In short:
- Ransomware isn’t going anywhere, despite a new government focus
- That means not just the possibility of crypto payments but also a range of ancillary costs, from insurance surcharges to impairments
- Some new expenses are easier to estimate than others, with lawsuits a particular wildcard
In June, I advised you to prepare for the possibility of a ransomware attack on your organization and offered a working ransomware prevention checklist for finance teams. Since that was published, more notable attacks have occurred, enough that the U.S. government has formally made stopping ransomware a priority. President Biden even made a point to address the matter at his summit with Russian President Vladimir Putin.
Unfortunately, this is mostly theater, as illustrated by the recent ransomware attack on consulting firm Accenture. CFOs and CIOs need to operate on the assumption that this threat will be with us for the foreseeable future.
If you’ve read that the ransomware groups involved in some recent attacks have shut themselves down, don’t lower your guard. This just means they’re rebranding.
These outfits are not “groups” in the sense of a team or company. A small number of coders write the ransom software, which they then essentially rent, much like you’d pay for access to a digital movie for a set amount of time. Renters find vulnerable targets and use the ransomware to carry out attacks, then pay a fee, typically 15% of any ransom they collect using the software.
Ransomware as a service is a profitable business. When these outfits “shut down,” it just means that they close one site on the dark web, copy the software to a new site and resume their activity. The name is irrelevant.
And, having investigated Russian cybercriminals for years, I can say that a major crackdown from Putin is extremely unlikely. First, cybercrime is a major industry in Russia. It brings a lot of cash into the country. And these criminals avoid targeting Russian businesses — some embed code in the software that prevents ransomware from impacting Russian organizations — so it’s not in Putin’s interest to shut them down.
There has been some indication that the U.S. Cyber Command might begin to more heavily target Russian cybercriminals, but that would require a long-term, concerted effort. And then we’d need to move on to China, Iran and homegrown criminal operations. Bottom line: It is critical to acknowledge that the risk of ransomware is not significantly decreasing. I have spoken to many executives lately who mistakenly believe that some short-term talk signals a significant improvement.
Besides the checklist in my past column, there are budgetary considerations for finance leads. Ransomware could hit your budget in a variety of ways, over and above any payments you choose to make and/or immediate remediation and technology upgrades. Here are the top five:
1. Higher Borrowing Costs
A comprehensive American Accounting Association study released in May found that substantial additional capital costs due to data breaches, including ransom attacks, can dwarf any direct payments. For example, lenders may see a breach as indicating “weak operational control risk and a poor internal information system,” resulting in less favorable loan terms.
2. Higher Insurance Premiums
I maintain business insurance for a couple of small cybersecurity companies. Despite the fact that I outsource all critical data storage, business insurance has gone up significantly — in large part due to ransomware underwriting.
I expect these cost increases to continue. And if you have not yet purchased cybersecurity insurance, you should seriously consider budgeting for it. Here’s how to evaluate cybersecurity insurance policies.
3. Hard and Soft Customer Notification Cost
Should you suffer from a breach involving customer data, you will likely be legally required to inform those whose information was compromised. The extent of required notifications depends on which regulations you are subject to. While your cybersecurity insurance may cover some or all notification costs, expect to hire your own lawyers to work with the notification service provider and protect your interests.
If your insurance doesn’t cover these mandated notifications, you will have to hire even more lawyers and find a company that can help you execute. This cost comes in addition to staff time spent and distraction from normal operations.
4. Brand Damage
Intangible assets — including your brand and IP — compose an increasingly large part of business valuation. An attack may affect the value of both, so expect to address impairments.
Also plan to fund a marketing campaign to counter negative publicity. The amount of damage from that publicity depends on your industry and how well you handle notifications. I’ve seen companies come close to closing as a result of competitors relentlessly using an attack to steal customers. In reality, your competitors might be even more vulnerable than you to future attacks. But unless you’re upfront, make it very clear that the problems that created the incident are addressed and explain exactly how, customers may be left with the impression of vulnerability — and you can be sure that your competitors will foster that impression.
5. Potential Lawsuits
Unfortunately, when you have a data breach, a class action attorney may well make a claim against your organization. Suits are in the works targeting Colonial Pipeline over lost sales, and this month, a U.S. district court approved a settlement over a 2020 Nebraska Medicine breach that exposed data on some 216,000 individuals. Those 125,000 who got notifications about the breach could receive $300 for time and expenses and up to $3,000 for documented monetary losses which the incident "more than likely" caused. That’s a potential liability to the tune of $412.5 million, in addition to free credit monitoring services for about 13,000 people.
Whether your customers suffer material losses or not, these attorneys will come out of the woodwork. In many cases, I have seen them walk away with millions of dollars while plaintiffs get trivial amounts.
Why Insurance May Not Help Much
Though cyber insurance covers many costs, I have found that victims sometimes don’t want to accept what the carrier is willing to pay for. For example, the CIO of a school district hit by ransomware told me that the insurance company was willing to pay for its network to be rebuilt, but only the way it was before the attack. The district considered that design too vulnerable and wanted to strengthen its security architecture. The CIO chose to reject the insurance offering and rebuild the network using another contractor.
As I recently discussed, CFOs and in-house IT teams or service providers can and should work together to make a financial case for additional controls. The stronger your security, the more likely drive-by attackers will move along to the next target.
However, even companies with strong defenses, such as Accenture and T-Mobile, are falling victim, which serves as a further reminder to fully prepare your organization financially for the possibility of a debilitating attack.