In a May 5 earnings call for WestRock, Wall Street analysts got a rundown of losses resulting from a ransomware attack that hit the corrugated packaging company in January. When combined with the impact of severe weather disruptions, the incident caused a hit of $189 million to revenue, and $80 million to cash flow. Earnings per share was adjusted down by 23 cents. And that did not factor in $20 million paid in ransomware recovery costs.
WestRock, the second largest packaging company in the U.S., expects to begin to recover the losses in quarters three and four, largely through insurance coverage. But the tangible impact to the bottom line, even in the short term, combined with the multi-million dollar ransom payouts by Colonial Pipeline and JBS, demonstrate a reality that more and more in the cybersecurity community are beginning to acknowledge: Ransomware is emerging as a cost of doing business, grabbing the attention not just of security leaders, but the entire C-suite, boards and even investors.
“We’re a 250-year-old company. We won’t ruin our reputation” with a security failure, said Benjamin Corll, vice president of cyber security and data protection at industrial thread company Coats. “The news is making my executives come to me. I’m not selling fear, uncertainty and doubt. I’m not going to educate them, to say ‘Can I have your attention?’ The news has their attention.”
Coats is a member of the Cybersecurity Collaborative, a chief information security officer membership organization owned by SC Media parent company CyberRisk Alliance.
Of course, costs tied to ransomware come in many flavors. Colonial Pipeline and JPS indeed opted to pay the attackers, $5 million and $11 million respectively. But that does not account for direct and indirect losses tied to downtime, disruption of supply chains, or the inability to deliver product to customers.
And while insurance, and even law enforcement in the case of Colonial, can recover some losses, investor concern about hits to the bottom line and reputational damage can be lasting.
WestRock, for one, faced an endless stream of questions from the Wall Street analyst community about the implications of the ransomware attack during earnings calls in January, while attempting to recover from the impact on operational technology systems, which crippled factory processes, and again in May, when the financial hit was more discernible.
“We have fully restored our IT systems with all sites up and running, and we continue to make excellent progress on restoring our supply chain and customer service levels,” CEO David Sewell told analysts during the May call. “During the time we were dealing with this incident, we prioritized serving our customers and incurred additional costs that impacted earnings in the quarter. We are accelerating investments that were on our IT development timeline to further strengthen our infrastructure.”
That latter point about accelerating IT investments is a notable one, mirroring one of the specifics shifts that are emerging as companies recognize the potential implications of a ransomware attack.
"Are we asking for them to set aside $10 million, just in case, to buy and invest it bitcoin? No,” said Corll. “But we’re now in June, second half of the year, when executives say, 'What spends do we have? No more if we don’t have to.' It’s the games that companies play. Yet I report to the CIO, and I am the only one whose budget was not even reviewed. If I have spend for June, it’s not questioned.”
In that sense, leaders across the executive team are being briefed about the likelihood of attack, and weighing potential costs tied to risk against nearer term cybersecurity investments. And they're taking fewer chances.
"I don’t believe any executive right now, including the CFO, could say ‘Yeah, three weeks is going to help with financial reporting numbers; we’re going to accept the risk.’ They’re not going to save $250,000 at the risk of, say, $5 million,” Corll added. “I do believe wholeheartedly that companies are waking up to recognize that cyber is a business driver and a business risk, and ransomware is [a] cost of doing business. And that’s going to continue.”
Dawn Cappelli, vice president of global security and chief information security officer at Rockwell Automation, said that the spike in ransomware attacks, particularly in manufacturing, inspired a tabletop exercise in December with her CEO and all his direct reports to walk through various ransomware scenarios. Cappelli and her team were very granular on details, including how much downtime would result from each scenario, which would result in a massive attack that takes down the whole infrastructure, and which would impact particular plants. The exercise was an opportunity for the security team to press leadership about priorities.
“That makes them think," said Cappelli, another member of the Cybersecurity Collaborative. "Is the priority to support customers, or recover our plant or both? And if all our plants are hit, which do we focus on first? From a financial perspective, if we did have to pay the ransomware, do we know how to buy cryptocurrency? Will our cyber insurer buy it or would we?"
“We do approach it on a risk basis,” she continued, noting that the risk assessments extend to suppliers – ensuring their own security gaps don’t create vulnerabilities for Rockwell or its customers. “We do this every year as part of annual strategic planning. We look at the risk posed by an issue, what the probability may be that it will happen, and what the impact would be if it did. If it costs $1 million to address the risk up front, but $10 million to mitigate, [not investing in the necessary tools] doesn’t make sense.”
Even before the recent high-profile attack, industrial giant Hitachi put in place a trusted endpoint solution to provide maximum security against ransomware, and also backup systems and business continuity procedures along with cyber insurance to reduce the risk as much as possible.
This was at the endorsement of CFO Mark Serway, a veteran financial chief for technology companies, many of which have counted the federal government as a customer.
“Businesses need to assess the potential risk emanating from ransomware attacks by looking at factors as it relates to the payout, downtime, damage to business reputation, data loss and many other factors,” said Serway, who concedes that the positive outcome of increased awareness among executives may not prove universal. In his case, “it might be due to the fact that IT reports into me, and my educational background was IT and finance versus purely accounting with some CFOs.”