Although environmental consulting has been around since the early 1970s, it’s still an expanding field with unique risks and exposures.
Governmental regulations, along with public interest in conservation and sustainability, have driven the growth of this $16 billion industry providing environmental services to virtually every sector of the U.S. economy, from surveyors conducting site assessments to engineers developing remediation plans to contractors performing cleanup and pollution abatement.
At the same time, these tasks lead environmental consultants to encounter risks that are excluded under standard commercial package policies. Pollution liability can occur when faulty work is the direct cause of environmental contamination, and professional liability arises when technical errors contribute to an incident and subsequent economic losses for a client.
Even individuals who never set foot on a job site must consider their potential exposure: lab technicians analyzing soil samples for pollutants or engineers advising on regulatory compliance plans may find themselves subject to a claim. Simply put, if your operations can contribute to an environmental incident, you are exposed.
Start with documentation
Complete, consistent documentation is the basis for an effective environmental risk management strategy. This begins with preparing detailed proposals for each project, clearly defining the work to be completed, terms of successful performance, and a realistic estimate of associated costs.
Consultants should take the time to ensure that clients understand the proposed work and agree that it addresses their concerns, so as to avoid future disputes.
Recording the obligations of consultants and clients in a formal contract reduces the potential for conflict over a difference in unstated expectations. The goal of the contract should be an equitable distribution of risk for both parties.
Identify the standard of care to be applied and the limits of liability for the consultant; ideally, this will be an amount equal to the fees charged for the project. Risk professionals should be cautious about commitments exceeding industry standards and especially wary of broad indemnification language that would expose consultants to risks unrelated to the work that they have agreed to perform.
Specify the process for addressing unforeseen circumstances, such as the discovery of unanticipated hazardous materials or subsurface structures, and employ alternative dispute resolution methods in the event of an intractable disagreement. As the project gets underway, procurement should be conducted according to established procedures and criteria.
Subcontractors present additional risk
Any project relying on subcontractors opens itself to additional risk, as the same concerns that apply to the environmental consultant extend to this group as well.
Regardless of past success with a particular subcontractor, consultants must make sure that their partners possess the relevant skills and resources to conduct and supervise the work at hand. Best practices involve prequalifying subcontractors according to expertise, resources, and financial stability, including adequacy of insurance.
Subcontractor questionnaires or other evaluations can be kept on file and updated for future projects as needed.
Project work should follow the specified scope as close as possible, with quality control checks to monitor adherence to guidelines. Team members performing the work should be qualified to conduct initial quality assessments, with senior consultants reviewing calculations and results for sensitive tasks.
If work involves the risk of physical exposure to hazardous materials, site-specific plans are necessary to guarantee conformance to OSHA standards, at a minimum. Firms should have plans in place for handling and storing waste materials and other potential contaminants, as well as for spill response in the event of a breach.
All formal reviews of plans, documentation, and work performed should be recorded for later reference.
Finally, any project is likely to call for changes to at least some of the initial terms. Change requests should be documented for issues large and small, with a record of client acceptance where required. In fact, it’s wise to catalog all project-related correspondence, especially with key stakeholders such as clients or regulators. Evidence of communications and approvals can be the most effective defense against potential claims.
Mining the data in documentation
One secondary benefit to a successful documentation strategy is the wealth of information that it offers to insurance carriers and underwriters assessing the quality of a potential insured. Risk managers should review consultants’ procedures against those described and address any gaps before contacting insurers.
In addition to routine application requests for financial information and loss history, risk managers can provide copies of standard operating procedures, site reports, incident response and spill containment plans, hazardous material storage protocols, subcontractor qualifications and resumes of specialists responsible for core operational and oversight functions.
For environmental consultants, incorporating these recommendations increases the likelihood of successful projects and productive client relationships — outcomes that translate into improved availability and affordability of insurance. For insurance professionals, evaluating risks in light of these standards can reduce claim frequency and severity, improving loss experience and underwriting results.
The combined effect is enhanced profitability for carriers, producers, and consultants themselves and greater availability of essential environmental services for the economy as a whole.
The days when a hurricane, tornado, or other natural disaster is raging, along with the immediate aftermath, are both the worst and best of times. Why they are the worst is obvious. But, these moments also attract the most attention, assistance, and funding. Allow a few months or years to go by, and much of that dries up, diverted to the next disaster or event in the news, the effects of the crisis typically last a very long time.
