Reckitt’s vulnerability to a virus is a wake-up call
Yesterday was a Monday morning of doom and gloom, and it wasn’t just the weather or the IMF’s downgrade of the UK economy that contributed: Reckitt Benckiser chipped in too.
Double entendres are not unknown to the maker of Durex condoms. There’s a ready made one to describe its latest trading statement: floppy. Revenues excluding currency fluctations grew just 2 per cent, adjusted profits 1 per cent in the first six months of the year.
The consumer products group also counts Vanish, Nurofen and Lemsip among its brands, and it could do with some of the latter to counter the summer cold that’s been hanging around since last month’s cyber
attack.
The fallout from the NotPetya virus isn’t the only problem Reckitt is grappling with. Its business in South Korea has cratered after a horrible scandal involving a disinfectant that killed nearly 100 people and caused illness in many more. The results contain a provision of £318m in respect of the demerged drugs business Invidior, which is the subject of an on going investigation by the US Department of Justice. There was last year’s rotten Scholl product launch.
But NotPetya has exacerbated all those existing difficulties, raised questions about the quality of its IT security, and taken the gloss of the good parts of the interim results statement, such as the recent sale of the group’s food business and the faster than expected completion of the £14.2bn buy of baby formula maker Mead Johnson.
“We still have work to do on addressing the full implications of the recent cyber attack,” chief executive Rakesh Kapoor warned.
That attack hit the company on 29 June, starting in Ukraine, and managing to avoid many of the measures designed to prevent its spread, rapidly mucking up systems, and services. It took just over two weeks for most of Reckitt’s manufacturing sites to get back to something close to full capacity. However, the company admitted that there are “a number of activities which will take until the end of August to complete in full and we continue to face some operational disruption”.
The resultant delays to shipping and invoicing have, in some cases, lost it sales.
NotPetya was named after the Petya ransomwear virus, but whereas the latter was designed to extort money, the former’s intention was purely destructive. As the impact on Reckitt demonstrates, it succeeded in that.
Mr Kapoor says the business is now responding: “RB has significant cyber security measures in place. With attacks becoming ever more sophisticated in nature, we are reviewing what further measures can be implemented to minimise both the likelihood and potential impact of any future attacks.” You would hope so.
British businesses and multinationals based in Britain have long been guilty of underinvestment, IT included. A report by the Institute for Public Policy Research’s Commission on Economic Justice highlighted the issue again last week, and pointed to one of the possible causes: short-term shareholders with short-term time views.
However, NotPetya and viruses like it, whether seeking to extort money, or just aimed at causing chaos, can hit both short-term and long-term returns.
As such, at the top of the list for any institutional investor when called in for lunch should be, “are you spending enough on your IT and security and if not why not”, regardless of their time horizon.
Reckitt wants us to believe it has woken up to the issue. Only time will tell if that’s true. And even if Reckitt is now sufficiently alive to the danger, it’s by no means clear that others are.