How are the costs of a ransomware attack broken down?
CyberKainos. Reading time: 5 minutes
Last month, Marks & Spencer announced that a recent ransomware attack might hit its operating profit by about £300 million this year. For context, that is just over one-third of its pre-tax profit for the previous period.
Big numbers are everywhere when it comes to cyber-attacks. For the impacted organisation, ransomware demands can be in the millions, and operational disruption can be even higher. For insurers, cover can run into the tens of millions, while any number of customer records can be stolen or encrypted by the attackers.
But how does the cost of a ransomware attack actually break down for an impacted organisation?
Costs to deal with the immediate triage
Once a ransomware attack is discovered, you need quick access to specialist skills. This is true whether your response team is in-house or if you use a third-party MSSP.
Your team will almost certainly expand, possibly several times over, as the need for specialist expertise becomes clear. These specialists come at a high price for a reason, and more so in emergency situations. You can expect to pay anything from £1,200 per person per day, depending on the skill set of the team working on the remediation.
In this early phase you can be racking up costs of tens of thousands of pounds per day. These resources may be needed for some time before the incident is brought under control (according to IBM’s 2023 report, the average time to identify and contain a breach is 277 days).
Sachin Patel, a CyberKainos CISO of over 10 years’ experience adds: “It is not uncommon to see quite large organisations get through 25% – 50% of their original security annual budget in a matter of days or weeks in the event of a threat actor gaining access and causing a major incident.
A big issue that is often overlooked here is cashflow. Funds need to be available to pay the people who are trying to fix the situation promptly, and this is a major reason organisations end up folding.”
The ransom demand
Before long, a ransom demand will materialise. The decision of whether to pay it will be driven by the severity of the ransomware attack and a desire to minimise immediate financial and operational disruption. With the average downtime of operations due to ransomware attacks at around 22 days, it is a decision that may come down to simple maths.
Many larger organisations take the view that paying a ransom is the quickest way to move past an incident. Indeed, organisations with more than 5,000 employees are the group most likely to pay and, on average, hand over more than $4m per demand, but without any guarantees that their ransomed data or systems will actually be returned.
While the official position of the UK government is “we do not condone making ransomware payments”, this is the only position they can realistically take publicly.
However, a closer look at their own official guidelines shows language that leaves plenty of room for manoeuvre. There are lots of instances of ‘should not’, ‘periodic reviews of policy’ and ‘sanctioned with ministerial discretion’ rather than a simple, firm ‘will not’.
The fact is that earnings from cybercrime are many times larger than the total income from the global illegal drug trade and, if combined, would create the third-largest economy in the world, with a value of around $10 trillion. Ransomware payments form only a part of that, but it shows capitulation is a choice taken by a lot of decision makers every year.
Costs of remediating a ransomware attack
Even if paying the ransom is the option taken, the payment will not be the end of the costs associated with the incident. Work will begin immediately to understand how the attack was carried out, and it is essential to identify any backdoors left behind by the attackers to ease their return in the future.
Sachin Patel adds: “Even if a ransom of $4 million is paid, you are still facing months of additional costs to evaluate and re-engineer your entire infrastructure. You are left in a position where you can trust nothing and could end up with another bill that almost matches what you handed over originally to the attackers.”
Regulatory fines
Whether you pay a ransom or not, there is another cost that will likely be coming your way after a ransomware attack: fines from regulators, especially if the organisation is found to be non-compliant with the data protection laws relevant to its region or industry. In the event of any data breach, your practices are going to be under the microscope.
Data protection regulations, such as the UK General Data Protection Regulation (GDPR) are designed to safeguard the personally identifiable information (PII) and data of users. Depending on an organisation’s operations or industry, compliance could mean adhering to multiple frameworks and reporting to other governing bodies.
The GDPR establishes two tiers of administrative fines that can be imposed for violations:
- Up to €10 million or 2% of annual global turnover, whichever is higher, for less serious infringements
- Up to €20 million or 4% of annual global turnover, whichever is higher, for more serious infringements
In a major ransomware scenario, if poor data handling practices contributed to the breach or meant the data was readily accessible to the attackers, then the organisation can expect to sit firmly in the higher of these tiers.
The role of cyber security insurance
Yes, just like corporate liability and buildings cover, cyber insurance is fundamentally a good idea. Organisations should not assume, because of large payout figures reported in the media such as Marks & Spencer’s “£100 million payout”, that premiums to cover them will break the bank.
There are two reasons for this:
First, unlike other industries or scenarios, there are steps you can take to directly influence your premiums beyond the amount of cover you are seeking. If you can demonstrate you have good control and visibility of your IT infrastructure and are compliant with information security and data handling standards such as ISO 27001, Cyber Essentials, NIST CSF, and SOC2, this will help considerably.
If you need help, organisations like CyberKainos can engage with your insurer to communicate and demonstrate these actions to lower premiums, as what the insurer is insuring is now fundamentally more secure than before.
Second, isolated breaches like M&S, while obviously incredibly stressful for those directly involved, are not, speaking purely in financial terms, a major issue for a big insurer, and do not contribute to any meaningful increase to premiums in general.
What impacts big insurers (and likely premium increases) is the occurrence of a ‘Catastrophe Load Event (CLE)’ such as NotPetya in 2017.
NotPetya followed a number of errors and earlier breaches in the US: penetration tooling was unleashed by Russian actors against Ukraine, but with a blast radius that ended up impacting major companies all around the world. Maersk, FedEx, Saint-Gobain, Reckitt Benckiser and Mondelez were just some of the names affected. The estimated cost of NotPetya to insurers was about £4 billion. Thankfully, to date these CLEs are a relatively rare occurrence.
Your insurers’ role will go beyond simply providing a financial pay-out too. It is in their interests to offer expert consultancy and on-the-ground support in the event of an attack to either resolve or limit the damage as quickly as possible, limiting their exposure in the process. The incident response services of the major players are almost always to a very high standard.
On a day-to-day level it is a good idea to integrate your insurer with either your internal or external IT security resources who monitor your networks for suspicious activity and the wider threat landscape. If they have good, advance knowledge of your systems, software and wider infrastructure, this can be of great help in reducing the likelihood of losses arising from systemic vulnerabilities.