Potential $40mn loss for aluminium manufacturing giant

15 April 2019

One of the world’s largest aluminium maker heavyweights recently suffered a ransomware attack from an unknown hacker, which halted some of its key operations across 160 plants worldwide, causing a loss of USD 35-41 million in the first week.

Its systems were infected with a strain of ransomware known as LockerGoga, which immediately disrupted some production units. These units included their main source of production, which is still struggling to recover, according to an executive company representative.

Meanwhile other units, including their primary metals business, were able to switch to manual operation and workaround solutions to resume business as usual.

So far, no safety incidents have been reported for the company's employees.

High production and operational toll

The manufacturer is currently operating at 70% to 80% across three business units — Europe, North America and Tubing. However, this production excludes their building systems business unit, which is not performing at all.

The manufacturer converts aluminium blocks into components for carmakers and builders, among other industries.

This operational standstill could have a detrimental knock on effect for all of their client companies, while employees work hard to restore their IT systems back to functionality. The company hopes to achieve reasonable levels of production and shipments soon.

Refused to pay ransom demands

The company has publicly refused to give in to the hacker’s demands and pay the ransom. Instead choosing to restore their IT systems from back up servers safely and limiting the impact on staff, operations, customers, suppliers, and partners.

This plan involves screening all computers and servers across the business, cleaning and rebuilding all of those infected with ransomware from back-ups.

Public reports of the initial infection show that the attackers did not specify a ransom amount, instead specifying that the amount would depend on how fast the company contacted the criminals.

Firms in this situation have a two-fold decision to make regarding paying ransom — both principle and economic.

Some companies decide in advance that their core principles prohibit the payment of any ransom, however small, while others decide to take a balanced view in light of the specific facts of the case.

From an economic perspective, the decision to pay or attempt to recover is generally more straightforward.

Potential $40mn loss for aluminium manufacturing giantFull recovery will take weeks or more

One of the possible consequences of not paying the ransom is that the decryption process and subsequent system recovery could now take longer than if the aluminium manufacturer chose to concede. Current estimations for resuming business as usual are a few weeks or more.

In the meantime, the utility company is focused on getting all relevant IT support functions back up and running, including payroll, treasury and reporting, using interim alternative solutions where necessary and possible.

The company needs to ensure that their C-suite remains engaged throughout the process and that their backup servers remain complete, unaffected by the ransomware and functional before they attempt to restore them.

The company employed the assistance of experienced technology vendors with special knowledge on ransomware to recover their IT systems and prevent further damage occurring.

It hasn’t been revealed yet whether this panel of expert vendors were sourced by their cyber insurer or independently, but most insurers offer this form of breach recovery support.

Impressive response

Unlike some ransomware victims, this manufacturer was prepared for the attack with up-to-date, secure backups, the technology to restore the data from said backups, and a “solid” cyber insurance policy.

They had already utilised the cloud for email systems, which meant that communication continued as usual post attack via smartphones and tablet devices, despite the unfortunate system shutdown.

Following the cyber incident, they immediately sprang into action, engaging law enforcement and overseas tech vendors. They also made an admirable effort to keep stakeholders and customers informed throughout the disaster. This public response included daily social media posts and webcasts, including their recent YouTube video.

This proactivity will surely help to soften the reputational blow of the attack.

Unknown if adequate insurance is in place

Since the ransomware attack, their share value has decreased by 1.9% and there has only been a 0.5% increase in Norway’s benchmark stock index.

The majority of their USD 41+ million loss has been the result of lost profit margins and the sheer volume of clients awaiting the manufacturer's productions.

Full details of the insurance coverage are yet to be disclosed. As it stands, the company was insured for cyber risks by lead insurer AIG, but the limits and conditions of the policy are unknown. In many cases companies do not purchase adequate cyber insurance to cover catastrophic incidents like this one, even though it is commercially available.

It is prudent to consider incidents like this one when evaluating both the limits and deductibles of cyber insurance programmes.



  • Sarah StephensSarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information, learn more about cyber insurance or contact Sarah Stephens, Head of Cyber on +44 (0)20 3394 0486.

  • For more articles like this, download our Cyber Decoder

    Share this article

    Facebook Twitter LinkedIn