Garmin confirmed yesterday that a cyberattack that caused widespread disruptions over the past 5 days across its IT network — to website functions, customer support, company communications and customer-facing applications — was a ransomware attack. Services are starting to be restored, but questions remain about the extent of the penetration into Garmin’s network and how the attack was resolved. Garmin is due to report 2Q20 earnings tomorrow (Wednesday, July 29).
Garmin’s initial response to the July 23 attack was to describe the disruption to its operations as an ‘outage’. While the company has since disclosed that it was in fact a ransomware attack, many details remain unknown. The incident highlights the broader problem of inadequate disclosure by companies that experience cyber incidents such as ransomware attacks.
While some jurisdictions require specific disclosures after personal data leaks (see yesterday’s comment about GDPR), others do not. And no jurisdiction requires companies to report ransomware attacks that do not result in personal data leaks. Companies are also not required to report operational disruption incidents like this to authorities, or to report whether or not they paid a ransom to resolve the attacks. And there are no clear legal policies or guidelines in the US, UK or Europe about how companies should respond to ransomware attacks. With ransomware attacks increasing greatly in frequency — one recent survey reports a doubling in attacks in the first half of 2020 compared to a year earlier — there is an urgent need for clear guidance in this area from authorities and regulators. According to a recent FireEye report, 68% of ransomware attacks go undetected by companies altogether.
Considering the financial damage that ransomware-driven operational shutdowns cause, this is a serious issue which investors and company boards should prioritize as well. Garmin is a $19bn company that leverages its customers’ behavioral data to build and improve products and, in turn, to gain greater market share. Customer data loss events and operational disruptions like this damage its brand and undercut its business strategy. This is why cyber is the primary business risk for Garmin, and this incident is an indication that the company is not effectively managing it.
While data breaches involving loss of personal information impose costs on companies such as systems repair costs, fines and paid monitoring services for affected users, ransomware is the most damaging and costly type of breach event for companies and their shareholders. According to Cyberhedge data, there is an average 20% drop in operating margins for companies experiencing a cyber-related operational disruption like ransomware.
As we have highlighted before, greater transparency around these risks, including ransomware incidents, lets companies better mitigate the losses suffered by poor performers and lets investors avoid them.