Tierney - stock.adobe.com

Norsk Hydro cyber attack cost estimates up to $41m

Initial estimates have put the financial impact of last week’s ransomware attack on the Norwegian aluminium producer of up to nearly $41m, raising questions about cyber insurance coverage

A week after reporting a ransomware attack, Norsk Hydro has reported that most operations are running at normal capacity, but it is counting the cost of lost production – despite electing not to pay the ransom, but to restore systems using backup data.

In the latest update on the ransomware attack, the firm said production was normal in its energy, bauxite and alumina, primary metal and rolled products divisions, but there is still a higher degree of manual operations in the last two.

In the most affected business area, extruded solutions, production is now at 70-80%, except for the building systems business unit, where operations remain almost at a standstill, the company said.

“Hydro’s global IT organisation is working continuously to resolve the situation together with external expertise. The company has now entered the recovery phase following the attack, gradually restoring IT systems in a safe and secure manner to ensure progress toward normal business while limiting the impact for people, operations, customers, suppliers and other partners,” the company said in a statement.

Although stating that it was still “premature” to give any precise or detailed overview of the financial impact at this point, the company said the preliminary estimated financial impact for the first full week following the cyber attack is $35m to $40.8m, the majority stemming from lost margins and volumes in the extruded solutions business area.

The company said it has “a solid cyber risk insurance policy with recognised insurers, with global insurer AIG as lead,” but chief financial officer Eivind Kallevik told a news conference that the insurance “has a ceiling” although he declined to be more specific.

Read more about cyber insurance

In light of the fact that the preliminary cost estimate is “based on a high-level evaluation” and the fact that Kallevik said that a full recovery of all systems would take “weeks or longer” it is likely that subsequent evaluations will revise the estimated financial impact upwards.

“I think it may be just a tip of the iceberg,” said Ilia Kolochenko, CEO of web security firm High-Tech Bridge. “In addition to the direct losses, we have to consider loss of business opportunities and reputational damage, increase of insurance premiums and many other indirect but palpable costs.

“Worse, this type of damage may last many years, undermining overall competitive advantage on the global market. Cyber security has become a major issue for all types of companies, even a relatively short weekly shutdown may cause irrecoverable financial injury today,” he said.

Recovering costs far from guaranteed

Oleg Kolesnikov, vice-president of threat research and head of the research labs at Securonix, said it is far from guaranteed that Norsk Hydro will be able to recover the costs of the attack from is insurer, even with a solid cyber insurance policy.

“The case of the Mondelez’s NotPetya cyber attack, which reportedly resulted in over $100m in damages, is in many ways similar to the Norsk Hydro LockerGoga ransomware attack, but the claim is being disputed by the Mondelez’s cyber security insurer Zurich because the insurer is citing the so called ‘war exclusion’ in the policy language for hostile acts by a government or sovereign power.

“While the cost of the Norsk Hydro attack is significantly lower, recovering the costs of the cyber attack even with reputable cyber security insurers can be non-trivial. Fortunately, NotPetya had a number of differences from LockerGoga, particularly in that, as the UK officials believed, a nation-state-level malicious threat actor was involved with NotPetya, and the purpose of the NotPetya attack was more along the lines of a cyber sabotage than a classic ransomware attack.

“In contrast, LockerGaga currently looks much more like a traditional ransomware attack than a nation-state-sponsored malicious breach, so this is something that Norsk Hydro might be looking into further once they are able to fully restore their normal business operations.”

Highlighting risk

Deborah Chang, vice-president of business development and policy at HackerOne, said the Norsk Hydro case highlights the issue of cyber security risk to all organisations.

“No matter the outcome of this claim, it is clear the team responsible for the purchase of an insurance policy must now be hyper-aware of cyber security risk,” she said.

“Specifically, how a cyber security breach or cyber attack, even if it is not as public and not as large as the one that targeted Norsk Hydro, will be covered under a policy, what tools are in place to prevent loss from bad actors, what the threats are, how vulnerabilities are mediated, where the threats could be and most importantly and what tools need to be in place to prevent the breach.

“We encourage more cooperation and collaboration between all functions in an organisation around the issue of cyber security and cyber risk,” said Chang.

“Insurers like AIG are most likely invested in encouraging or requiring post breach cyber security practices that can limit the extent of the breach as much as possible and ensure a company is as secure as it possibly can be. 

“The question that will most likely be asked is how AIG and other insurers do this post-breach, and pre-breach, when the insurance buyer or risk team doesn’t necessarily have the influence or ability to collaborate with the security team,” she concluded. 

Read more on Hackers and cybercrime prevention

Data Center
Data Management