Liberty Street Economics

« | Main | »

June 22, 2021

Cyberattacks and Supply Chain Disruptions

Cyberattacks and Supply Chain Disruptions

Cybercrime is one of the most pressing concerns for firms. Hackers perpetrate frequent but isolated ransomware attacks mostly for financial gains, while state-actors use more sophisticated techniques to obtain strategic information such as intellectual property and, in more extreme cases, to disrupt the operations of critical organizations. Thus, they can damage firms’ productive capacity, thereby potentially affecting their customers and suppliers. In this post, which is based on a related Staff Report, we study a particularly severe cyberattack that inadvertently spread beyond its original target and disrupted the operations of several firms around the world. More recent examples of disruptive cyberattacks include the ransomware attacks on Colonial Pipeline, the largest pipeline system for refined oil products in the United States, and JBS, a global beef processing company. In both cases, operations halted for several days, causing protracted supply chain bottlenecks.

The Worst Cyberattack Ever

We examine the impact of the most damaging cyberattack in history, which caused an estimated $10 billion in damages. Named NotPetya, it was released on June 27, 2017 and targeted Ukrainian organizations in an effort by Russian military intelligence to cripple critical Ukrainian infrastructure. Even though NotPetya looked at first like a ransomware attack, its true intent was not the financial gains from ransom payments. Instead, NotPetya was designed to encrypt and paralyze the computer networks of Ukrainian banks, firms, and government.

The initial vector of infection was a software that the Ukrainian government required all vendors in the country to use for tax reporting purposes. When this software was hacked and the malware released, it spread across different entities, including a few large global firms through their Ukrainian subsidiaries. For instance, the shipping company Maersk had its operations grind to a halt, creating chaos at ports around the globe. A FedEx subsidiary was also affected, becoming unable to take and process orders. Manufacturing, research, and sales were halted at the pharmaceutical giant Merck, making it unable to supply vaccines to the Center for Disease Control and Prevention (CDC). Several other large companies (e.g., Mondelez, Reckitt Benckiser, Nuance, Beiersdorf) had their servers taken down and could not carry out essential activities. The maps below show the geographical locations of affected customers and suppliers of the firms directly hit by the cyberattack. The maps suggest the possibility that the cyberattack could affect multiple firms through supply chain relationships.


Cyberattacks and Supply Chain Disruptions


Cyberattacks and Supply Chain Disruptions

Propagation of the Cyberattack

To study the propagation of the cyberattack through firms’ supply chains, we compare the change in profitability of affected customers before and after the cyberattack to the change in profitability of similar firms that do not have supply linkages to the directly hit firms. The difference between these two changes can be then attributed to the supply chain disruptions caused by the cyberattack.

We find that the NotPetya cyberattack was propagated downstream to customers but not upstream to suppliers. Relative to otherwise similar firms, affected customers display a drop in profitability of 1.3 percentage points after the cyberattack. Interestingly, supply chain vulnerabilities play a role in determining the magnitude of the effect. This can happen in two ways. As firms need several intermediate inputs and services for their production, they become more vulnerable to sudden interruptions if they cannot easily replace the supplier that is hit by a shock. Indeed, affected customers that rely on fewer alternative suppliers in the same industry of the directly hit supplier display larger drops in profitability. In addition, customers of directly hit firms that produce more R&D-intensive products are more affected since these R&D inputs are harder to replace from substitute suppliers. We find that these customers also incur larger drops in revenues and profitability.

Liquidity Risk Management

To cope with the effect of the shock, affected customers use both internal and external liquidity. Specifically, they reduce their liquidity ratio—a measure of the internal liquidity of the firm, and defined as current assets minus inventories divided by current liabilities. In addition, affected customers increase their use of external funding, mostly by drawing down pre-existing credit lines with banks. However, this comes at a cost since banks subsequently consider the affected customers to be riskier and therefore charge them higher rates. Thanks to their access to internal and external financing, affected customers navigate the shock without cutting their investment or employment.