“Long after the waters have receded, Americans will be grappling with the effects of Hurricanes Harvey and Irma, which broke records and ruined lives as they wreaked havoc on the United States and the Caribbean,” warns the Washington Post.
For example, reports the Post, “state and federal health authorities have warned residents to be on the lookout for mold in their homes, strange rashes on their bodies, stray jagged items in standing water that can lead to infected wounds, and depression and post-traumatic stress disorder.” Those all take a while to develop.
“As conditions dry up, we will cycle out of the weeks of floodwater mosquitoes, and then begin cycling into a period of time where the disease-transmitting mosquitoes will emerge and build up,” Sonja Swiger, a veterinary entomologist at Texas A&M AgriLife Extension Service, said in a statement. “So, the initial run of mosquitoes is not too much of a disease threat…It’s the next run we really need to be concerned about.”
Likewise, fully a year after Hurricane Katrina, residents reported an increase in suicidal thoughts, according to a 2015 paper published in the journal Nature. The same is likely to be true for Harvey.
Ben Brown from placemakers.com divides the time post-disaster into several stages. The first is the buildup to the crisis and the “hit.” During the second stage, the tragedy is offset by the rush of attention and inspiring stories of volunteers rushing to their fellow humans’ aid. However, then comes “stage three.”
Building beneath the stage two celebration of everyday heroes is the stage three inevitability of hero fatigue. The first responders, the ad hoc volunteers as well as the pros, are soon overwhelmed by the scale of demands—the logistics of organizing and managing shelter, transportation, food, medical care and clean-up. Exhaustion sets in. Fear of chaos looms. Images of neighbors helping neighbors are replaced by weary property owners sitting on porches with shotguns in their laps. It’s everybody for themselves.
Brown believes this period can also, however, be a time of fresh ideas and initiatives—new thinking that is typically squelched once the various stakeholders eventually come around and allocate the additional resources needed.
This window, this low point of hope, might also be the best opportunity for consensus on a get-something-done agenda, for committing to strategies to avoid reenacting the social and economic misery of the present in the future. As soon as the immediate emergency recedes, leaders…might be up for a talk about better planning approaches. They might even be agreeable to considering the big ideas a lot of us like—restricting building in vulnerable areas, toughening building codes, enacting zoning that encourages density for more cost-effective storm water management and less private automobile dependence.
The key, he says, is to take bite-sized steps—implementation of small components of big ideas, models that can be put in practice fast to demonstrate their utility and appeal, then replicated and scaled up when funding is obtained.
If residents and community stakeholders don’t capitalize on this opportunity for an equitable fresh start, then the result is likely a bounce back to a risk-prone status quo. Entrenched powers leverage “federal dollars to rebuild or allow to be built much of the infrastructure, housing and commercial structures that was there before—too often in the same places that were considered too risky before and are just as vulnerable going forward.”
Just how to tap into additional funding to carry communities into long-term recovery is the challenge. This is particularly true in light of President Trump’s proposed cuts in the Department of Housing and Urban Development, which helps rebuild homes, parks, hospitals and community centers.
One emerging solution is “pre-agreed financing”—such as sovereign parametric insurance, risk pools, or catastrophe bonds. (In sovereign parametric insurance, a premium is paid by a government and payouts are obtained based on an objective trigger, such as wind speed or the Richter scale for earthquakes.) For example, the Caribbean Catastrophe Risk Insurance Facility, set up 10 years ago as a risk pool with 17 member countries, already has announced it will pay out, within a fortnight, $15.6 million to the governments of Antigua and Barbuda, Anguilla, and St Kitts and Nevis—providing resources to get public services and infrastructure functioning again.
However, Lawrence Vale, author of “The Politics of Resilient Cities: Whose Resilience and Whose City?,” adds that it’s not just reducing risk that should be of concern when rebuilding. Equitable development should be a priority as well. “Who bears the brunt of the crisis and whose interests are best served by the proposed interventions?” he says we must ask. If resiliency is bouncing back, what are we bouncing back to? In too many of our communities, there already is entrenched inequality. Will we bounce back to more of the same?
