Several weeks before it got hit by a ransomware attack, Forward Air (NASDAQ: FWRD) did a “comprehensive roleplay” to prepare for a company disaster.
The event they were preparing for? A ransomware attack.
“Just six to eight weeks ago, we did a comprehensive roleplay that was customer facing on the assumption of if we go dark, what do we do?” Forward Air chairman and CEO Thomas Schmitt said in an interview with FreightWaves to discuss the company’s recent cyberattack.
“We hack ourselves all the time,” Schmitt said. “When we find a hole, we plug the hole.”
In a December 21 8-K filing with the Securities and Exchange Commission, Forward Air said it planned to be back online “within the coming week.” So while the company was largely back two days later, the prediction of possibly another week to recover was made because the company was “being overly cautious,” Schmitt said. “We wanted to make sure that when we brought our systems back up that they were safe for us and our customers to use.”
One thing that Forward Air learned in its game playing and the real-life incident: it’s good to have experienced people.
Schmitt talked about the company’s Atlanta terminal, which he had visited the day of the interview, noting that many of the staff members had been there for more than 20 years. “So when this happened, they divided up the physical space into quadrants, brought in the pen and paper and went back into their muscle memory,:” Schmitt said of the staff’s response to the ransomware attack, which first hit the company December 15. They acted with “precision execution…of the way they did things 20 plus years ago.”
But it wasn’t all just muscle memory, Schmitt said. There were plans, what he called a “cybersecurity fence” that had been put in place. That plan involved everything from how drivers continue to get paid, how other back office operations continue and steps that “show you how to move freight and how you still accept freight” in the absence of normal systems.
Schmitt said when the ransomware attack hit, Forward Air kept its operations going with what he described as “pen and paper and arms and legs.”
Schmitt declined to offer details about the attack itself. Forward Air had announced that it had brought in law enforcement and Schmitt confirmed that it was the FBI, rather than local law officials. He declined to say whether Forward Air had paid ransom.
“We were looking for the safest way to get back up and going again” was what Schmitt said in response to questions about how Forward Air reacted to the ransomware attack.
Schmitt used the interview to heap praise on his staff. When asked about the hit on profitability, Schmitt, who spent 10 years at FedEx Corp. (NYSE:FDX), said he fell back on the FedEx mantra of “people/service/profit” as the sequence that makes a company successful. “You watch and do the right thing by your people,” he said.
His staff for the two weeks of the outage and its aftermath “went above and beyond.” “We didn’t have to ask anybody, ‘are you off on the weekend? Christmas Day? They were just there.”
The response, he said, showed Forward Air is “more walk than talk.”
Asked if Forward Air had plans to pay out bonuses for the staff given their performance, Schmitt said the company has “not talked about a specific one-time bonus yet.” But he did say that the company decided to pay its drivers and other workers on the basis of the “best estimate” of their hours, given that normal record-keeping would have suffered during the outage.
Also, Schmitt added that where some drivers were not able to accumulate the normal number of hours, “we did make up for that.”
Forward Air’s approach toward communication when the outage hit was fairly open. Customers that FreightWaves spoke with said they heard from Forward Air quickly. A request by FreightWaves for confirmation of the cyberattack was answered quickly though without a great deal of detail, which tends to be normal practice for operations that have been hit by a cyberattack; they don’t want to give too much away.
The first announcement by Forward Air said nothing about ransomware. But when a later announcement said the company had called in law enforcement, it was clear that the issue was serious.
As a publicly-traded company, Forward Air is required to file an 8-K report with the SEC noting “material events.” In that report,
In its 8-K filing, Forward Air said the incident “may result in a deferral or loss of revenue as well as incremental costs that may adversely impact the Company’s financial results.”
One thing Schmitt said, he found was that customers “were cheering for us. They said, we understand it is going to be manual going forward and we need to get past it. We want you to come out strong here.”
When it comes to communicating with customers during this sort of shutdown, Schmitt said the advice he would give is “the more the better.” “It’s the perfect time to join forces with them and say we’ve been together for decades and now we’re going to get through this together,” Schmitt said. “They really appreciate it.”
What comes through from Schmitt is a feeling that while Forward Air might have gotten hit with a cyberattack, it’s not that the company was unprepared or had had fallen down in getting ready for such it. He didn’t use the term “inevitable” but he did say that the goal of preparedness is to “maximize the odds of you being in a good place when something happens.”
“Clearly, there will be a post mortem,” Schmitt said. Reviewing the forensics of what happened will be part of that, but Schmitt declared: “We have a very, very clear cybersecurity roadmap that we review with the board as part of our enterprise risk management,” he said. It’s also under the review of Forward Air’s audit committee, he said.
While the odds of getting hit again are impossible to calculate, Schmitt said one of the key indicators of odds of being hit again came from the number of people in the industry who contacted him and said some version of “this happened to us.”