I discovered an article on Databreachtoday.com that immediately grabbed my attention: “The Financial Fallout of Data Breaches”. I’ve researched the costs of breaches recently, but most estimates seem to offer an average cost perspective on breaches. The databreachtoday.com article was different because it gave a specific cost that a large corporation with local presence incurred because of the NotPetya ransomware attacks in 2017. That company is Merck Pharmaceuticals.
It’s important to understand that notwithstanding the reputational cost associated with the attack itself, Merck also incurred losses related to IT infrastructure, drug sales, drug manufacturing and research, and drug inventories. But it doesn’t stop there. There are additional legal and regulatory costs after the Federal and State governments investigate and assess fines in the future. Then there are costs, to be determined later, resulting from lawsuits from other companies or people harmed by Merck because of the breach.
I apologize for copying and pasting the relevant section from Merck’s recent Annual Report, but it’s so succinct in its legalese explanation of how much the attack cost the company.
Merck’s Annual Report, form 10K, revealed that: “On June 27, 2017, the Company experienced a network cyber-attack that led to a disruption of its worldwide operations, including manufacturing, research and sales operations. All of the Company’s manufacturing sites are now operational, manufacturing active pharmaceutical ingredient (API), formulating, packaging and shipping product. The Company’s external manufacturing was not impacted. Throughout this time, Merck continued to fulfill orders and ship product. Due to the cyber-attack, as anticipated, the Company was unable to fulfill orders for certain products in certain markets, which had an unfavorable effect on sales in 2017 of approximately $260 million. In addition, the Company recorded manufacturing-related expenses, primarily unfavorable manufacturing variances, in Materials and Production costs, as well as expenses related to remediation efforts in Marketing and Administrative expenses and Research and Development expenses, which aggregated $285 million in 2017, net of insurance recoveries of approximately $45 million. Due to a residual backlog of orders, the Company anticipates that in 2018 sales will be unfavorably affected in certain markets by approximately $200 million from the cyber-attack. Merck does not expect a significant impairment to the value of intangible assets related to marketed products or inventories as a result of the cyber-attack”
Lastly, Merck indicated that it is engaging in an ‘enterprise wide’ effort to improve its resiliency against future attacks and improve the speed at which it can recover in the future. That cost will likely be detailed in next year’s Annual Report.
My math puts the cost at $745M and still counting.