Global trade disrupted by cyber attacks

As an insurer we are well aware of so-called “Black Swan” events,i.e. events that are deemed so unlikely that they are not really taken seriously when calculating risks. For many years this has been the case with cyber risks. Imperceptible. Unlikely. Intangible.

Until just recently, that is. In June last year, global shipping giant Maersk Line, which handles one in seven containers shipped globally, was hit by a ransomware attack. With a fleet of more than 600 containervessels, Maersk is the world's largest shipping company.

The company handles around 25 percent of all containers shipped on the key Asia–Europe route and transports about 16 percent of the world's seaborne manufactured trade. Hence, this cyber attack had a real impact on global trade.

In the week following the cyber attack Maersk's loading volumes dipped from typical levels of around 210,000 fortyfoot containers to 160,000. The attack came at a time when Maersk had rolled out a new digitisation strategy to modernise an industry in which most orders were still placed via phone. Maersk was forced to return to manual operation and had to handle a backlog of orders.

However, just two days after the attack, Maersk Line was able to take orders from existing customers and things gradually got back to normal over the following week and returned to normal by the middle of July, according to its CEO.

Cyber security risks are growing

The cybersecurity risk was also highlighted as a major risk in the World Economic Forum's Global Risk Report, and the World Economic Forum mentioned it in their Executive Summary: "Cyber security risks are also growing, both in their prevalence and in their disruptive potential. Attacks against businesses have almost doubled in five years, and incidents that would once have been considered extraordinary are becoming more and more commonplace.

The financial impact of cyber security breaches is rising, and some of the largest costs in 2017 related to ransomware attacks, which accounted for 64% of all malicious emails. Notable examples included the WannaCry attack—which affected 300,000 computers across 150 countries— and NotPetya, which caused quarterly losses of US$300 million for a number of affected businesses.

Another growing trend is the use of cyber attacks to target critical infrastructure and strategic industrial sectors, raising fears that, in a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning".

The Maersk Attack

The attack infected computers through ransomware that encrypted the hard drive – with the so- called NotPetya virus. It started due to a breach in the Ukraine and impacted the systems of Maersk’s parent companies. The breakdown affected all business units at Maersk, including container shipping, port and tug boat operations, oil and gas production, drilling services and oil tankers.

The cyber attack mainly impacted Maersk Line, APM Terminals (which reported that some 17 shipping container terminals run by APM Terminals had been hacked) and Damco, as well as negatively affecting business volumes for a couple of weeks in July last year. Maersk’s APM Terminals unit, which operates 76 port and terminal facilities in 59 countries around the globe, was impacted at a number of sites, including the Port of New York and New Jersey, the largest port on the U.S. East Coast, and Rotterdam in The Netherlands, Europe’s largest port.

The attack, similar to the WannaCry virus, reached Asia after spreading from Europe to the U.S. overnight, hitting
businesses, port operators and government systems. Hackers told their victims to pay USD 300 in cryptocurrency (Bitcoin) per infected computer to unlock their systems.

The ransomware took advantage of certain security vulnerabilities in Windows that Microsoft patched after they leaked. It was a previously unseen type of malware and updates and patches applied to both the Windows systems
and antivirus were not an effective protection  in this case, according to Maersk.

Not only Maersk was affected

Not only Maersk was affected but also Ukraine’s central bank also said a number of Ukrainian commercial banks and state and private companies had been hit by cyber-attacks via an “unknown virus”.

It is important to remember that Maersk was more likely than not collateral damage of an attack on the Ukrainian
government. To that end it is exceedingly likely we will see a repeat. Shipping company Maersk Line has said that
the June cyber-attack could cost it up to USD 300 million in lost revenue.

Maersk Line managed to stay in profit despite the attack. Maersk Line reported a net profit of USD 220 million in
the third quarter, compared with a loss of USD 122 million in Q3 16. Turnover at Maersk Line increased year-on-year by 14% to USD 6.1 billion, boosted by a 14% hike in its average freight rate to USD 2,063 per feu¹. The star performers were the carrier’s Asia–Europe and transpacific east–west trades, where average rates jumped almost 20% to USD 2,186 per feu 1).

Maersk’s operating profit before depreciation and amortisation (EBITDA) of USD 2.06 billion was in line with the USD 2.05 billion forecast by analysts.

Extremeny difficult attack

The 2017 cyberattack proved extremely difficult for Maersk Line and they have since revised and invested in
their system architecture to reduce cyber risks to ensure that its operations do not get impacted by any such global breach in the future. You can build up your cyber fortifications, but partners in trade and container supply chains need to develop contingency plans, as it is a nearcertainty that the industry will be hit by another cyber-attack.

The question is not if, the question is when. Every cloud has a "silver-lining" and for Maersk it was how all its key stakeholders, including customers, authorities and employees reacted to the attack.

Overnight, the company switched over to manual operation from its computer- based systems, while some customers supported the company by increasing their orders. Whilst Maersk had business continuity plans, it was not prepared for the total impact and has since put in place new, different and further protective measures following the attack.

As a risk manager – always expect the unexpected. Even though cybersecurity risk awareness is currently high and on the agendas of all risk-conscious companies – as shown above – having the right insurance could prove valuable. Literally.

1) Forty-Foot Equivalent Units. Refers to container size standard of 40 feet. Two 20-foot containers or TEUs equal one FEU.

Article by

Tony Schröder

Manager of Major, Complex and International Property Claims Team, If