Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Maersk Notpetya Crisis Response Case Study

316 views

Published on

Case study detailing how shipping and logistics company Maersk responded to its NotPetya 2017 cyber attack

Published in: Leadership & Management
  • Be the first to comment

Maersk Notpetya Crisis Response Case Study

  1. 1. NotPetya cyber attack June 2017 Reputation risk management / Crisis management / Cyber and data privacy communications
  2. 2. 2 Background
  3. 3. 3Source: The Economist - 2015, 2016 • The world’s no. 1 shipping company by volume • But global shipping industry in crisis due to weak economic growth, overcapacity, localisation, shift to mail, etc • Declining profitability, pressure to consolidate and/or refocus • Maersk seen as strong in shipping, terminals and logistics; weaker in oil exploration and drilling • Pressure on Maersk to separate, spin-off or sell oil businesses • Maersk Line starting to focus on digitisation to improve efficiencies and cut costs AP Moller-Maersk – early 2017
  4. 4. 4Source: AP Moller-Maersk Annual Report 2016 AP Moller-Maersk – financials (FY 2016)
  5. 5. 5Sources: Brand Finance, 2018 AP Moller-Maersk – brand value (2017)
  6. 6. 6Sources: Reputation Institute, 2016 AP Moller-Maersk – corporate reputation (2016)
  7. 7. 7 Incident
  8. 8. Maersk cyber attack – overview 8 • Maersk infected via Ukrainian tax return vendor MeDoc • Collateral damage from geo-political attack on Ukraine government, infrastructure and financial system • Full propagation of virus across whole company IT network within 7 minutes • Affected all core business units • 49,000 laptops destroyed, 1,200 apps instantly inaccessible and 1,000 destroyed, incl. the company’s central booking website Maerskline.com • Required immediate (within 2 hours) disconnection of global network • Reverted to manual systems, resulting in 20% reduction in trading volumes • Online bookings mostly resumed after 8 days • 10 days to rebuild 4,000 servers and 45,000 PCs, and restore 2,500 applications • Full IT network restored after four weeks
  9. 9. Maersk cyber attack – day one timeline 9 June 27 (GMT+1) • 04.00 - Ransomware attack on Ukrainian banks, power companies etc • 11.30 - Ukraine Central Bank confirms attack on IT systems • 13.21 - Maersk publicly confirms IT systems are down • 14.02 - Symantec confirms use of Petya ransomware for attacks • 16.12 - Kapersky says NotPetya wiper destroys data, affects ~2,000 organisations • 18.15 – German email provider Posteo confirms it blocked ransom email address • 19.46 - Ukraine police confirm MeDoc is infected by NotPetya • 21.03 - MeDoc denies responsibility for attacks
  10. 10. Maersk cyber attack – communications 10 • Opted for transparent communications – Regular public updates via website, Twitter – Media relations and customer communications via Whatsapp, personal email – Constant internal communications across the world – Consistent messaging across all channels and to all audiences – All communications were fact-based as opposed to misleading speculative • Led from the top – CEO and senior leadership involved in communications response from the outse – CTIO assumed control of crisis team after four days • Apologised upfront – And then focused on the fixing the hole and getting back to business as usual
  11. 11. 11
  12. 12. 12
  13. 13. 13
  14. 14. 14 Impact
  15. 15. Immediate financial impact 15
  16. 16. Six-month business and reputational impact 16 • Revenue (FY 2017): 30.9 bn (35.5 bn) • Operating profit/loss: -USD 1.2 bn (-1.9 bn) • Underlying profit: USD 356 m (711 m) • Market cap (after 1 year): -27% • Cyberattack costs: USD 300-350m • Global damages (est): USD 10bn+ • Brand value: +43% Sources: AP Moller Maersk Annual Report 2017; Reputation Institute, March 2019; Brand Finance, Feb 2019
  17. 17. 17 Strong relative share price performance
  18. 18. 18 2018 share price collapse
  19. 19. 19 Lessons & Implications
  20. 20. Maersk cyber attack lessons – 1 20 • High quality response is essential – Maersk moved quickly and decisively – Top management involved from the outset – Transparency and openness cushioned Maersk from regulators, suppliers, employees, media, etc • Ad hoc, flexible approach to crisis management can work – Incl. business continuity, incident/crisis management, leadership and other communications – So long as the incident/crisis team is experienced, methodical, objective, proactive, and decisive
  21. 21. Maersk cyber attack lessons – 2 21 • Total prevention is impossible – Every organisation is exposed to cyber attacks and data breaches – No organisation is exempt from nation state attacks, which tend to be more damaging than other attacks • Historic reputation counts – Maersk’s reputation as a strong, successful industry leader helped it weather the storm • Financial impact of cyber attacks is mostly fairly limited – Goodwill often exists due to volume and nature
  22. 22. Maersk cyber attack lessons – 3 22 • Learn from the incident – At all levels of the organisation – Be seen to be listening and learning from all relevant audiences on an ongoing basis – Document actions and impact carefully during and after the incident, collate and examine thoroughly, and implement the learnings
  23. 23. Implications for Maersk 23 • Stronger, more comprehensive cyber protection – Need for automated cyber detection and response – Business continuity and crisis plans must be comprehensive (as opposed to asset-based), global and up-to-date – Keep business continuity and service resumption plans separate – Need for regular cyber awareness updates and incident training – Cyber insurance protection can help reduce incident costs • Allow for ad hoc response – Permit and be prepared to use non-official communications channels during an incident/crisis when necessary
  24. 24. 24 FURTHER INFO +44 20 3856 3599 cp@charliepownall.com linkedin.com/in/charliepownall charliepownall.com

×