Or, even worse, resources may be used for what Naomi Klein has called “disaster capitalism”—remaking the community to advantage the privileged classes at the expense of the “less desirable.”—Pam Bailey
In May, a strain of ransomware known as WannaCry infected more than 230,000 computers in 150 countries, demanding about $300 in the cryptocurrency bitcoin to restore access. Primarily striking Europe and Asia, the attack crippled operations for a wide swath of enterprises, from the U.K.’s National Health Service to German state railways to thousands of private businesses. Although the buzz had died down, some businesses were still struggling to recover over a month later. On June 21, for example, despite efforts to secure its systems at the height of the attacks, Honda had to halt production at one of its vehicle plants in Japan after finding the ransomware in its network.
While most ransomware is spread through phishing, the WannaCry attack used an exploit called EternalBlue that takes advantage of a vulnerability in computers running outdated, unpatched versions of Microsoft Windows. The exploit is one of the National Security Agency-developed hacking tools leaked last year by hacker group the Shadow Brokers.
Experts warned that WannaCry may be a test balloon of sorts—cybercriminals trying to see just how much worldwide havoc they could wreak. Given the relative technical ease of launching a ransomware attack, the hackers netted a decent haul: At the beginning of July, bitcoin wallets associated with WannaCry had accrued a little over $120,000.
It has become a cliché with so many cyberrisks that the question is when, not if, a business will face the threat, but this aphorism is perhaps most accurate when it comes to ransomware. Last year, the FBI recorded more than 4,000 attacks a day, a 300% increase over 2015, and cybersecurity firm Kaspersky Lab reported that ransomware attacks on businesses went from one every two minutes in January 2016 to one every 40 seconds in October. Whether deployed for strategic disruption or for quick cash-grabs, with ransomware available for purchase on the dark web and the considerable efficacy and ease of launching attacks, the threat only grows.
“With the onset of ransomware as a very volatile yet easily findable tool to deploy without much sophistication from a hacking standpoint, it has really become about knocking on as many doors as possible to see if someone answers,” said Bob Wice, U.S. focus group leader for cyber insurance at Beazley.
Ultimately, a ransom payment is the tip of the iceberg when it comes to cost. Cybersecurity Ventures predicts that ransomware damages will exceed $5 billion in 2017, more than 15 times greater than the total from 2015. These costs include damage and loss of data, downtime, lost productivity, post-attack business disruption, forensic investigation, restoration of data and systems, reputation damage, and employee training in direct response to an attack.
Indeed, watching recent attacks unfold, the true toll of WannaCry for organizations may be forcing recognition of these real risks and escalating the conversation—and perhaps panic—over a critical threat that demands preparation.
“WannaCry and other ransomware has demonstrated that the biggest impact to an organization is not the ransom itself, but the associated business interruption, and that has really changed the dialogue because more companies are realizing that the potential financial statement impact is something they really need to be focusing on,” said Stephanie Snyder, national sales leader for cyber insurance at Aon Risk Solutions.
If At First You Don’t Prepare…
Because the stakes are so high, it is critical for organizations to have a clear strategy for responding to a ransomware attack. The first step happens long before you ever see a lock screen and a bitcoin demand—planning for it.
In a June survey by ISACA, an international association of IT governance professionals, 62% of respondents reported experiencing ransomware in 2016, but only 53% have a formal process in place to address it, and 16% have no incident response plan at all. Deloitte also recently found that, despite notable confidence from business leaders, preparation for a cyber crisis lags. While 76% of executives felt highly confident in their ability to respond to a cyber incident, 82% said their organization has not documented and tested cyber response plans involving business stakeholders within the past year, and 21% lack clarity on cyber mandates, roles and responsibilities.
“Having an incident response plan is synonymous with cyber resilience,” said Rocco Grillo, executive managing director and cyber resilience global leader at cyberrisk management and incident response firm Stroz Friedberg. “Strategically, when we’re talking about the incident response plan, you should also be thinking in terms of how updated it is, whether it has been tested, and if it has been tested for situations like this.”
An incident response plan is a repeatable process that serves as a framework to guide companies through a crisis. Forging relationships proactively and gathering these resources in the incident response plan is key. Grillo called the core team needed in the room for crisis management “the six in the box: an outside forensics investigator, outside counsel, crisis communications, your cyber insurer or broker, notification and communications companies, and some type of relationship with law enforcement.”
