Eurofins struggles with cyber-attack

Eurofins reported a cyber-attack on its IT systems a few days back. The recovery work is ongoing and no unauthorised theft or loss of confidential client data has been reported to date. Although there is no clarity on the financial impact so far, management has alluded to it being ‘material’. We attempt to estimate this loss in a scenario-based model, but conclude that the share price correction was an overreaction.

On 3 June 2019, Eurofins Scientific reported an attack by some ransomware on its IT systems (on 1 and 2 June), thereby disrupting its operations. In the subsequent press release on 10 June 2019, it said that no evidence of any unauthorised theft or transfer of confidential client data was noted to date. The investigation is still ongoing and, since many of the affected IT systems or subsidiaries are yet to resume operations fully, the company guided that the total financial impact may be material. It expects to share the details in its H1 FY19 results publication in August.

We attempt to estimate the financial impact (which, we expect, mainly to be one-off in nature), considering the best and worst case scenarios. Our total net cost estimate (revenue loss + data-breach fine + security systems enhancement costs – insurance reimbursements) comes out to be €4-163m. Note that these estimates involve a lot of assumptions and should be viewed in the light of very limited available information on the matter.

Revenue loss:

• Eurofins’ statements:
  – ‘Eurofins Scientific was affected by a ransomware attack which caused disruption to many of its IT systems in several countries.’
  – ‘One week after the attack, substantial progress has been made to put our systems back on line and we continue to put all our efforts to get things back to normal as soon as possible.’
• Our calculation:
  – Per day sales in FY19 (estimated): €12.3m (€4.5bn/365)
  – Percentage of revenue being impacted: 5% (best case); 15% (worst case)
  – Disruption days: 15-20 (12 days have already passed since the incident)
• Estimated FY19 revenue loss:
  – Best case: c.€10m (€12.3m X 5% X 15 days)
  – Worst case: c.€37m (€12.3m X 15% X 20 days)

Data-breach fine in Europe:

• Eurofins’ statement:
  – ‘The investigations conducted so far by our internal and external IT forensics experts have not found evidence of any unauthorised theft or transfer of confidential client data.’
• Estimated fine/penalty:
  – Best case: no penalty, if no data-breach is concluded
  – Worst case: GDPR regulation is likely to come into picture in the case of a data-breach: there will be two levels of fines based on the GDPR: 1) up to €10m or 2% of the company’s global annual turnover of the previous financial year, whichever is higher; and 2) up to €20m or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. Source: https://www.gdpr.associates/data-breach-penalties/
  – c.€75m (2% of FY18 global turnover of €3.78bn)
  – c.€150m (4% of FY18 global turnover of €3.78bn)

Security systems enhancement cost:

• Eurofins’ statement:
  – ‘Additional security tools we are deploying since then as well as the world class cyber security experts who are supporting us are and will be providing additional protection and monitoring. We are continuing to work intensively with leading cybersecurity experts to further secure our current systems and infrastructure and to add enhanced security features and measures to protect our systems and data.’
• Our calculation:
  – Eurofins capitalises over €40m annually for software development cost (FY18: €42m, FY17: €44m).
• Estimated additional capex requirement:
  – Best case: c.€2m (5% of total annual software development cost)
  – Worst case: c.€6m (15% of total annual software development cost)

In addition to the above-mentioned costs, we believe Eurofins might face reputational damage, impacting clients’ confidence in its ability to protect their personal and confidential information and, consequently, costing it some customers. The most impacted product/service line would, probably, be the company’s Cyber Security Solutions. Moreover, if a data-breach is reported, it might have to pay for settling some lawsuits. However, we have not yet factored in these two elements in our calculation.

Cyber insurance reimbursement:

• Eurofins’ statement:
  – ‘The impact of this attack on our financial results may unfortunately be material but, at this point, it is still too early to evaluate the net potential financial impact of this incident on our operations as well as the proportion of revenue losses that will be mitigated by reimbursement from our insurers.’
• Our calculation:
  – Our interpretation from the company’s statement is that only revenue loss is covered by insurance (fine and other costs are excluded).
• Estimated reimbursement: assumed 80% recovery
  – Best case: c.€8m (80% of €10m revenue loss)
  – Worst case: c.€30m (80% of €37m revenue loss)

Moreover, it is also possible that Eurofins would be able to recover partially/fully the lost sales (due to the disruption) over the next few days through additional shifts and weekend work. This is not factored in our calculations

Post the announcement, Eurofins’ share price collapsed by c.13%, wiping out c.€1bn from the market cap over the span of a few days. We also note that, although the direct financial impact would be one-off, a bigger/longer impact could emanate from the loss of trust amongst the customers. Even then, however, we see the market reaction as over-done, opening up a good entry opportunity. We wait for some more clarity in terms of impact, before revisiting our estimates. Stock recommendation maintained.