Costs of a Cyber Attack

As our nation faces an unprecedented increase in cyber attacks - according to Trend Micro, ransomware attacks on banks alone climbed by a staggering 1,318% last year – and more expected following the invasion of Ukraine, it is imperative that credit unions ramp up their focus on cybersecurity.

There are numerous costs associated with a cyber attack and one of the easiest ways to protect your credit union from those costs is to invest in cybersecurity insurance. Far too many businesses take a reactive approach to cybersecurity and assume they will deal with it when it happens. Every business will experience a cyber attack at some point – big or small – and for credit unions, it could have detrimental impact to your member data and can take months, and even years to recover, so the investment in cybersecurity insurance- like any other insurance – is a critical way to prepare and protect your organization.

Ransomware is the most popular type of attach. The hacker typically gains access to your network, encrypts your data and offers to sell you a key to decrypt your data. The attackers often ask for a reasonable amount so that the affected company is more likely to pay and move on. We are often called to help credit unions recover from a cyber attack. In some cases, there is no choice but to pay the ransomware in order to recover access to data. The ransom demand can be as little as a few thousand dollars, but this is typically just the beginning of recovery and ongoing associated expenses.

In this type of attack, even after the data is recovered, there is still a risk that malware is present in your network. It is not as simple as decrypting your data and getting back to work. If malware is present, we can’t risk having employees go back to work on their infected systems, so we have to migrate the data to new infrastructure and reinstall all applications. It can take months which means significant downtime for the organization and its ability to serve members. In the end, an organization will have paid for hundreds of hours of third party labor and used hundreds of hours of internal resources to remediate an incident.

During this time that a company does not have access to its data or applications and is working to get back to operational, they may not be able to fully serve their clients. This can lead directly to lost revenue as they are not able to bill for their services during this time. In a ransomware attack, there is always the chance that sensitive data was compromised. A situation where a company has to disclose a data breach to customers can lead to long term reputational damage and loss of customers.

A study by the Ponemon Institute found that the average cost for lost business after a data breach in the US was $4.24 million. This includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. Additional costs can include the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, email bounce-backs and inbound communication set up.

And due to remote work driven by the COVID-19 pandemic, costs increased on average $1.07M.

After the company has remediated the issue, the potential expenses don’t end, and can include legal costs, fines, investigative costs, discounts to customers, increased marketing and crisis communications.

When an organization considers all the costs associated with a cyber attack, cybersecurity insurance can be one of the best investments to protect your company. But it alone does not mitigate risk. A comprehensive cybersecurity strategy and a partnership with a vendor that can monitor your systems and inform you of ways to protect your systems and data, is critical to preventing or minimizing a cyber attack.