Endogenous Network Response

The NotPetya cyberattack exposed the possibility of protracted business interruptions and served as a wake-up call for affected customers. Accordingly, we find that affected customers are more likely to form new relations with alternative suppliers after the shock—that is, other suppliers in the same industry where the directly hit firms are located. Over time, they are also more likely to terminate the supply relation with the directly hit supplier.

Takeaways

As cybercrime becomes a greater source of risk for corporations and governments, it is of utmost importance to study the potential effects of severe cyberattacks. In this post, we show that certain malicious cyberattacks designed to paralyze IT infrastructures can have devastating effects not only on the directly hit firms, but also on other firms through supply chain linkages. In doing so, we document the advantages of well diversified supply chains with several alternative suppliers. We also point out the role of bank credit in enabling affected customers to absorb the shock. Importantly, in this specific event, banks were not hit by the NotPetya cyberattack and could provide credit to firms. A potentially more devastating scenario could have occurred had banks been hit as well, potentially making them unwilling or unable to provide additional credit.

Matteo CrosignaniMatteo Crosignani is an economist in the Federal Reserve Bank of New York’s Research and Statistics Group.

Marco MacchiavelliMarco Macchiavelli is a senior economist at the Board of Governors of the Federal Reserve System.

André F. SilvaAndré F. Silva is an economist at the Board of Governors of the Federal Reserve System.

How to cite this post:
Matteo Crosignani, Marco Macchiavelli, and André F. Silva, “Cyberattacks and Supply Chain Disruptions,” Federal Reserve Bank of New York Liberty Street Economics, June 22, 2021, https://libertystreeteconomics.newyorkfed.org/2021/06/cyberattacks-and-supply-chain-disruptions.html.

Related Reading
Pirates without Borders: The Propagation of Cyberattacks through Firms’ Supply Chains (Staff Report)


Disclaimer
The views expressed in this post are those of the authors and do not necessarily reflect the position of the Federal Reserve Bank of New York or the Federal Reserve System. Any errors or omissions are the responsibility of the authors.

About the Blog

Liberty Street Economics features insight and analysis from New York Fed economists working at the intersection of research and policy. Launched in 2011, the blog takes its name from the Bank’s headquarters at 33 Liberty Street in Manhattan’s Financial District.

The editors are Michael Fleming, Andrew Haughwout, Thomas Klitgaard, and Asani Sarkar, all economists in the Bank’s Research Group.

Liberty Street Economics does not publish new posts during the blackout periods surrounding Federal Open Market Committee meetings.

The views expressed are those of the authors, and do not necessarily reflect the position of the New York Fed or the Federal Reserve System.

Economic Research Tracker

Liberty Street Economics is now available on the iPhone® and iPad® and can be customized by economic research topic or economist.

Comment Guidelines

We encourage your comments and queries on our posts and will publish them (below the post) subject to the following guidelines:

Please be brief: Comments are limited to 1500 characters.

Please be quick: Comments submitted after COB on Friday will not be published until Monday morning.

Please be aware: Comments submitted shortly before or during the FOMC blackout may not be published until after the blackout.

Please be on-topic and patient: Comments are moderated and will not appear until they have been reviewed to ensure that they are substantive and clearly related to the topic of the post. We reserve the right not to post any comment, and will not post comments that are abusive, harassing, obscene, or commercial in nature. No notice will be given regarding whether a submission will or will not be posted.‎

Send Us Feedback

Disclosure Policy

The LSE editors ask authors submitting a post to the blog to confirm that they have no conflicts of interest as defined by the American Economic Association in its Disclosure Policy. If an author has sources of financial support or other interests that could be perceived as influencing the research presented in the post, we disclose that fact in a statement prepared by the author and appended to the author information at the end of the post. If the author has no such interests to disclose, no statement is provided. Note, however, that we do indicate in all cases if a data vendor or other party has a right to review a post.

Archives