With the continued growth of ransomware in 2020, we revisit a ransomware article from SentinelOne. The piece outlines 6 key ways ransomware inflicts economic pain on companies, pointing out that the payment is often the headline but not the full cost:
- The payment;
- Indirect costs: costs of business interruption associated with a ransomware attack;
- Reputational loss;
- Liability: clients impacted by attacks seek compensation from the breached company;
- Collateral damage;
- Data loss.
While accounting for a wider set of costs is an improvement over the fixation on the ransomware payment, this year has illustrated how the largest cost comes in the form of operational disruption. The damage inflicted on the financial statements is FAR greater than the Ponemon data cited in the Sentinel piece, which put the overall average cost of ‘downtime’ (e.g. operational disruption) at ~$740,357. And it is often far greater than the much higher $55mn cost reported by Norsk Hydro in the wake of that 2019 global disruption.
A straightforward review of company financial reporting in the quarters following a ransomware breach paints a very different picture. Consider ISS World, a low-performing 2-Star company in Cyberhedge’s ratings prior to the breach. Six months after its February 17 breach, the share price is −21% relative to peers, and the ransomware’s financial impact led to a 33% drop in annual operating income as of Q2 2019. This was equal to $126mn USD.
The economic losses as a percentage of operating income for victims Pitney Bowes (October 2019) and Travelex (January 2020) were 14% and 28% respectively. Pitney Bowes’ share price hasn’t recovered, and Travelex’s parent, Finablr, filed for bankruptcy. We will soon get a first look at the economic cost of the August attacks on Brown Forman and Carnival when they report Q3 results. Contrary to Carnival’s August 17th statement that the company “does not believe the incident will have a material impact on its business, operations or financial results”, we can be sure that it will not be $740,357.
Ransomware hits company financial statements in very real and at times enduring ways. The sooner C-suites and investors appreciate this fact, the sooner steps can be taken to proactively lower the probability of an event occurring in the first place. A good start is improving the cyber governance rating.