author photo
By Bruce Sussman
Thu | Mar 21, 2019 | 9:19 AM PDT

It was a bit of a surprise for us as we connected to a cyber attack update from global power and aluminum giant Norsk Hydro.

It was the company's Chief Financial Officer—not the CIO, CISO, or CEO—giving the update on this week's ransomware attack. The attack stopped some operations and required a global IT system shutdown.

It's an interesting strategy to consider for publicly-held organizations, especially because there were questions about the material impact of the attack from analysts who joined the press conference as well.

However, CFO Eivind Kallevic also discussed all sides of the ransomware attack, with a short slide deck and a split-screen webcast with reporter Q&A. This is how it looked:

ransomware-webcast-update

So what did we learn about this ransomware attack from Norsk Hydro's CFO? At least five key things:

  1. The incident was significant in impact: "Yesterday was hectic day for all of us at Hydro, with considerable uncertainty across our global organization. An enormous collective effort has been carried out."
  2. The company had backups that worked: "No ransom has been paid. Restoring data from backup systems."
  3. Some operations remain shut down: "There are limited stoppages in the US and EU in extrusion services... some systems remain unavailable"
  4. Unknowns continue: "We don't have a timeline to restore and stabilize all systems but we are pleased to report progress. It is too early to estimate any operational or financial impact of this attack."
  5. Yes, the impacts of the ransomware attack are insured: "We do have a good and strong cyber insurance policy in place with reputable international insurance firms, and they do cover business interruption, as such."

Just as interesting are the questions he refused to answer: how did attackers get in, and how long were they in the system before the attack?; which cybersecurity vendors did the company use prior to the attack, and which vendors is it using now?; is there anything that would suggest who is behind the attack?

Personality should direct who leads incident response

Beyond who your spokesperson is in cyber incident response, the leader of your incident response behind the scenes should be carefully chosen.

And it is key to consider that person's personality.

We learned about this from our conversation with nationally-recognized cyber lawyer Shawn Tuma, who will keynote SecureWorld Houston on April 18th. Watch him explain what he has seen in his client work:

He says you need someone who is both decisive and level-headed.

"When you have that kind of person, you give yourself your best chance of having a sensible, coordinated response that does the things you need to do in the time period you need to do them in," says Tuma.

Comments