Downstream Impacts of NotPetya Hack on Small Businesses
Although cybersecurity experts believe that data was not stolen in the late June 2017 NotPetya cyberattack, and that data theft was not its intent, many global companies continue to deal with the impacts. The initial damages estimate is $850 million.
Small businesses are not excluded from these impacts either. The original NotPetya attack hit a number of global companies that are in turn suppliers for small and large businesses. TNT Express International, a courier delivery service subsidiary of FedEx, was severely impacted. Deliveries to its customers, including small businesses, were delayed, as were those businesses' deliveries to their own customers.
Nuance, a medical transcription software vendor, recently reported they are still recovering from the attack, a month later. Their services are used by small hospitals and ambulance services, as well as large health care companies. Service to their customers was disrupted for days in some cases.
Global shipping corporation Maersk was also hit by the NotPetya attack. The attack impacted ports, where goods could not be delivered or unloaded. This in turn impacted trucking companies and delayed deliveries to businesses of all sizes. Some ports were able to revert to paper processing to allow cargo to move.
FedEx disclosed in their recent 10-K SEC filing the following as potential impacts to their corporation. Sadly, it is reported, they did not have cybersecurity insurance.
loss of revenue resulting from the operational disruption immediately following the cyber-attack;
loss of revenue or increased bad debt expense due to the inability to invoice properly;
loss of revenue due to permanent customer loss;
remediation costs to restore systems;
increased operational costs due to contingency plans that remain in place;
investments in enhanced systems in order to prevent future attacks;
cost of incentives offered to customers to restore confidence and maintain business relationships;
reputational damage resulting in the failure to retain or attract customers;
costs associated with potential litigation or governmental investigations;
costs associated with any data breach or data loss to third parties that is discovered;
costs associated with the potential loss of critical business data;
longer and more costly integration (due to increased expenses and capital spending requirements) of TNT Express and FedEx Express; and
other consequences of which we are not currently aware but will discover through the remediation process.
What you can do
Review your business continuity plan. What would you do to keep your customers served if a key supplier was disrupted? Consider how you would notify valuable customers and business partners. Think about how you would continue to update your customers on the status of the impacted business.
Review your critical suppliers list and identify alternatives you would use if a key supplier’s service was disrupted. Can you quickly negotiate a service contract with another vendor or find another product provider to keep your business in operation?
Review your service contract and your supplier’s cyber security measures. You have the right to know what their business continuity plan is and how they will help you deal with any impacts.
Review your cyber insurance with your agent to ensure you have appropriate coverage if your business is a downstream impact victim.
Evaluate the impacts on global companies such as FedEx and think about how the same impacts might reach you as a downstream victim. Think about preventative actions to reduce the risk.
About the Author - Carolyn Schrader is a seasoned cybersecurity professional and founder of the Cyber Security Group Inc., providing corporate cybersecurity services to high profile clients.