Client Alert: Norsk Hydro ASA data breach

One of the world’s largest aluminium producers, Norwegian firm Norsk Hydro ASA (Hydro), reported on 19 March 2019 that their business was experiencing an extensive cyber-attack that had impacted IT systems in most of the company’s divisions. According to company CFO Eivind Kallevik, Norsk  established that the attack originated from ransomware that entered its network. The Norwegian National Security Authority confirmed the ransomware in question is LockerGoga¹, a relatively new strain of ransomware, which encrypts computer files and demands payment to unlock them.  

Immediate steps taken

Hydro is actively working to restore its operations, but in an official statement the company confirmed that they were not yet aware of the full impact of the attack². Photos have surfaced on the internet of signs posted at Hydro’s offices, advising employees not to connect any devices to the network³.

In a bid to prevent any further spread of the virus, Norwegian broadcaster NRK reported that Norway’s National Cyber Security Centre (NorCERT) had sent out warnings to all major Norwegian companies informing them of the attack.   

NorCERT’s notification advised that the ransomware attack on Norsk, which is 34 percent owned by the state, was also combined with an attack against its active directory containing user database information. NorCERT has called for information from any other organisations hit by similar attacks as it continues to assist Norsk in conjunction with Norway’s national security authority NSM4.

Official statements from Norsk advise that the company will restore systems using back-up data, and that it has not made contact with the perpetrators. To date no specific ransom demands have been made⁵ and it is understood that Norsk does purchase Cyber insurance.⁶

Cyber Insurance Response

The attack is the latest to hit the primary metals and commodities sectors, where disruptions to technology networks can quickly cascade down the supply chain and cause significant financial losses that stem from interruption to business operations.

An insurance policy can provide invaluable immediate assistance in the event of a ransomware attack, bringing in specialist vendors to work in conjunction with an insured’s IT, risk, legal and executive teams. While it should not act as the primary solution for managing a company’s exposure to cyber-attacks, the provision of response and recovery costs through insurance plays an important role in the overall risk management and disaster recovery protocols of a business.

Organisations at the start of a supply chain face a specific range of cyber and operational risks that can result in significant economic loss to a company. AI and machine learning, supply chain interconnectedness, Industrial Control and Supervisory Control and Data Acquisition (SCADA) systems are critical elements in the digital transformation of businesses in industrial sectors. However they also bring with them increasing reliance on technology and vulnerability to cyber-attacks.

Cyber insurance has evolved from a largely privacy-breach driven product to a broad solution for companies of any size that addresses key business interruption risks. Items covered by stand-alone Cyber insurance can include:

• Financial loss caused by operational disruption, voluntary shutdown or supply chain interruption following a cyber-attack
• Payment of ransom demands made by malicious external actors
• IT forensic costs to isolate, assess and remove the cause of a cyber breach
• Costs incurred to recreate and/or restore data and protect confidential information
• Legal costs and damages from liability claims due to network security failure.

Ransomware and other cyber threats will increase in frequency and sophistication. To meet these evolving risks, organisations require a comprehensive cyber risk management strategy that includes a strong understanding of risk exposures, optimised cybersecurity and risk transfer through cyber insurance programs, to ensure a quick, effective response and a timely return to normal operations.

_{1 https://www.helpnetsecurity.com/2019/03/20/norsk-hydro-cyber-attack/
2 https://www.newsinenglish.no/2019/03/19/hackers-hold-norsk-hydro-for-ransom/
3 https://www.bloomberg.com/news/articles/2019-03-19/norsk-hydro-ransomware-attack-is-severe-but-all-too-common
4 https://www.bloomberg.com/news/articles/2019-03-19/hydro-says-victim-of-extensive-cyber-attack-impacting-operations-jtfgz6td
5 https://newsweb.oslobors.no/message/472389
6 https://techcrunch.com/2019/03/19/norsk-hydro-ransomware/}