Putting cyber costs in perspective

Malcolm Latarche
Malcolm Latarche

17 August 2017


When reporting its first half figures earlier this week, Maersk revealed that it would be factoring in a $300m loss in revenue triggered by the NotPetya cyberattack at the end of June. The actual costs would have been incurred during July. Maersk put some of the blame for the problems it encountered down to vulnerabilities in its Microsoft Windows operating system saying, “This cyber-attack was a previously unseen type of malware, and updates and patches applied to both the Windows systems and antivirus were not an effective protection in this case". That information alone should be sufficient for other shipping companies to begin examining their own vulnerability. Many companies rely on Windows and off the shelf protection products and in smaller set-ups with only a few vessels their IT skills will be quite basic. Put in perspective against the company’s revenue of $9.6bn for the quarter, $300m does not seem a massive amount but it effectively wiped out any profit for the quarter from Maersk’s liner business. Measured another way, the scale becomes more worrying. With the capital cost of scrubbers and ballast water treatment systems both running at around $4-5m for the largest systems, a $300m loss translates into between 60 and 75 systems of one kind or the other. That is the same as fitting both systems to 30-35 ships. Considering that in a few years from now both may be necessary for a ship to continue trading and with finance for installing equipment tight, any loss of income is unaffordable. Thankfully for some of the smaller operators, they do not have the volume of customers that a container service the size of Maersk’s has, neither do they need complex IT systems to manage the accounting and cash flows if their fleet is a dozen or so ships making ten voyages each per year. Nevertheless the loss of operational data could be an issue for them and perhaps the time has come to consider their cyber defences.