Cyber Insurance Specialist, CFC, Comments on Lessons of Norsk Hydro Cyber Attack

Norsk Hydro, one of the world’s largest aluminum producers, is still struggling to return to full production after a ransomware attack shut down its operations on Monday.

“We are continuing to make progress towards a resolution, but the situation remains serious and we are still dependent on extraordinary measures to run many of our operations,” said CFO Eivind Kallevik, in a statement on the company’s website.

These “extraordinary measures” include running the company’s giant smelters in Norway partly on a manual basis.

The company’s Extruded Solutions business area, the operation that transforms aluminum ingots into car components and building products, to name a few, continues to run at approximately 50 percent of normal capacity, which is unchanged from yesterday (March 21), said the company.

The root causes of the cyber attack have been “detected and a cure has been identified, allowing Hydro’s experts to work on reverting infected systems back to a pre-infected state,” said the company.

In its March 19 comments, a day after the attack began, Hydro revealed it has cyber insurance.

Graeme Newman, chief innovation officer at CFC Underwriting, a London-based cyber liability specialist, commented on the Hydro cyber attack and the possible lessons learned for other insurance buyers.

“The long-term implications of the cyber-attack on Norsk Hydro will depend on whether it affected solely the corporate network or industrial control systems too. If the former, the initial investigation and remediation costs could potentially run into the millions,” said Newman in an emailed statement.

“The company will also likely be hit with lost production value (which, based on their gross profit could equate to more than $5 million per day),” he added. “If ransomware has infected Hydro’s industrial control systems, the consequences could be severe. For example, if aluminum smelting pots freeze they can be out of action for almost two years.”

While cyber insurance is designed to cover this form of attack and help ensure the impact on business operations is limited, a company that has bought only a traditional property insurance policy would likely find this type of event excluded from coverage, which could create “devastating” losses, Newman continued.