance. Attackers appear to be shifting their focus from individuals to larger organizations and corporate entities in search of ever-larger payouts. According to the latest IBM Security report, the average cost of a data breach has risen 12 percent over the past five years, to $3.92 million globally. That figure varies by country and industry, and it measures data breaches rather than production outages: as the Norsk Hydro cyber attack shows, a ransomware attack that halts manufacturing across dozens of sites can cost an order of magnitude more.
A new paradigm for IT cyber security
The growing size and scope of cyber attacks around the world is leading to a new paradigm. When the cost of an attack was relatively small, paying the ransom and moving on with business as usual may have looked like the pragmatic choice. Now that the cost of a single attack can run into the tens of millions of dollars, as it did for Norsk Hydro, the calculus changes. Refusing to pay, rebuilding rather than relying on the attackers, and working directly and transparently with regulators and law enforcement authorities appears to be the best path forward.