Case study detailing how shipping and logistics company Maersk responded to its NotPetya 2017 cyber attack

1. NotPetya cyber attack
June 2017
Reputation risk management / Crisis management / Cyber and data privacy communications

2. 2
Background

3. 3Source: The Economist - 2015, 2016
• The world’s no. 1 shipping company by volume
• But global shipping industry in crisis due to
weak economic growth, overcapacity,
localisation, shift to mail, etc
• Declining profitability, pressure to consolidate
and/or refocus
• Maersk seen as strong in shipping, terminals
and logistics; weaker in oil exploration and
drilling
• Pressure on Maersk to separate, spin-off or
sell oil businesses
• Maersk Line starting to focus on digitisation to
improve efficiencies and cut costs
AP Moller-Maersk – early 2017

4. 4Source: AP Moller-Maersk Annual Report 2016
AP Moller-Maersk – financials (FY 2016)

5. 5Sources: Brand Finance, 2018
AP Moller-Maersk – brand value (2017)

6. 6Sources: Reputation Institute, 2016
AP Moller-Maersk – corporate reputation (2016)

7. 7
Incident

8. Maersk cyber attack – overview
8
• Maersk infected via Ukrainian tax return vendor MeDoc
• Collateral damage from geo-political attack on Ukraine government, infrastructure
and financial system
• Full propagation of virus across whole company IT network within 7 minutes
• Affected all core business units
• 49,000 laptops destroyed, 1,200 apps instantly inaccessible and 1,000 destroyed,
incl. the company’s central booking website Maerskline.com
• Required immediate (within 2 hours) disconnection of global network
• Reverted to manual systems, resulting in 20% reduction in trading volumes
• Online bookings mostly resumed after 8 days
• 10 days to rebuild 4,000 servers and 45,000 PCs, and restore 2,500 applications
• Full IT network restored after four weeks

9. Maersk cyber attack – day one timeline
9
June 27 (GMT+1)
• 04.00 - Ransomware attack on Ukrainian banks, power companies etc
• 11.30 - Ukraine Central Bank confirms attack on IT systems
• 13.21 - Maersk publicly confirms IT systems are down
• 14.02 - Symantec confirms use of Petya ransomware for attacks
• 16.12 - Kapersky says NotPetya wiper destroys data, affects ~2,000 organisations
• 18.15 – German email provider Posteo confirms it blocked ransom email address
• 19.46 - Ukraine police confirm MeDoc is infected by NotPetya
• 21.03 - MeDoc denies responsibility for attacks

10. Maersk cyber attack – communications
10
• Opted for transparent communications
– Regular public updates via website, Twitter
– Media relations and customer communications via Whatsapp, personal email
– Constant internal communications across the world
– Consistent messaging across all channels and to all audiences
– All communications were fact-based as opposed to misleading speculative
• Led from the top
– CEO and senior leadership involved in communications response from the outse
– CTIO assumed control of crisis team after four days
• Apologised upfront
– And then focused on the fixing the hole and getting back to business as usual

11. 11

12. 12

13. 13

14. 14
Impact

15. Immediate financial impact
15

16. Six-month business and reputational impact
16
• Revenue (FY 2017): 30.9 bn (35.5 bn)
• Operating profit/loss: -USD 1.2 bn
(-1.9 bn)
• Underlying profit: USD 356 m (711 m)
• Market cap (after 1 year): -27%
• Cyberattack costs: USD 300-350m
• Global damages (est): USD 10bn+
• Brand value: +43%
Sources: AP Moller Maersk Annual Report 2017; Reputation Institute, March 2019; Brand Finance, Feb 2019

17. 17
Strong relative share price performance

18. 18
2018 share price collapse

19. 19
Lessons
& Implications

20. Maersk cyber attack lessons – 1
20
• High quality response is essential
– Maersk moved quickly and decisively
– Top management involved from the outset
– Transparency and openness cushioned Maersk from regulators, suppliers,
employees, media, etc
• Ad hoc, flexible approach to crisis management can work
– Incl. business continuity, incident/crisis management, leadership and
other communications
– So long as the incident/crisis team is experienced, methodical, objective,
proactive, and decisive

21. Maersk cyber attack lessons – 2
21
• Total prevention is impossible
– Every organisation is exposed to cyber attacks and data breaches
– No organisation is exempt from nation state attacks, which tend to be
more damaging than other attacks
• Historic reputation counts
– Maersk’s reputation as a strong, successful industry leader helped it
weather the storm
• Financial impact of cyber attacks is mostly fairly limited
– Goodwill often exists due to volume and nature

22. Maersk cyber attack lessons – 3
22
• Learn from the incident
– At all levels of the organisation
– Be seen to be listening and learning from all relevant audiences on an
ongoing basis
– Document actions and impact carefully during and after the incident, collate
and examine thoroughly, and implement the learnings

23. Implications for Maersk
23
• Stronger, more comprehensive cyber protection
– Need for automated cyber detection and response
– Business continuity and crisis plans must be comprehensive (as opposed to
asset-based), global and up-to-date
– Keep business continuity and service resumption plans separate
– Need for regular cyber awareness updates and incident training
– Cyber insurance protection can help reduce incident costs
• Allow for ad hoc response
– Permit and be prepared to use non-official communications channels during an
incident/crisis when necessary

24. 24
FURTHER INFO
+44 20 3856 3599
cp@charliepownall.com
linkedin.com/in/charliepownall
charliepownall.com