French shipping giant CMA CGM, the world’s fourth largest shipping company, announced it was hit by a ransomware attack on September 28th. The attack reportedly paralyzed much of its global IT infrastructure. Although the company has indicated that operations have not been adversely impacted, as of today the company’s e-commerce website is still not fully operational.
CMA CGM, a private company, will not see the shareholder value losses experienced by Maersk, the world’s largest shipper, during the WannaCry ransomware attack in 2016. That NotPetya attack disrupted Maersk’s operations for 2 weeks, resulted in a 20% reduction in shipping volume during the outage, caused $300m in direct economic damage, and by Cyberhedge’s analysis led to $8.4b in value loss to Maersk shareholders.
But CMA CGM will see a drop in revenues and other adverse financial impacts in the months to come. Contrary to company statements about minimal negative impact on operations and quickly isolating the damage, company operations are always adversely impacted during ransomware attacks. This is why the financial costs of ransomware are far higher and longer lasting than those of any other form of cyber-attack.
Shipping companies are increasingly susceptible to damaging operational disruptions like this because years of digital transformation have made core operations reliant on digital technology through the merging of OT and IT. CMA CGM joins MSC as a high-profile breach victim in 2020. The Maersk story should have been a warning for the industry to redouble investments in security to prevent and minimize incidents like this one. But the CMA CGM breach is a reminder that large, well-capitalized companies remain vulnerable to attack.
Once operations are fully restored, the company’s C-suite would be wise to look beyond the immediate remediation of this incident and examine its overall cyber posture, key weaknesses, and the investments not just in technology but more importantly in the ‘people, policy and process’ that underpin strong cyber governance.
And CMA CGM’s peers would also be wise to examine this incident and take the opportunity to do some scenario planning around how they would minimize the likelihood of a similar result.