In guiding companies through both preparation and crisis response, Grillo finds perhaps the biggest determinant in crafting a strong plan is communication between risk managers and chief information security officers. “One of the biggest things companies come up short on is not including the appropriate stakeholders from both IT security and the business—and when I say business, it’s not just the C-suite, but specifically risk managers,” he said. “That’s one of the paramount things we are striving to do: get all the risk managers and CISOs better aligned and tackling situations like this.”
Snyder agreed, “There has to be appropriate alignment and I think it comes down to the risk manager and CISO having a partnership and being able to have a dialogue to ensure the organization is protected, not just from an IT standpoint, but also from an enterprise risk standpoint.”
Once developed, it is critical that stakeholders go through and practice the plan, explore the decision paths that might arise from different cybersecurity scenarios, and ensure all necessary resources are identified and contact information collected for when disaster strikes.
“A crucial mistake we see is a company buying an insurance policy or saying they have done [the right preparation], but they are not communicating the incident response plan or they are not formalizing it adequately,” Wice said. “When a bad event does happen, they are still in a spot where they aren’t making the right phone calls, getting coordinated, or making a concerted effort to communicate internally about what’s happening. That results in mistakes being made and, probably, costs incurred that don’t need to be.”
To ensure maximum coverage for those costs, the plan should also detail when to contact insurers. “Organizations must be mindful of the notice clause and cooperation clause under their policy,” Snyder explained, urging policyholders to err on the side of notifying as early as possible when contemplating any action in the event of a ransomware attack.
The planning stage is also a good time to reach out to law enforcement, namely establishing a relationship with a local FBI office. Doing so in advance, rather than searching for a contact during a crisis and going in cold, can be very helpful, Grillo said, and the FBI is often aware of emerging threats and industry-specific incidents that have not yet been made public.
It Happened. Now What?
When an attack hits, crisis responders—hopefully with incident response plan in hand—will need to call on the right resources as quickly as possible.
If the company has a cyber liability policy, the first step is contacting the insurer with notice of a potential incident, which will prompt the insurer to activate its network of third-party resources to begin or even lead incident response. It is also time to activate the organization’s established external network, should it have one.
“We first need to hire attorneys to make sure that we understand the legal obligations,” Wice said. “The attorneys will assess the associated risk, hire the forensics firm under privilege, and get them a master services agreement connected with the insured and start conducting a forensics analysis.” Forensics experts must establish how the ransomware entered the system, answering: when did the infection happen, who was affected, how many nodes were affected, and does it impact the entire network?
According to security intelligence firm LogRhythm, 72% of companies attacked could not access their data for at least two days, and 32% could not for five days or more.
“All too often, companies jump off-plan and try to go to containment immediately—they find a system has been exploited or compromised and zero in on that,” Grillo said. “The investigation step is critical to any incident response plan. You need to know what is going on and how widespread it is, then you can move to containment.” This investigation, paired with the efficacy of existing cyber hygiene practices, will determine the decision path from there. “If they’ve got your data and it’s encrypted, your options are limited. If your systems have been patched and your data is backed up, you’ve got other options to take on,” he explained.
Last summer, RIMS, the publisher of this magazine, experienced a ransomware attack. As in the majority of cases, an employee fell for a phishing email and clicked a malicious link. When the attackers struck, Mike Peters, vice president of information technology, quickly isolated the infected machine, informed key stakeholders within the organization, communicated with staff about the crisis and any appropriate action from users, and carried out the key tasks to assess, contain, mitigate and remove the threat. In short, he said, “the logical steps to take were: 1. Identify, 2. Stop and mitigate the attack, 3. Develop a plan to combat it, and 4. Recover our data.”
Peters and his team were able to get RIMS back up and running in six hours with no data loss and no ransom paid. For this successful and rather fast recovery cycle, Peters credits rigorous baseline cyber hygiene practices, including his data retention plan and approach to backups, annual disaster recovery testing, periodic spot testing, and daily monitoring for network intrusion. Paired with his own considerable training and certification as a chief information security officer, ethical hacker, and data forensics examiner, these measures negated the need to bring in forensics consultants, speeding the investigation and mitigation process.
