By Bruce Sussman
Mon | May 11, 2020 | 9:32 AM PDT

Talk about kicking a company when it's down.

First, the coronavirus pandemic cuts into profits.

Then, a ransomware attack adds tens of millions in financial damage to your company.

And finally, the attack hits you where it really hurts: your rollout of work-from-home for the team.

This is Cognizant's story, revealed during its most recent earnings call.

The world's largest IT managed services firm confirmed in mid-April that hackers were hitting it with a Maze ransomware attack.

And now, CEO Brian Humphries is telling analysts the attack's timing was part of a perfect storm.

"Not only were we dealing with COVID, but then we had a ransomware attack that encrypted our servers, which actually took out some of the work-from-home capabilities that we had enabled in the prior weeks and also slowed our ability to enable further work-from-home because of some of the systems and tools we would have used to automate and provision laptops were no longer functioning.

So we had a perfect storm in which we still had costs without revenue."

Part of that cost-without-revenue picture, he says, involved clients rapidly revoking Cognizant's access to their systems until the ransomware attack was contained and certain conditions were met.

Containment is achieved, the company says, but it is still working on related client concerns.

Cognizant ransomware attack: at least a $50 million earnings impact

On the earnings call, Cognizant CFO Karen Anne McLoughlin spelled out the financial impact of the Maze ransomware attack:

"As a result of this ransomware attack, our Q2 revenue and margins will both be negatively impacted. While we anticipate that the revenue impact related to this issue will be largely resolved by the middle of the quarter, we do anticipate the revenue and corresponding margin impact to be in the range of $50 million to $70 million for the quarter."

And while that's the biggest financial hit, there is likely more to come:

"Additionally, we expect to incur certain legal, consulting, and other costs associated with the investigation, service restoration, and remediation of the breach. While we have restored the majority of our services and we are moving quickly to complete the investigation, it is likely that costs related to the ransomware attack will continue to negatively impact our financial results beyond Q2."

What happened in the Cognizant ransomware attack?

Humphries shared additional thoughts on the ransomware attack during the call, which give us some new insights into this cyber incident:

"The attack encrypted some of our internal systems, effectively disabling them, and we proactively took other systems offline. This disruption included both select systems supporting our work-from-home enablement, such as VDI (desktop virtualization) and the provisioning of laptops that had been expected to further increase our work-from-home capabilities in April.

Second, in the wake of the ransomware attack, some clients opted to suspend our access to their networks. Billing was therefore impacted for a period of time, yet the cost of stopping these projects remained on our books."

What was Cognizant's ransomware response?

Cognizant's CEO laid out a wide-ranging response to the ransomware attack, which he says focused on transparency with clients. This included calls with clients and the security team and sharing the Indicators of Compromise (IOCs) uncovered during the ransomware attack:

"We responded immediately by mobilizing our entire leadership team, drawing on the expertise of our IT and security teams, and bringing in leading cybersecurity experts to help us investigate and respond to the attack. We also contacted appropriate law enforcement agencies.

From the start, we decided to communicate rightly and transparently with our clients. In addition to hundreds of individual client calls conducted by our security organization, cybersecurity experts, and our executive team, we held two client conference calls in April.

Retaining client trust is of paramount importance, so we erred on the side of over-communicating the details of what we knew and how are we working to contain and mitigate this incident.

We proactively provided clients with indicators of compromise for so-called IoCs, namely forensic data that companies can use to identify potentially malicious activity and defend against attacks from external actors. Earlier this week, in our third conference call with clients, we confirmed the containment of the ransomware attack."

What are ongoing impacts from the Maze ransomware attack?

"Along with the containment of the ransomware attack, we have meaningfully progressed in addressing the concerns of clients that had suspended our access to their networks. We expect to substantially complete this by the end of the month.

We expect the vast majority of revenue and margin impact from the ransomware impact to be in the second quarter. However, ongoing remediation cost will ensue through subsequent quarters."

How is cybersecurity changing at Cognizant due to the ransomware?

"Ransomware attacks are becoming all too frequent across industries. We're using this experience as an opportunity to refresh and strengthen our approach to security.

We're already applying what we've learned to further harden and strengthen our security environments, and we are further leveraging our external security experts to help inform and guide our long term security strategy. Cybersecurity will continue to be a top priority for us in the years ahead."

And if you're wondering how Humphries would rate the organization's response to the cyber attack, this statement sums it up:

"Nobody wants to be dealt with a ransomware attack. I personally don't believe anybody is truly impervious to it, but the difference is how you manage it. And we tried to manage it professionally and maturely."