Cyber Incident and Risk: Calculating the Costs to IT and Security

What does a major cyber incident cost these days? Over the past eight months, experts and researchers have tried to quantify what such attacks do to organizations and what they cost.

The need for answers has become particularly pressing in the wake of the cyberespionage campaign that struck SolarWinds and customers of the company’s Orion network monitoring platform, along with a series of high-profile and destructive ransomware attacks targeting other companies. That’s in addition to the daily data breach announcements that do not make headlines.

A study published in June by the Foundation for Defense of Democracies and the insurance firm Intangic found that a single large-scale cyber incident could cost affected organizations a combined $80 billion. That figure covers not only damage to physical infrastructure and networks and the theft of data from victims, but also reputational loss and the resulting inability to attract new investors and creditors.

Compare that with Superstorm Sandy, which struck the U.S. East Coast in 2012 and caused about $65 billion in damage, the report noted.

The scenario used for that calculation has attackers first compromising a supplier of technology to other firms, in this case a managed service provider, and then launching a series of ransomware attacks against the supplier's customers.

“The hacking group then launches a coordinated ransomware attack on the [managed service provider] and many of its customers, resulting in significant business disruption for more than three days,” according to the report. “This impacts 600 [small and midsize businesses] across the industrial, chemical, energy, IT and communications sectors. Impacted companies span every region of the United States and every major industry sector. In such a scenario, Intangic forecasts that the economic losses would approach $80 billion, costing tens of thousands of jobs.”

While such a scenario might seem outlandish, consider the July 2 ransomware attack on software firm Kaseya, which supplies IT management software to managed service providers. In that case, the attackers exploited vulnerabilities in the on-premises version of Kaseya's Virtual System Administrator (VSA), which MSPs use to manage their clients' IT infrastructure.

By exploiting these vulnerabilities, the attackers pushed a ransomware executable, in place of legitimate files or updates, to about 60 of Kaseya's MSP customers. That in turn let them hit about 1,500 of those MSPs' clients, a scenario not far from the one laid out in the Foundation for Defense of Democracies study.

“As cybercriminals become increasingly sophisticated as they attack larger and more security-hardened objectives, they leave behind a toolbox of advanced software tools specifically designed for less defended targets,” Isabelle Dumont, vice president of market engagement at cyber insurance provider Cowbell Cyber, told Dice. “These collections of hacking tools and malware are openly traded on the darknet. It has become an arms race, and if organizations are not constantly updating and deploying new countermeasures, they will eventually be attacked by a tool or be infected by malware that they have no defenses against.”

The Case for Insurance

The potential losses from ransomware and other cyber threats have many organizations debating whether to buy cyber insurance as protection against catastrophic losses. “There has been a fundamental shift in the thinking of cybersecurity vendors over the past three to four years,” Dumont said. “Cybersecurity professionals realize that there is no such thing as being 100 percent protected. The question is no longer ‘if,’ but ‘when’ a cyberattack is going to occur.”

In June, Colonial Pipeline Co. CEO Joseph Blount told a House committee investigating the ransomware attack on his company that the firm did have cyber insurance and would likely submit a claim for reimbursement of the ransom it paid the attackers (even though the FBI later recovered part of that money).

Andrew Barratt, managing principal for solutions and investigations at consulting firm Coalfire, noted that the cyber insurance market has changed over the last several years as more organizations carry coverage and as insurers and brokers gather more data about what actually happens during incidents and adjust their policies accordingly.

For those organizations seeking cyber insurance, much of the process comes down to understanding risk. “How should enterprises react to the changes in the cyber insurance industry? It will require adapting behavior and a very threat-focused risk management approach,” Barratt told Dice. “The challenge we face then is that if the excess focus is placed on defending against one very specific threat to meet an external expectation, it’s not unusual to leave blind spots to others. As always, cyber defenses need to be continually evolving to the adversarial nature of the threat. It’s not a random occurrence, it’s an invisible enemy looking to profit from your weakness. Our defenses must evolve the same way.”

As the insurance industry better understands cyber incidents, it will change more to reflect current threats and trends. “Historically, insurance companies have looked to the past to model future risks. For example, there are more than 100 years of data to understand the inherent risks associated with driving an automobile,” Dumont said. “No such data exists for cyber risks and will never exist in the near term because cyber risks evolve constantly. Therefore, the only way to evaluate cyber risk is by continuously collecting and compiling cyber risk signals.”

Changing Market

While buying more cyber insurance might seem like the logical way to manage security risk, it is not that simple for some organizations.

A report released in June by the U.S. Government Accountability Office found that ransomware and other destructive attacks are leading cyber insurers to raise premiums and limit coverage in some industries, such as healthcare and education. In a broker survey cited in the report, more than half of insurance brokers said their clients' premiums rose 10 to 30 percent in late 2020.

Sean Cordero, a security advisor at Netenrich, noted that these trends could make cyber insurance harder to obtain. There is an upside, however.

“The increased scrutiny of each policy could lead to positive outcomes for both the insurer and the policyholder. Historically insurers have relied on self-attestation as a critical input into the underwriting process, and this process is rife with unintentional and intentional inaccuracy in responses,” Cordero said. “Due to this, insurers will need to determine if they will evolve their models and capabilities to better predict the impact on their business from a high-to-moderate risk policy or, in some cases, decide whether they should remain in the cybersecurity market.”

For organizations weighing cyber insurance, Cordero said enterprises should expect closer review from the provider, and security teams should be ready to work with that provider to address the areas of exposure it identifies.

Cordero also said organizations should consider working with the newer generation of cyber insurance providers, particularly if they have already invested the time and resources to build a resilient cybersecurity program.

“These insurance providers incentivize strong security practices and controls by offering more options and coverage upkeep and validation capabilities,” Cordero told Dice. “These providers provide capabilities for improving your insights into security and risk and include these as part of the base premium. These capabilities help you find and maintain coverage.”