Tale of the Tape
Hackers have kicked some big time ass against major American companies in the past 10 years. JP Morgan Chase, Capital One, Equifax, Uber, LinkedIn and eBay are just a few of the large corporate victims. In 2021 alone many corporate IT hacks have made the headlines, with the Colonial Pipeline hack being the most recent. Well, that was, until JBS, a major American meat processing company, revealed just days ago that it had also been breached.
Colonial Pipeline's CEO confirmed the company paid a $4.4 million ransom. CNA Financial, one of the largest insurance companies in the US, reportedly paid hackers $40 million after a ransomware attack. Information on whether Acer ended up paying the ransom for its breach in March 2021 seems hard to come by, but the initial ransom demand was $50 million and included a threat to increase the demand to $100 million. If Acer did pay up, it would be the highest known ransomware payment in history.
Logic would lead us to ask the question: Will companies gain a stronger foothold on their IT security? However, a different question can also be asked: Does it matter if companies increase their security posture? Some evidence suggests that increasing security posture isn't the only tool in a mitigation strategy.
Supporting evidence for corporate complacency is a piece of research done by Comparitech. Their analysis covered 34 selected companies listed on the New York Stock Exchange and determined that, in the short term, a data breach averaged about a 3.5 percent hit to the respective stock price. However, only 21 out of 40 breaches resulted in worse stock performance than the NASDAQ in the six months after the breach, and the longer-term performance was highly dependent on the company. This shows that a data breach is not a nail in the coffin or a definite long-term setback. The full report is available, and you can also read Forbes.com's analysis of the research. The following image shows the long-term impact of a data breach on the companies included in the study.
Image taken from “How data breaches affect stock market share prices” by Comparitech. https://www.comparitech.com/blog/information-security/data-breach-share-price-analysis/
Another article on the impact of cyber breaches on stock price from DarkReading.com and a research paper from New York State University found a similar outcome on stock prices.
Other opinion also holds that companies do not necessarily have to suffer long-term consequences. Harvard Business Review (HBR) describes how JP Morgan Chase's stock price actually went up after its 2014 data breach, and describes the effects as follows:
These counterintuitive outcomes indicate that many factors determine the fallout from data breach incidents. They also show that there are steps a company can take to not only mitigate reputational damage, but sometimes even end up improving their position.
In the same article, HBR describes two pieces of advice for mitigating stock losses post breach:
There are two key pieces of advice: 1) Lead with what you did right to prepare for this eventuality, and 2) then pivot to how you’re going to improve even more.
A SANS Institute white paper reviews another solution to securing your IT infrastructure: simply cover your poorly secured IT assets with cyber-insurance before disaster strikes. The paper itself bears the names of some of the biggest IT firms in Silicon Valley, such as Cisco and Palo Alto Networks.
The paper provides general advice and sets expectations for corporations that choose to use cyber-insurance to mitigate ransom-based attacks on IT infrastructure, AKA ransomware. For example, it advises that corporations be honest with insurers about existing IT security controls when negotiating a cyber-insurance policy. Incidentally, the cost of ransomware breaches averages out to $150 per record exposed by a breach [PartnerRe, "Cyber Insurance – The Market's View"].
The SANS paper goes on to describe two real-world examples. In the first, a mid-sized company pays a $14,000 annual premium for $1-2 million in coverage with a $25,000 deductible. The second is a case study of Baltimore County's costs after a 2019 breach. Without cyber-insurance, the county incurred $10 million in direct recovery costs and $5 million in upgrading its IT security. It added insurance protection after the fact, consisting of 2 x $10 million in recovery coverage and $8 million in revenue interruption coverage, at a cost of $800,000 in annual premiums with a $1 million deductible. These two scenarios clearly show that buying cyber-insurance in advance is far cheaper than acting after the fact.
If you need resources when negotiating for a good policy, you can visit the US Government's Cybersecurity & Infrastructure Security Agency (CISA) website for resources on cyber-insurance.
However, this creates a conundrum. While the US Treasury warns about potential sanctions risks for facilitating ransomware payments, the SANS white paper describes how insurance policies may cover both the payment of the ransom and the cost of business interruption, and how insurers in some cases will apply pressure on the insured to pay a ransom. ProPublica writes that insurance companies are increasing the market for, and the viability of, ransomware attacks, and reports on the outcome in Lake City, Florida, where the city's cyber-insurer, Beazley, an underwriter at Lloyd's of London, paid a ransom of 42 bitcoin, worth about $460,000 at the time (now worth substantially more).
The mayor, Witt, said in an interview that he was aware of the efforts to recover backup files but preferred to have the insurer pay the ransom because it was less expensive for the city. “We pay a $10,000 deductible, and we get back to business, hopefully,” he said.
It (paying ransom) holds down claim costs by avoiding expenses such as covering lost revenue from snarled services and ongoing fees for consultants aiding in data recovery.
So, at one end, the US government is warning against paying ransom, while CISA at the other end is pointing companies towards cyber-insurers who tend to want to pay the ransom. Conundrum.
Ransomware attacks have exfiltrated tens if not hundreds of millions of dollars from corporations in the US and globally. There is evidence that a long-term negative impact on a breached company's stock price is far from guaranteed, and cyber-insurance can evidently mitigate that risk. However, cyber-insurance is perhaps more of a national security risk, since it funds international criminal organizations. Finally, if you are an IT security consultant or a hopeful IT security consultant (such as the writer of this article), you may want to get into the ransomware business, since insurers and companies apparently don't want to pay for your consulting. Unfortunately, the current strategic trend is to simply wash one's hands of the risk, send money (and sometimes your personal data) into the hands of organized criminals, and avoid those gnarly IT consultancy costs.