Watch Now


Forward Air postmortem: CEO says an experienced team can help an organization get through a cyberattack

Schmitt says the company had “muscle memory” that enabled a shift to methods that predated the technology shutdown by a ransomware attack

Image: Jim Allen/FreightWaves

Several weeks before it got hit by a ransomware attack, Forward Air (NASDAQ: FWRD) did a “comprehensive roleplay” to prepare for a company disaster.

The event they were preparing for? A ransomware attack.

“Just six to eight weeks ago, we did a comprehensive roleplay that was customer facing on the assumption of if we go dark, what do we do?” Forward Air chairman and CEO Thomas Schmitt said in an interview with FreightWaves to discuss the company’s recent cyberattack.

“We hack ourselves all the time,” Schmitt said. “When we find a hole, we plug the hole.”


Forward Air was first hit with the cyberattack on December 15. By December 23, operations were coming back online. 

In a December 21 8-K filing with the Securities and Exchange Commission, Forward Air said it planned to be back online “within the coming week.” So while the company was largely back two days later, the prediction of possibly another week to recover was made because the company was “being overly cautious,” Schmitt said. “We wanted to make sure that when we brought our systems back up that they were safe for us and our customers to use.”

One thing that Forward Air learned in its game playing and the real-life incident: it’s good to have experienced people. 

Schmitt talked about the company’s Atlanta terminal, which he had visited the day of the interview, noting that many of the staff members had been there for more than 20 years. “So when this happened, they divided up the physical space into quadrants, brought in the pen and paper and went back into their muscle memory,:” Schmitt said of the staff’s response to the ransomware attack, which first hit the company December 15. They acted with “precision execution…of the way they did things 20 plus years ago.”


But it wasn’t all just muscle memory, Schmitt said. There were plans, what he called a “cybersecurity fence” that had been put in place. That plan involved everything from how drivers continue to get paid, how other back office operations continue and steps that “show you how to move freight and how you still accept freight” in the absence of normal systems. 

Schmitt said when the ransomware attack hit, Forward Air kept its operations going with what he described as “pen and paper and arms and legs.”

Schmitt declined to offer details about the attack itself.  Forward Air had announced that it had brought in law enforcement and Schmitt confirmed that it was the FBI, rather than local law officials. He declined to say whether Forward Air had paid ransom. 

“We were looking for the safest way to get back up and going again” was what Schmitt said in response to questions about how Forward Air reacted to the ransomware attack. 

Schmitt used the interview to heap praise on his staff. When asked about the hit on profitability, Schmitt, who spent 10 years at FedEx Corp. (NYSE:FDX), said he fell back on the FedEx mantra of “people/service/profit” as the sequence that makes a company successful. “You  watch and do the right thing by your people,” he said.

His staff for the two weeks of the outage and its aftermath “went above and beyond.” “We didn’t have to ask anybody, ‘are you off on the weekend? Christmas Day? They were just there.”

The response, he said, showed Forward Air is “more walk than talk.”

Asked if Forward Air had plans to pay out bonuses for the staff given their performance, Schmitt said the company has “not talked about a specific one-time bonus yet.” But he did say that the company decided to pay its drivers and other workers on the basis of the “best estimate” of their hours, given that normal record-keeping would have suffered during the outage.


Also, Schmitt added that where some drivers were not able to accumulate the normal number of hours, “we did make up for that.”

Forward Air’s approach toward communication when the outage hit was fairly open. Customers that FreightWaves spoke with said they heard from Forward Air quickly. A request by FreightWaves for confirmation of the cyberattack was answered quickly though without a great deal of detail, which tends to be normal practice for operations that have been hit by a cyberattack; they don’t want to give too much away.

The first announcement by Forward Air said nothing about ransomware. But when a later announcement said the company had called in law enforcement, it was clear that the issue was serious.

As a publicly-traded company, Forward Air is required to file an 8-K report with the SEC noting “material events.” In that report, 

In its 8-K filing, Forward Air said the incident “may result in a deferral or loss of revenue as well as incremental costs that may adversely impact the Company’s financial results.”

One thing Schmitt said, he found was that customers “were cheering for us. They said, we understand it is going to be manual going forward and we need to get past it. We want you to come out strong here.”

When it comes to communicating with customers during this sort of shutdown, Schmitt said the advice he would give is “the more the better.” “It’s the perfect time to join forces with them and say we’ve been together for decades and now we’re going to get through this together,” Schmitt said. “They really appreciate it.”

What comes through from Schmitt is a feeling that while Forward Air might have gotten hit with a cyberattack, it’s not that the company was unprepared or had had fallen down in getting ready for such it. He didn’t use the term “inevitable” but he did say that the goal of preparedness is to “maximize the odds of you being in a good place when something happens.”

“Clearly, there will be a post mortem,” Schmitt said. Reviewing the forensics of what happened will be part of that, but Schmitt declared: “We have a very, very clear cybersecurity roadmap that we review with the board as part of our enterprise risk management,” he said. It’s also under the review of Forward Air’s audit committee, he said.

While the odds of getting hit again are impossible to calculate, Schmitt said one of the key indicators of odds of being hit again came from the number of people in the industry who contacted him and said some version of “this happened to us.”

More articles by John Kingston

Five days later, Rand McNalley says ELD system back online

Covenant sees ESG principles moving deeper into truckload segment’s strategy

OOIDA rips into lack of trucking aid in spending bill, says expanded PPP not specific to the industry

John Kingston

John has an almost 40-year career covering commodities, most of the time at S&P Global Platts. He created the Dated Brent benchmark, now the world’s most important crude oil marker. He was Director of Oil, Director of News, the editor in chief of Platts Oilgram News and the “talking head” for Platts on numerous media outlets, including CNBC, Fox Business and Canada’s BNN. He covered metals before joining Platts and then spent a year running Platts’ metals business as well. He was awarded the International Association of Energy Economics Award for Excellence in Written Journalism in 2015. In 2010, he won two Corporate Achievement Awards from McGraw-Hill, an extremely rare accomplishment, one for steering coverage of the BP Deepwater Horizon disaster and the other for the launch of a public affairs television show, Platts Energy Week.