For bigger organizations and those without such internal resources, the process can take far longer and involve a wide range of internal and external stakeholders. According to security intelligence firm LogRhythm, 72% of companies attacked could not access their data for at least two days, and 32% could not for five days or more.
When the University of Calgary suffered a ransomware attack in May 2016, investigation, response and recovery was a considerably longer process, including a week of extensive forensics and crisis management. They brought in a breach coach, retained and engaged security specialists, and assembled an emergency response team and IT incident command that worked around the clock for days on end, according to Janet Stein, the university’s director of risk management and insurance and a member of the RIMS board of directors. Communicating with thousands of users involved both high- and low-tech solutions, from the university’s emergency notification app to posters on doors around campus. Affected computers and file servers were physically unplugged or virtually sandboxed and forensics specialists traced the malware, retaining relevant forensic evidence. The team met three to four times a day, focusing on specific deliverables related to investigation, workaround solutions for users, and next steps.
Once an organization regains access to its data and systems, the response process is not quite over—refining an incident response plan is both the first and last step in any cyber crisis. “It is very easy to overlook one thing that is key in developing a truly formidable incident response plan: lessons learned,” Grillo said.
Somebody will always click the link. Or in our case, when it happened, click the link 12 times.
Such review added concrete value in the wake of the RIMS attack, Peters said. The organization assessed the existing strategy and schedule for backups, contracted with an email filtering vendor to help head off future attacks via phishing, and implemented anti-malware software. These, he said, “have made a difference by leaps and bounds.”
While Peters periodically conducts phishing tests on employees, even within a risk management association, the weakest link will always be end users, and he believes the experience has also made a significant impact on improving awareness and education internally.
“Somebody will always click the link. Or in our case, when it happened, click the link 12 times,” he said. “I don’t think we’ll ever be 100% out of the woods with our end-user community, but I think our awareness has increased tenfold.”
To Pay or Not to Pay?
It is hard to say how many ransomware victims pay the ransom. The FBI believes only a quarter of attacks are reported at all, and insurers do not necessarily hear about ransoms paid. Many victims have immature cyberrisk programs to begin with, so they are not reporting, Snyder said, and even among more prepared companies, ransoms that do not meet the deductible or concerns over the impact on premiums lead some to keep quiet.
The middle of a crisis is not the time to have that debate—those conversations need to be had in advance and a decision made about whether you will pay.
Estimates vary widely: In a study by cybersecurity firm Carbonite, 45% of businesses that had suffered an attack paid up, usually citing lack of preparation as a top determinant. Fortinet pegged the number at 42%, while 70% of respondents surveyed by IBM Security said they paid. In its 2017 Cyberthreat Defense Report, security industry research firm CyberEdge Group found that 61% of its 1,100 respondents were compromised by ransomware in 2016, of whom 33% paid the ransom and recovered their data, 54% refused to pay but successfully recovered their data anyway, and 13% refused to pay and subsequently lost their data.
“The question of whether to pay often comes up, and there are differences of opinion, not to mention the legal and law enforcement aspects of paying cyber thieves,” Grillo said. He advises that companies assess the business implications, get counsel involved, and decide on a policy before an incident ever occurs. “The middle of a crisis is not the time to have that debate—those conversations need to be had in advance and a decision made about whether you will pay.”
For Peters, it was never an option. “We never thought about paying and as long as I’m here, we will never pay,” he said. “I have the utmost confidence in our backups because we do a disaster recovery test once a year and do periodic spot tests to ensure that we can recover servers, files, computers, work stations—the necessary things to keep us running.”
According to Wice, such appropriate and adequate backups are the key factor to avoid paying. Most of Beazley’s insureds rely on their backups and as a result, he estimated the number of clients that suffered an attack and paid a ransom is “less than double-digits.”
“I wouldn’t say that we, as an insurer, should be influencing that decision, but I will say—and most of the security industry would say—as long as you have the appropriate backups in place, don’t pay,” he said. “There’s nothing you could say that would make me comfortable that, should a company pay the ransom, they are going to just get back decrypted data. You’re talking about honor among thieves here. And if you do pay, how do you know that you’re not going to be tabbed as a mark for the next exploit?”
