Cyber incidents are an unfortunate common occurrence in today’s marketplace and can negatively impact a company’s bottom line. A recent cyber incident shows just how quickly that can happen. In January 2016, there were a number of reports concerning a cyber incident at FACC AG, an Austrian airplane component maker, that resulted in damages exceeding $50 million. Specifically, it appears FACC AG’s accounting department fell prey to a Business E-mail Compromise (BEC) scam.
The BEC scam targets businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. FACC AG moved quickly and by January 20, 2016, had already provided the following information related to the incident on its website:
On January 19, 2016, FACC AG announced that it became a victim of fraudulent activities involving communication- an information technologies. To the current state of the forensic and criminal investigations, the financial accounting department of FACC Operations GmbH was the target of cyber fraud. FACC’s IT infrastructure, data security, IP rights as well as the operational business of the group are not affected by the criminal activities. The damage is an outflow of approx. EUR 50 mio of liquid funds.
A few weeks later FACC AG’s quarterly financial report for Q3 addressed its loss related to this scam as follows:
…The management board has taken immediate structural measures and is evaluating damages and insurance claims. All production- and engineering units operate in an unaffected and normal way. An economic threat to company concerning liquidity does not exist. The management board will decide on further actions after the outcome of the forensic investigations is available.
Since the fraud, FACC AG’s share price has reportedly fallen nearly 17% in response to news that it fell victim to a BEC scam.
While it may have been too late to save FACC AG, on January 22, 2016, the FBI issued a Public Service Announcement describing BEC scams in greater detail and provided suggestions to protect against these scams. Additionally, the FBI PSA provided a number of suggestions to limit information used in these scams including avoiding free web-based e-mail, monitoring social media and company websites, and to be aware of any business contacts making sudden changes in their business practices.
This incident at FACC AG demonstrates that cyber security and cyber insurance are necessities rather than luxuries. The value of cyber security and insurance will become better understood as we see more examples of cyber incidents having an immediate negative impact on the value of a company. Further, it still remains to be seen what impact this incident will have on FACC AG’s relationship with its customers.