The Equifax breach will likely devour the entire breach news cycle in the near term, given the size of the incident and that it gets to the essence of the company’s business of maintaining some of the most sensitive consumer information. Still, in what for the moment might seem like a more pedestrian risk, companies continue to be affected by ransomware. One of the unique aspects of ransomware is that it does not involve just stealing information, but makes the information unavailable to the business. If critical information is unavailable, there is operational impact and often a material effect that companies must disclose publicly.
Most recently, WannaCry and Petya demonstrated the ability of ransomware to exploit security vulnerabilities, spread quickly and, in some cases, cripple company operations. Here is how some companies have addressed it.
General ransomware risk disclosures
In the energy sector, at least two companies — Concho Resources and Repsol — have disclosed ransomware risks. Concho’s 8-Ks from Q1 and Q2 2017 reference ransomware in the “Forward Looking and Cautionary Statements” section, where the company lists events and developments “regarding the Company’s future financial position, operations, performance, business strategy…” There, Concho lists cybersecurity risks, specifically ransomware, phishing, and data breaches, as potential threats that could adversely affect the company.
Similarly, Repsol addresses ransomware in its 40-F filings as one of the cyber risk factors for the company. The company discloses that cyber risk factors, including ransomware, have led to increased industry-wide concern about cyber threats intended to disrupt business, which “could have a negative financial effect on the Company’s operational performance and earnings, as well as the Company’s reputation.”
IBM’s most recent 10-K identifies ransomware as a cyber risk that could impact the company’s business by causing “the loss of access to critical data or systems.”
Ransomware incident disclosures
Companies have also made specific disclosures about ransomware after experiencing an attack.
In one example of a post-attack disclosure, FedEx’s most recent 10-K (May 2017) discusses the impact of the WannaCry and Petya attacks on FedEx systems and subsidiaries. Specifically, the disclosure states that a FedEx subsidiary “TNT Express experienced a significant cyber-attack” but that the company was at the time still unable “to determine the full extent of its impact, including the impact on … results of operations and financial condition,” concluding that likely “the financial impact will be material.” The 10-K also warns that FedEx is unable to “estimate when TNT Express services will be fully restored” and that it may be “unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted.”
It has been about 10 years since the TJX breach opened companies’ eyes to the risks of not being vigilant in protecting their data and systems. As attackers have become more discerning and sophisticated, the impact of breaches on companies has moved from the realm of plaintiffs’ counsel’s imagination to real operational impact. Ransomware locks up important data and can stop a company in its tracks, and massive breaches like the one impacting Equifax create existential threats for companies that live and die by data. Companies that have so far avoided serious harm from breaches should use every publicized incident as an opportunity to remind management that more can and should be done to protect critical data and systems. And, in the aftermath of such an attack, companies must consider whether they have a duty to report the potential harm from the attack to the public and shareholders.
Norton Rose Fulbright nominated for Cyber Law Firm of the Year
Norton Rose Fulbright has been shortlisted for ‘Cyber law firm of the year’ at the Insurance Insider Cyber Ranking Awards 2017. Voting is now open, and you can show your support for Norton Rose Fulbright by casting your vote ahead of the award ceremony on 29 September 2017.
The category of “Cyber law firm of the year” is a new addition to the Cyber Ranking Awards and provides brokers and underwriters with a chance to vote for the law firm that they believe has contributed the most to bringing innovative solutions to market over the past 12 months. We are honored to be included as a nominee, and believe that it reflects our leading experience within the cyber insurance sector.
Norton Rose Fulbright provides data protection, privacy and incident response services around the globe, and works closely with the insurance industry to address cyber and technology-related risks.