The real costs of a ransomware attack (clue: it isn’t the ransom…)

Mainstream press coverage of ransomware attacks may lead you to believe that the ransom is the largest financial cost suffered. What our data shows clearly is that this is not the case.

Courtenay Brammar
Cyber Security: Beyond the headlines

--

Welcome to another edition of Cyber Security: Beyond the headlines. Each week we’ll be sharing a bite-sized piece of unique, proprietary insight from the data archive behind our high-quality, peer-reviewed, cyber security case studies.

Recently a client asked us to provide some analysis of the financial impact on companies that suffered a cyber ransom attack. Amongst the many interesting data points, we found a clear pattern in the relationship between the ransom and the total costs incurred from this type of attack. We asked whether we could share this specific data point with you and they kindly agreed (thanks Mike!).

But first, let’s look at some general trends around cyber ransom attacks.

Verizon’s 2018 Data Breach Investigations Report shows that ransomware is now the most common type of malware reported.

Yet we also know that many ransomware attacks go unreported, as companies are keen to retrieve their data and systems with as little publicity as possible. Paying the ransom is probably viewed as the most efficient route to a swift solution, since the traditional inclination to contact law enforcement may be weakened by agencies' flip-flopping guidance on the subject.

In cases where a ransomware attack is reported, the focus is almost always on the amount of ransom demanded, leaving readers with the impression that this is the largest cost.

But, as everyone in cyber risk knows, there are a multitude of other costs that arise when an attack like this takes place. For example, during the City of Atlanta’s recent ransomware attack it was reported that the city paid $650,000 to Secureworks for ‘emergency incident response services’ and $600,000 to EY for advisory services related to ‘cyber incident response’. Their ransom payment was, by comparison, a mere $51,000.

One of the great things our repository does is provide us with the data to quantify these other costs, and when we compared them to the initial ransom demanded, a clear pattern emerged:

The ransom part of a ransomware attack is between 0.5% and 4% of the total costs of the cyber attack.

Put another way, if you suffer a ransomware attack that demands a $10,000 ransom to release your data, you can expect to suffer total attack costs of between $250,000 and $2 million.

Take the example of the Lansing Board of Water and Light, which suffered a ransom cyber attack in April 2016 that immediately cost the utility $25,000 in the form of a ransom payment, plus other costs totalling $2.4 million. These other costs related to cyber emergency response services, crisis management, stabilising and restoring systems, and enhancing cybersecurity personnel and technologies.

It is worth noting that their $1.9 million insurance claim was still pending 11 months after the attack. The utility also saw non-financial business impacts: 13 members of the information technology team, as well as the emergency management director, left the organisation following the cyber attack. This highlights that a cyber ransom attack is not the simply-pay-the-ransom-and-the-problem-goes-away situation that companies might be hoping for.

Another example concerns a Rhode Island law firm that ended up taking its insurance company to court after a ransom attack in 2015. The firm’s immediate costs included a $25,000 ransom payment, and its slow-burn costs totalled $700,000 in lost earnings for the period in which its lawyers were unable to access data and systems.

The good news, which our analysis also highlighted, is that those other costs, constituting up to 99.5% of the cost of a cyber ransom attack, can all be mitigated with dedicated, professional risk management. Risk transfer through insurance is of course a key component of this, but understanding your risk profile is the critical first step.

Drop us a line on consulting@cybersecuritycasestudies.com if you’d like to learn more.

Found this interesting? Sign up to receive these insights every week directly in your inbox and check out our previous editions at Cyber Security: Beyond the headlines.