There’s nothing you could say that would make me comfortable that, should a company pay the ransom, they are going to just get back decrypted data. You’re talking about honor among thieves here.
Indeed, the FBI, which officially discourages payment, has cited several recurring problems experienced by those who do. Paying a ransom does not guarantee an organization will regain access to its data—in fact, some never received decryption keys after paying, and there are reports of malware simply deleting the files after decryption. Upon initial payment, some enterprises were pressed for more money, while other victims who paid reported being the target of cybercriminals again soon thereafter. The FBI also points out that payments “embolden the adversary to target organizations for profit” and create a lucrative environment that may draw in more criminals.
Cyberrisk experts acknowledge, however, that from a financial standpoint, paying may be the only practical option for some enterprises.
Despite extensive incident response efforts and temporary solutions like issuing 8,000 new email addresses so users could work, the University of Calgary ultimately paid a ransom of 27 bitcoin (then about $15,000, or CAN $20,000). While Stein said the response was largely considered successful, the university endured a week of disruption and had to evaluate all the data potentially not backed up, including academic research conducted on campus. The university’s board decided that access to data and services—and mitigating the potential costs of data loss—made paying worthwhile.
“As much as you would like to take the prudent position not to pay, that may not outweigh the company’s losses, and it really becomes a business decision,” Grillo said. “Ultimately, if your data is impacted and you can’t get it back, if it’s interrupting your business or impacting your clients, there are some serious business decisions that need to be made.”
If planning to pay, the organization should involve counsel and seriously consider contacting law enforcement, Grillo advised. “You’re negotiating with criminals at this point,” he said. “When you get that far into extortion situations, it’s likely beneficial to have law enforcement involved.”
Insurance: Beyond the Bitcoin
If an organization does pay, the ransom can be covered by a cyber insurance policy. In some cases, however, since the sums requested are so low, it may not meet the deductible. “We certainly have paid cyberextortion on the cyberextortion insuring agreement, but it’s not as much as one might think,” Wice said.
Covered losses specifically from ransoms remain low at Willis Towers Watson as well. “At this early stage, it seems to be sort of a high-frequency, low-severity issue—the extortion demands are relatively low, so a lot of times, it likely falls within the retentions,” said Jason Krauss, cyber/E&O thought and product leader for FINEX North America.
Beyond the ransom funds, cyber insurance can help companies manage and recover from a variety of ransomware-related losses. Carriers and brokers have even cited such cases as the best encapsulation of the growing insurance line.
A ransomware event is really the perfect scenario to illustrate the coverages in a standalone cyber insurance policy.
“A ransomware event is really the perfect scenario to illustrate the coverages in a standalone cyber insurance policy: you have, obviously, the extortion demand, the cost to investigate the potential breach, a business interruption situation that could arise, and potential third-party claims,” Krauss said.
These cases may also be broadening the way organizations assess their own cyberrisk exposure, and impacting insurance penetration as WannaCry primarily struck regions with very low take-up rates to date. “Because of the broad nature of the attack and the fact that it spread to so many countries, WannaCry certainly got organizations’ attention,” Snyder said. “Right now, roughly 30% of organizations of all revenue sizes purchase a cyber insurance policy and 90% of those organizations are inside the United States. This attack has changed the dialogue because it’s an example for organizations that may have previously thought about cyber insurance solely as coverage for privacy risk.”
While high-profile attacks prompt companies to assess the different kinds of loss a cyber policy would cover, these ransomware cases are helping firm up answers from insurers as well. As a burgeoning line that continually evolves to catch up with the changing threat landscape, some cyber insurance provisions remain relatively untested. Particularly given the increased potential exposure for insurers, Krauss said the recent widespread attacks have prompted conversations with the market about how every insuring agreement within a cyber policy would respond and how coverage will actually hold up to claims.
Although take-up rates are rising—and the attacks and subsequent losses continue to mount—there are no signs that ransomware claims will significantly impact pricing in the near future.
“The cyber insurance marketplace is becoming much more robust, including a number of new market entrants in both the London and U.S. markets, and it’s become rather competitive,” Snyder said. “Because it’s so competitive, we haven’t seen any type of rate impact arising out of ransomware losses. Right now, we continue to see a flattening of rates and a broadening of coverage in the cyber market, and that really has not changed as a result of the increase in losses.”
