FedEx operating income takes $300M hit after Nyetya

Dive Brief:

FedEx lost a combined $0.81 per diluted share due to the effects of the June 27 cyberattack on TNT express (Nyetya) and Hurricane Harvey, the company reported in its 2018 Q1 earnings release.
The two events contributed to an 11% decline in operating income and 17% decrease in diluted earnings per share (EPS) during the last quarter, compared to the same period last year.
The larger hit, however, came not from the natural disaster but the man-made one. The cyberattack cost the company $0.79 in EPS and an estimated operating income loss of $300 million, according to FedEx Executive Vice President and CFO Alan Graf. The company continues to recover from the attack.

Dive Insight:

Earthquakes in Mexico, Typhoon Hato and Hurricanes Harvey and Irma reminded supply chain managers natural risk always lurks as a threat to business operations worldwide. Yet, FedEx's earnings report reveal man-made risks such as cyberattacks can have a far greater impact on the bottom line.

"The net impact of the cyberattack on Q1 operating income was predominantly lost revenue, much of which dropped to the bottom line due to the fixed cost nature of the TNT Network," Graf said during the earnings call. "Also, we incurred incremental third-party costs related to the recovery effort," and reduced international earnings affected the company's tax rate for the quarter, leading to an estimated total cost of $300 million from the event.

The effects from the cyberattack were more disastrous, then, as a result of a loss of business. Although the attack took place late June, the company is still suffering from side effects or costs. Graf said FedEx had to hire additional staff to recover volumes and protect from service failures, and invest in IT infrastructure enhancements after the attack.

"As we look ahead to the remainder of FY18, we expect to experience ongoing but diminishing financial impacts from the cyberattack in the form of lower revenues and higher investments to further improve and strengthen our IT infrastructure," said Graf.

When compared to Hurricane Harvey, FedEx was far less prepared to respond to a cyberattack. After all, storms come and go each year, allowing companies to gain the resilience tools needed for a speedy recovery. "When the storm hit, we (had) to close down. We opened up right away," sad Raj Subramaniam, executive vice president and chief marketing and communications officer at FedEx. "We had pre-staged materials for our employees and for the communities in advance of the storms. Those things we could do."

However, it is difficult to pre-stage a cyberattack, or even an earthquake, as they come without warning. When such a disaster strikes, the response becomes about mitigating the impact. "Immediately following the attacks, we implemented contingency plans that leveraged our global networks to minimize the impacts to customers, including transporting TNT Express packages with the FedEx Express network," Dave Bronczek, president and COO of FedEx said during the call.

Nyetya may have been the first major cyberattack on FedEx, but the company is not expecting it to be the last. For resilience, a company must learn from risk events and invest in future mitigation strategies. A roadmap for action, laid out by Bronczek, is a temporary fix. But Graf says the company is also looking at insurance options, to help respond more effectively to future attacks, if necessary.

"For a number of years we have examined the cyber insurance market. For a long period of time it was very thin," Graf said. "However, as a result of this attack, of course, we are re-examining where the market is."

"So, as a result of this crisis, we have emerged stronger, said Bronczek. "We remain laser focused on delivering the Purple Promise to our customers, the IT environment and TNT Express is more secure and with operational capabilities near normal and service at pre-crisis levels."