The cyber attack that crippled Ukraine businesses and spread worldwide to shut down shipping ports, factories, and corporate offices has taken a costly toll on the results of major U.S. and European companies in the latest quarter, with more to come.
While individual companies have been laid low by hacking attacks in the past, this financial reporting season marks the first time that major players across a range of industries have blamed them for significant financial damage to their results.
On Thursday, German consumer products maker Beiersdorf AG blamed the attack for a shortfall in its half-year financial results, which caused 5 to 10 days of shipping and production delays after its computer and communications froze.
Six more major international companies, four based in Europe and two in Russia, which acknowledged they suffered disruption, are due to report quarterly results later in August.
The June 27 attack, dubbed NotPetya, first targeted Ukraine, taking down many government agencies and businesses there, before spreading rapidly through corporate networks of multinationals with operations or suppliers in eastern Europe.
Beiersdorf, the maker of Nivea cosmetics, said 35 million euros ($41 million) worth of second-quarter sales were delayed to the third quarter and it was totting up the costs of the attack for items such as calling in outside experts, promotions and using other production sites to make up for shortfalls.
“It is very important to stress there is a cost and there will be a cost associated with this,” Chief Financial Officer Jesper Andersen said. “We are still working our way through it. Our focus so far has been on recovery.”
Beiersdorf said the costs would not have a material impact on its profit outlook for the full year. Its shares were down 3.1 percent in Frankfurt at 1010 GMT.
Cadbury chocolate maker Mondelez and freight logistics company FedEx Corp are among five multinational firms, three from the United States and two in Europe, which have previously reported material financial damage from the cyber “worm” that hit on June 27, in the closing days of the quarter.
Mondelez, formerly known as Kraft and the world’s second-largest confectionery company, reported a 5 percent drop in quarterly sales on Wednesday, blaming shipping and invoicing delays caused by the June attack.
Growing risk factors
Investors should get used to hearing about cyber attacks during earnings calls, said Ian Winer, equity co-head at Wedbush Securities.
“The trend is accelerating,” he said. “As hackers get more sophisticated they are taking shots at major companies.”
More hackers are becoming adept at developing or finding malware to wipe data on computers, making them inoperable.
Danish shipping company AP Moller-Maersk S/A, which handles one out of seven containers shipped globally, said on July 20 that operations worldwide had been significantly affected, but that it lost no corporate data to outside parties.
Maersk declined to comment and said it would address the impact on Aug. 16, when it reports second-quarter results.
“We anticipate a limited impact from the cyber attack (estimates range from $50-$450 million) as it started towards the end of (the second quarter),” Jefferies analyst David Kerstens said in a note to clients. Analysts, on average, estimate the hit to Maersk results in a range of $100-$200 million.
German mail and logistics firm Deutsche Post DHL Group and retailer Metro AG also said their Ukrainian operations were infected, but have provided no further details. Deutsche Post reports results on Aug. 8 and Metro Group is expected to report results later in August.
Other NotPetya victims include Merck & Co Inc, which last week warned the attack had halted production of some drugs, saying it had yet to understand the full costs associated with it.
The attack slowed deliveries at FedEx and halted production lines at British consumer goods maker Reckitt Benckiser, according to accounts by those companies. FedEx said the attack would have a “material” effect on its full-year results.
Nasty line items
Jake Dollarhide, head of Longbow Asset Management in Tulsa, Oklahoma, which manages $85 million in assets, said he expects cyber attacks to become as common as reports that a storm or oil prices hurt results.
Cyence, a firm that helps insurers measure cyber risk, estimated that economic costs from NotPetya would total $850 million.
Major global cyber attacks have the potential to cause economic losses on par with catastrophic natural disasters such as U.S. Superstorm Sandy in 2012, Cyence and Lloyd’s of London Ltd [SOLYD.UL] said in a joint report in July. Average economic losses caused by such disruptions could range from $4.6 billion to $121 billion, the report said.
One mysterious group known as The Shadow Brokers in April dumped a trove of powerful hacking tools on the Internet, which security experts said were developed by the U.S. National Security Agency. Code the group released was used for spreading NotPetya and in the “WannaCry” attack in May on hospitals, businesses, and governments worldwide.
“As stock market investors we have to accept this brand new reality in this new digital age,” Longbow’s Dollarhide said.
Most businesses are inadequately protected from cyber attacks, said Tom Kellermann, chief executive of investment firm Strategic Cyber Ventures.
“The day of reckoning has come for shareholders,” Kellermann said.