3. 3Source: The Economist - 2015, 2016
• The world’s no. 1 shipping company by volume
• But global shipping industry in crisis due to
weak economic growth, overcapacity,
localisation, shift to mail, etc
• Declining profitability, pressure to consolidate
and/or refocus
• Maersk seen as strong in shipping, terminals
and logistics; weaker in oil exploration and
drilling
• Pressure on Maersk to separate, spin-off or
sell oil businesses
• Maersk Line starting to focus on digitisation to
improve efficiencies and cut costs
AP Moller-Maersk – early 2017
8. Maersk cyber attack – overview
8
• Maersk infected via Ukrainian tax return vendor MeDoc
• Collateral damage from geo-political attack on Ukraine government, infrastructure
and financial system
• Full propagation of virus across whole company IT network within 7 minutes
• Affected all core business units
• 49,000 laptops destroyed, 1,200 apps instantly inaccessible and 1,000 destroyed,
incl. the company’s central booking website Maerskline.com
• Required immediate (within 2 hours) disconnection of global network
• Reverted to manual systems, resulting in 20% reduction in trading volumes
• Online bookings mostly resumed after 8 days
• 10 days to rebuild 4,000 servers and 45,000 PCs, and restore 2,500 applications
• Full IT network restored after four weeks
9. Maersk cyber attack – day one timeline
9
June 27 (GMT+1)
• 04.00 - Ransomware attack on Ukrainian banks, power companies etc
• 11.30 - Ukraine Central Bank confirms attack on IT systems
• 13.21 - Maersk publicly confirms IT systems are down
• 14.02 - Symantec confirms use of Petya ransomware for attacks
• 16.12 - Kapersky says NotPetya wiper destroys data, affects ~2,000 organisations
• 18.15 – German email provider Posteo confirms it blocked ransom email address
• 19.46 - Ukraine police confirm MeDoc is infected by NotPetya
• 21.03 - MeDoc denies responsibility for attacks
10. Maersk cyber attack – communications
10
• Opted for transparent communications
– Regular public updates via website, Twitter
– Media relations and customer communications via Whatsapp, personal email
– Constant internal communications across the world
– Consistent messaging across all channels and to all audiences
– All communications were fact-based as opposed to misleading speculative
• Led from the top
– CEO and senior leadership involved in communications response from the outse
– CTIO assumed control of crisis team after four days
• Apologised upfront
– And then focused on the fixing the hole and getting back to business as usual
20. Maersk cyber attack lessons – 1
20
• High quality response is essential
– Maersk moved quickly and decisively
– Top management involved from the outset
– Transparency and openness cushioned Maersk from regulators, suppliers,
employees, media, etc
• Ad hoc, flexible approach to crisis management can work
– Incl. business continuity, incident/crisis management, leadership and
other communications
– So long as the incident/crisis team is experienced, methodical, objective,
proactive, and decisive
21. Maersk cyber attack lessons – 2
21
• Total prevention is impossible
– Every organisation is exposed to cyber attacks and data breaches
– No organisation is exempt from nation state attacks, which tend to be
more damaging than other attacks
• Historic reputation counts
– Maersk’s reputation as a strong, successful industry leader helped it
weather the storm
• Financial impact of cyber attacks is mostly fairly limited
– Goodwill often exists due to volume and nature
22. Maersk cyber attack lessons – 3
22
• Learn from the incident
– At all levels of the organisation
– Be seen to be listening and learning from all relevant audiences on an
ongoing basis
– Document actions and impact carefully during and after the incident, collate
and examine thoroughly, and implement the learnings
23. Implications for Maersk
23
• Stronger, more comprehensive cyber protection
– Need for automated cyber detection and response
– Business continuity and crisis plans must be comprehensive (as opposed to
asset-based), global and up-to-date
– Keep business continuity and service resumption plans separate
– Need for regular cyber awareness updates and incident training
– Cyber insurance protection can help reduce incident costs
• Allow for ad hoc response
– Permit and be prepared to use non-official communications channels during an
incident/crisis when necessary
24. 24
FURTHER INFO
+44 20 3856 3599
cp@charliepownall.com
linkedin.com/in/charliepownall
charliepownall.com