CMA-CGA announced online services are now functional again, two weeks after the world’s fourth largest shipper suffered a ransomware attack that paralyzed web-based services and prompted a shutdown of parts of the internal corporate network.
Separately, a new Atlantic Council note calls attention to the rising cyber threats in the maritime sector, stating, “with greater than 90 percent of all global trade tonnage transported by sea and vital global energy networks, maritime infrastructure has never been more essential and yet also more at risk.” One key reason cited by industry experts for the rising threat is the accelerated merging of OT and IT underpinning shipping company operations globally.
The paper also cited a senior official from the Office of Maritime Security, Maritime Administration, US Department of Transportation, as saying "robust, real-time, maritime-specific cyber threat and incident information sharing between maritime industry stakeholders, and between those stakeholders and the US government."
Days after the CMA breach — contrary to statements made by the company—we stated CMA CGM will likely see a drop in revenues and other adverse financial impacts in the months to come. This is even more true today considering that online services took approximately two weeks to restore. Cyberhedge data indicates that if operational disruption events like this are fully resolved within 1-2 days, negative financial impacts like a reduction in revenues and erosion in cashflows can be minimized. But breaches that take more than 5-7 days to resolve tend to cause much more serious and longer lasting financial damage.
CMA CGA shareholders should:
- Pay close attention to the next earnings announcement to size up the $ impact of this incident, beyond ransom payment or related fines. This is a risk area with significant downside potential for the company moving forward.
- Investors should also seek answers from the C-suite on how the likelihood of a ransomware attack can be minimized in future.
The systemic challenge posed by the merging of OT and IT places increased onus on good cyber governance in the maritime sector. Laggards in this realm will continue to be at increased risk of disruptions like those experienced by CMA-CGA and Maersk years earlier. Shareholders will absorb losses due to poor cyber that could otherwise have been avoided if the right investments were made in lowering the risks.
The US Government is also right to call for more information disclosure on threats and incidents in the sector. But it should go one step further and require company disclosures on performance metrics that demonstrate how cyber resilient organizations are before an attack occurs so steps can be taken by company C-suites to proactively lower risks. Proactive audits are conducted and shared in areas such as operational integrity and health and safety. The same should apply to cybersecurity in order to better protect global trade, shareholders and other stakeholders.
The right kinds of cyber disclosure will incentivize better company performance, including investments in areas C-suites may otherwise not allocate sufficient resources to.