The fallout from the June outbreak of the NotPetya/ExPetr wiper malware continues, with Merck’s newly released Q2 financial filings highlighting the damages that malware infections and similar incidents can have on businesses’ operations and bottom lines.
News that Merck was hit in the June 2017 outbreak of the NotPetya malware broke on June 27 after employees discovered ransom notes on their computers and were unable to access files. Other companies impacted by the outbreak included FedEx/TNT Express, advertising and communications firm WPP, and law firm DLA Piper. The extent of the damage done by NotPetya wasn’t clear at the time, but the firm’s Q2 financial report offers some more details on the impact of the attack.
“On June 27, 2017, the company experienced a network cyber-attack that led to a disruption of its worldwide operations, including manufacturing, research and sales operations. While the company does not yet know the magnitude of the impact of the disruption, which remains ongoing in certain operations, it continues to work to minimize the effects.” the statement reads.
While it doesn’t offer a hard figure for the impact to Merck’s bottom line, the report goes on to detail the extent of the disruptions the incident caused across multiple business units:
“The company is in the process of restoring its manufacturing operations. To date, Merck has largely restored its packaging operations and has partially restored its formulation operations. The company is in the process of restoring its Active Pharmaceutical Ingredient operations but is not yet producing bulk product… The company is confident in the continuous supply of key products such as KEYTRUDA, JANUVIA and ZEPATIER. In addition, Merck does not currently expect a significant impact to sales of its other top products; however, the company anticipates that it will have temporary delays in fulfilling orders for certain other products in certain markets.”
This disclosure takes the top position in the report’s Financial Outlook section, which includes updated projections for Merck’s full-year financial performance based on “the current state of the company’s manufacturing operations as well as its plans to restore those operations and potential costs associated with the remediation efforts.”
The company doesn’t offer any estimation of what its final restoration and remediation costs will be, but the incident is expected to have a material impact for shareholders, as full-year 2017 GAAP earnings per share projections have been reduced to $1.60-1.72 from their Q1 projections of $2.51-2.63.
Merck is just the latest in a string of major, global companies feeling the impact of malware infections and other cybersecurity incidents. FedEx was forced to briefly freeze trading of its shares when its TNT Express subsidiary was crippled by NotPetya, and the company went on to say the incident “significantly affected” its worldwide operations in an SEC filing from July 5. Prior to the NotPetya outbreak, Honda had to stop production for a day at a factory in Japan after being infected with the WannaCry ransomware.
While the details around these incidents often take months or years to fully surface, one thing is for certain: these incidents are hitting companies’ bottom lines in ways that are getting harder to ignore.