Wice agreed the surge in ransomware attacks will likely not impact pricing, but he believes it may help shape the growing cyber insurance market more broadly. “Ransomware is probably going to affect capacity,” he said. “Just like with large breaches in point-of-sale for retailers, just like in the managed care space, just like in the large hospital space, once large losses hit a tower of insurance, insurers take notice. A lot of the players that recently came into the marketplace because they thought there was a growth opportunity…history would dictate that they would leave and capacity would shrink.”
Author: Hilary Tuttle
(Bloomberg) — A new cyberattack similar to WannaCry is spreading from Europe to the U.S., hitting port operators in New York and Rotterdam, disrupting government systems in Kiev, and disabling operations at companies including Rosneft PJSC and advertiser WPP Plc.
More than 80 companies in Russia and Ukraine — and the Chernobyl nuclear plant — were initially affected by the Petya virus that disabled computers Tuesday and told users to pay $300 in cryptocurrency to unlock them. Telecommunications operators and retailers were also affected and the virus is spreading in a similar way to the WannaCry attack in May, Moscow-based cybersecurity company Group-IB said.
Rob Wainwright, executive director at Europol, said the agency is “urgently responding” to reports of the new cyber attack. In a separate statement, Europol said it’s in talks with “member states and key industry partners to establish the full nature of this attack at this time.”
Kremlin-controlled Rosneft, Russia’s largest crude producer, said in a statement that it avoided “serious consequences” from the “hacker attack” by switching to “a backup system for managing production processes.”
U.K. media company WPP’s website is down, and employees have been told to turn off their computers and not use WiFi, according to a person familiar with the matter. Sea Containers, the London building that houses WPP and agencies including Ogilvy & Mather, has been shut down, another person said. “IT systems in several WPP companies have been affected,” the company said in emailed statement.
The hack has quickly spread from Russia and the Ukraine, through Europe and into the U.S. A.P. Moller-Maersk, operator of the world’s largest container line, said its customers can’t use online booking tools and its internal systems are down. The attack is affecting multiple sites and units, which include a major port operator and an oil and gas producer, spokeswoman Concepcion Boo Arias said by phone.
APM Terminals, owned by Maersk, is experiencing system issues at multiple terminals, including the Port of New York and New Jersey, the largest port on the U.S. East Coast, and Rotterdam in The Netherlands, Europe’s largest harbor. APM Terminals at the Port of New York and New Jersey will be closed for the rest of the day “due to the extent of the system impact,” the Port said.
Cie de Saint-Gobain, a French manufacturer, said its systems had also been infected, though a spokeswoman declined to elaborate, and the French national railway system, the SNCF, was also affected, according to Le Parisien. Mondelez International Inc. said it was also experiencing a global IT outage and was looking into the cause. Merck & Co. Inc., based in Kenilworth, New Jersey, reported that its computer network was compromised due to the hack.
New virus called Petya
The strikes follow the global ransomware assault involving the WannaCry virus that affected hundreds of thousands of computers in more than 150 countries as extortionists demanded $300 in Bitcoin from victims. Ransomware attacks have been soaring and the number of such incidents increased by 50% in 2016, according to Verizon Communications Inc.
Analysts at Symantec Corp., have said the new virus, called Petya, uses an exploit called EternalBlue to spread, much like WannaCry. EternalBlue works on vulnerabilities in Microsoft Corp.’s Windows operating system.
The new virus has a fake Microsoft digital signature appended to it and the attack is spreading to many countries, Costin Raiu, director of the global research and analysis team at Moscow-based Kaspersky Lab, said on Twitter.
The attack has hit Ukraine particularly hard. The intrusion is “the biggest in Ukraine’s history,” Anton Gerashchenko, an aide to the Interior Ministry, wrote on Facebook. The goal was “the destabilization of the economic situation and in the civic consciousness of Ukraine,” though it was “disguised as an extortion attempt,” he said.
Kyivenergo, a Ukrainian utility, switched off all computers after the hack, while another power company, Ukrenergo, was also affected, though “not seriously,” the Interfax news service reported.
Ukrainian delivery network Nova Poshta halted service to clients after its network was infected, the company said on Facebook. Ukraine’s Central Bank warned on its website that several banks had been targeted by hackers.