Insurance Pays Out a Sliver of Norsk Hydro’s Cyberattack Damages | Threatpost

On the heels of a severe cyberattack, aluminum giant Norsk Hydro has received only $3.6 million in cyber-insurance compensation – just a fraction of the total cost of the damage.

Overall, the Oslo, Norway-based company incurred between $60 million and $71 million in damages from the incident, which forced it to shut down or isolate several plants and send several more into manual mode. While Norsk Hydro said it expects further compensation from its lead cyber-insurer, AIG, the payment received so far covers only 6 percent of the total damages.

“The cyberattack on Hydro on March 19 affected the entire global organization, with Extruded Solutions having suffered the most significant operational challenges and financial losses,” according to Norsk Hydro’s 2019 third-quarter report. “The financial impact of the cyberattack is estimated to around NOK 550-650 million [$60 to 70 million USD] in the first half year with limited financial effects for the third quarter. Hydro has a robust cyber-insurance in place with recognized insurers. Hydro has recognized NOK 33 million [$3.6 million USD] insurance compensation in the third quarter.”

Extruded Solutions is the company’s business segment that transforms aluminum alloy into objects “with a definitive cross-sectional profile for a wide range of uses” (making the most of aluminum’s physical characteristics). The segment has 22,236 employees and 140 production sites worldwide, representing a large chunk of the company’s overall business, which employs 35,000 people total in up to 40 countries.

The cyberattack, first detected by the company’s IT experts in March, left the aluminum producer struggling to maintain operations. At the time, the company said that IT systems in most business areas were impacted, including the digital systems at its smelting plants (used to produce a base metal from its ore): Norsk Hydro switched to manual operations for those, including several in Norway, Qatar and Brazil. The company also had to shut down several metal extrusion (a type of metal forming process) plants.

On Wednesday, the company told Threatpost that the estimated damage costs stem from lost revenue, plus the hardware and consultancy costs of mitigating and recovering from the attack. At this time, the company’s operations are fully functional, it said.

The incident sheds light on the state of the still-nascent cyber-insurance market. Cyber-insurance has drawn concerns about how it will change the overall security landscape — for instance, some have wondered if companies could slack on proactive security measures if they have a fallback buffer of cyber-insurance.

When Lake City, Fla., was hit by ransomware, for instance, the city ended up paying, and the incident was covered in part by its cyber-insurance provider.

Trent Cooksley, COO at Cowbell Cyber, told Threatpost that cyber-risks should be measured on a continuous basis – and coverage defined at a more granular level – in order to close today’s insurability gaps.

“Cyber-insurance is still a nascent market, and every policy aspect is being tested (coverage definition, premiums, limits and sublimits, and more) as more enterprises adopt insurance to help mitigate incident-related losses,” he told Threatpost. “Silent cyber and coverage obtained as an endorsement to a general commercial liability policy or E&O [Errors and Omission] is often not enough. There are obvious disambiguation benefits to policyholders and insurance providers to evolve to a model where enterprises can subscribe to a ‘true’ cyber-liability policy.”
