Wednesday, February 28, 2018

What Russian State Actors' Hacking Hath Wrought: Merck's Overnight SEC Form 10-K Disclosures


I must admit -- it is extremely unfortunate that our own federal actors have not been formally tasked by 45 -- to do anything about this attack.

Official British intel has absolutely confirmed it was state sponsored. Kenilworth was merely "collateral damage" -- in a very costly (but ultimately immaterial) way -- due to Merck's size, flexibility (in alternate sourcing logistics) and global reach. Here's the bit -- do go read it all (beginning on page 24 and running through page 25):

. . . . The Company is increasingly dependent on sophisticated software applications and computing infrastructure.

In 2017, the Company experienced a network cyber-attack that led to a disruption of its worldwide operations, including manufacturing, research and sales operations. The Company could be a target of future cyber-attacks. The Company is increasingly dependent on sophisticated software applications and complex information technology systems and computing infrastructure (collectively, “IT systems”) to conduct critical operations. Disruption, degradation, or manipulation of these IT systems through intentional or accidental means could impact key business processes. Cyber-attacks against the Company’s IT systems could result in exposure of confidential information, the modification of critical data, and/or the failure of critical operations. Misuse of these IT systems could result in the disclosure of sensitive personal information or the theft of trade secrets, intellectual property, or other confidential business information. The Company continues to leverage new and innovative technologies across the enterprise to improve the efficacy and efficiency of its business processes; the use of which can create new risks.

On June 27, 2017, the Company experienced a network cyber-attack that led to a disruption of its worldwide operations, including manufacturing, research and sales operations. All of the Company’s manufacturing sites are now operational, manufacturing active pharmaceutical ingredient (API), formulating, packaging and shipping product. The Company’s external manufacturing was not impacted. Throughout this time, Merck continued to fulfill orders and ship product.

Due to the cyber-attack, as anticipated, the Company was unable to fulfill orders for certain products in certain markets, which had an unfavorable effect on sales in 2017 of approximately $260 million. In addition, the Company recorded manufacturing-related expenses, primarily unfavorable manufacturing variances, in Materials and Production costs, as well as expenses related to remediation efforts in Marketing and Administrative expenses and Research and Development expenses, which aggregated $285 million in 2017, net of insurance recoveries of approximately $45 million. Due to a residual backlog of orders, the Company anticipates that in 2018 sales will be unfavorably affected in certain markets by approximately $200 million from the cyber-attack. Merck does not expect a significant impairment to the value of intangible assets related to marketed products or inventories as a result of the cyber-attack.

The Company has insurance coverage insuring against costs resulting from cyber-attacks and has received proceeds. However, there may be disputes with the insurers about the availability of the insurance coverage for claims related to this incident. Additionally, the temporary production shut-down from the cyber-attack contributed to the Company’s inability to meet higher than expected demand for Gardasil 9, which resulted in Merck’s decision to borrow doses of Gardasil 9 from the U.S. Centers for Disease Control and Prevention Pediatric Vaccine Stockpile. The Company subsequently replenished a portion of the borrowed doses in 2017. The net effect of the borrowing and subsequent partial replenishment was a reduction in sales of $125 million in 2017. The Company anticipates it will replenish the remaining borrowed doses in the second half of 2018.

The Company has implemented a variety of measures to further enhance its systems to guard against similar attacks in the future, and also is pursuing an enterprise-wide effort to enhance the Company's resiliency against future cyber-attacks, including incidents similar to the June 2017 attack. The objective of these efforts is not only to protect against future cyber-attacks, but also to improve the speed of the Company’s recovery from such attacks and enable continued business operations to the greatest extent possible during any recovery period.

Although the aggregate impact of cyber-attacks and network disruptions, including the June 2017 cyber-attack, on the Company’s operations and financial condition has not been material to date, the Company continues to be a target of events of this nature and expects them to continue. The Company monitors its data, information technology and personnel usage of Company IT systems to reduce these risks and continues to do so on an ongoing basis for any current or potential threats. There can be no assurance that the Company’s efforts to protect its data and IT systems will be successful in preventing disruptions to its operations, including its manufacturing, research and sales operations. Any such disruption could result in loss of revenue, or the loss of critical or sensitive information from the Company’s or the Company’s third party providers’ databases or IT systems and could also result in financial, legal, business or reputational harm to the Company and potentially substantial remediation costs. . . .


Gee -- thanks, 45. Those are your pals, and influencers, at work. To this date, you have yet to direct the Secretary of Homeland Security to do anything -- about state actors, and state-sponsored cyber attacks emanating out of Russia (cough! Vlad). That is. . . deplorable, regardless of party affiliations.

As ever. . . onward. It is clouding up here now, but quite warm and humid, for February, at over 60 degrees (above even the rainy Music City) -- at the lunch hour -- so out. . . for a walk-about I go! Grin -- food trucks?

Namaste
