It has been reported that Norsk Hydro may have lost $40 million following last week’s ransomware attack. On a preliminary basis, the financial impact during the first week was estimated at between 300 million and 350 million Norwegian crowns ($35 million-$41 million).
Experts Comments Below:
Oleg Kolesnikov, VP of Threat Research and Head of Securonix Research Labs at Securonix:
“We’ve been closely monitoring the Norsk Hydro ransomware attack, and one thing to note in terms of being able to recover the costs of the attack from a cyber insurer is that this can be far from guaranteed, even with a solid cyber insurance policy.
To illustrate, in case of the Mondelez’s NotPetya cyberattack that reportedly resulted in over US$100 million in damages that was in many ways similar to the Norsk Hydro LockerGoga ransomware attack, the claim was being disputed by the Mondelez’s cybersecurity insurer Zurich citing the so called “war exclusion” in the policy language for hostile acts by sovereign actors.
While the cost of the Norsk Hydro attack is significantly lower, at roughly US$35-41 million, recovering the costs of the cyberattack even with reputable cybersecurity insurers can be non-trivial. Fortunately, NotPetya had a number of differences from LockerGoga, particularly in that, as the UK officials believed, a nation-state-level malicious threat actor was involved with NotPetya, and the purpose of the NotPetya attack was more along the lines of a cyber sabotage than a classic ransomware attack.
In contrast, LockerGaga currently looks much more like a traditional ransomware attack than a nation-state-sponsored malicious breach, so this is something that Norsk Hydro might be looking into further once they are able to fully restore their normal business operations.”
Deborah Chang, Vice President of Business Development and Policy at HackerOne:
“The Norsk Hydro case highlights the issue of cybersecurity risk to the forefront of all organizations. No matter what the outcome of this claim is, it is clear that the team responsible for the purchase of an insurance policy must now be hyperaware of cybersecurity risk. Specifically, how a cybersecurity breach or cyberattack, even if it is not as public and not as large as the one that targeted Norsk Hydro , will be covered under a policy, what tools are in place to prevent loss from bad actors, what the threats are, how vulnerabilities are mediated, where the threats could be and most importantly, what tools need to be in place to prevent the breach.
We encourage more cooperation and collaboration between all functions with an organization to the issue of cybersecurity and cyber risk.
Insurers like AIG are most likely invested in encouraging or requiring post breach cybersecurity practices that can limit the extent of the breach as much as possible and ensure a company is as secure as it possibly can be. The question that will most likely be asked is how AIG and other insurers do this post-breach, and pre-breach, when the insurance buyer or risk team doesn’t necessarily have the influence or ability to collaborate with the security team.”
Ilia Kolochenko, CEO at High-Tech Bridge:
“I think it may be just a tip of the iceberg. In addition to the direct losses, we have to consider loss of business opportunities and reputational damage, increase of insurance premiums and many other indirect but palpable costs. Worse, this type of damage may last many years, undermining overall competitive advantage on the global market. Cybersecurity has become a major issue for all types of companies, even a relatively short weekly shutdown may cause irrecoverable financial injury today.”