Like WannaCry, Petya appears to be ransomware, as it encrypts files on infected computers and demands payment for access to be restored.

A very high-profile victim

One of the companies hit by Petya was the world’s largest ad holding firm, WPP. In a statement, the company revealed that on June 27, “a number of WPP companies were affected by the ransomware attack that hit organisations around the world.”

WPP assured clients that it was working with its IT partners and law enforcement “to take all appropriate precautionary measures, restore services where they have been disrupted, and keep the impact on clients, partners and our people to a minimum.”

According to AdWeek, “staff at various offices left work early yesterday due to an inability to access their networks.”

In an internal memo, WPP chairman Sir Martin Sorrell tried to reassure staff that the cyberattack wasn’t hurting the firm’s business. “Many of you will have experienced significant disruption to your work. However, contrary to some press reports, WPP and its companies are still very much open for business,” he told staff, adding that there was “no indication that either employee or client data has been compromised.”

A new agency risk

Even if WPP emerges from this cyberattack with little more than a few nicks and scratches, the fact that it was affected at all by Petya should be of concern to brands that count agencies as some of their most important partners. After all, if a brand’s agency is knocked offline, loses data or is otherwise compromised, it could affect clients in any number of ways, such as disruption to or delays of campaigns.

As Michael Connolly, CEO of adtech firm Sonobi, told AdAge, “Any impact to an organization’s infrastructure or operational ability…can have an impact on the ability to execute, particularly when data is involved.” Data, of course, has become the lifeblood of digital advertising thanks in large part to the rise of programmatic.

And there are a number of worst-case scenarios that could expose clients to even costlier crimes. For example, because agencies are privy to some of the most sensitive information of their clients, it’s not inconceivable that agencies could be specifically targeted by groups who are aiming to extort or otherwise inflict damage on their clients by stealing, modifying or deleting client data.

Seem far-fetched? Consider that this is exactly what is happening to Hollywood studios on a now disturbingly frequent basis. Like brands, Hollywood studios rely heavily on third parties, which out of necessity often have access to some of their most sensitive and valuable assets.

Agencies are ill-prepared

Unfortunately for brands, according to experts who spoke to AdWeek and AdAge, agencies are largely unprepared to deal with cyber threats like Petya.

According to Tom Pageler, chief risk officer and chief information security officer at global information services provider Neustar, agencies are “probably doing the minimum versus other, more heavily regulated industries like financial services that deal with critical data.”

The news isn’t all bad, however. “The industry realizes that they’re really not where they need to be,” he stated, and in the wake of the Petya attack, Pageler is already seeing signs that companies are trying to catch up. He predicts WPP specifically will soon announce the hiring of a big security vendor.

But while agencies have a lot of work to do, brands must also recognize that they share with their partners responsibility for cybersecurity. They can’t just demand that their agencies own the cybersecurity challenge. Instead, they need to better educate themselves, take an active role in establishing and enforcing data security policies that their agencies are required to adhere to, and take steps to ensure that they’re not creating vulnerabilities themselves.