• United States



Contributing Writer

SEC filings show hidden ransomware costs and losses

Mar 17, 20226 mins

A review of 2021 8-K filings with the U.S. Securities and Exchange Commission reveals a more complete picture of the financial damage from ransomware.

A U.S. dollar sign materializes from small, separate blocks into a unified whole.
Credit: Rafik / Getty Images

The ransomware scourge reached unprecedented levels in 2021, with ransomware threat actors demanding, and in many cases receiving, ransom payments in the millions of dollars. The world’s largest meat processor, JBS, confirmed in June 2021 that it paid the equivalent of $11 million in ransom to respond to the criminal hack against its operations.

Colonial Pipeline paid $4.43 million to its ransomware attackers in May 2021, although in a subsequent operation, the U.S Department of Justice (DOJ) seized $2.3 million of that amount. In May, backup appliance supplier ExaGrid paid a $2.6 million ransom to cybercriminals that targeted the company with Conti ransomware.

The actual costs of ransomware attacks, including lost revenue, can far eclipse the simple dollar amount of any ransom paid. For most private companies, the costs of ransomware attacks, and even the attacks themselves, can be hidden from view, which is one reason why mandatory ransom payment reports for all organizations became law last week.

On the other hand, publicly traded companies are obligated to report to the U.S. Securities and Exchange Commission (SEC) any cyber incidents that materially affect their operations, including ransomware attacks. Most publicly traded corporations registered with the SEC fulfill this obligation by reporting these attacks on an SEC form called 8-K. (Note: the SEC is developing plans to require all publicly traded firms to report material cybersecurity incidents within four days after the registrant determines that it has experienced such an incident.)

CSO ‘s examination of 8-K filings at the SEC found 30 publicly traded companies that reported a ransomware incident, paid ransomware-related expenses, or received ransomware-related insurance reimbursements during 2020 and 2021. Although most of these filings deemed the ransomware attacks as not material or lacked financial data to spell out the costs experienced in dealing with the incidents, seven contained sufficient cost data to shed light on how high the costs of a ransomware incident can go.

The following are snapshots of what these filings had to say.

  1. Sinclair Broadcast Group: The media and broadcasting giant reported it experienced a ransomware incident in October 2021. Sinclair said it paid no ransom and was able to restore its network from backups, but some disruption impacted revenues and expenses. The incident resulted in a $63 million loss of advertising revenues for the broadcast segment in the fourth quarter and $11 million in remediation costs. After potential insurance reimbursements, the company estimates that the cyber incident will have resulted in approximately $24 million of unrecoverable net loss. However, that estimate may increase as details of the recovery are still fluid.
  2. Blackbaud, Inc.: Cloud technology company Blackbaud was hit by a ransomware attack in May 2020, after which it successfully prevented the threat actor from blocking its system access and fully encrypting files, ultimately expelling the actor from its system. However, the attacker removed a copy of a subset of data from its self-hosted, private cloud environment, and Blackbaud ended up paying the demanded ransom. During 2020, Blackbaud recorded $10.4 million of expenses related to the security incident and offset probable insurance recoveries of $9.4 million. Blackbaud was hit with approximately 570 claims for reimbursement of expenses from customers or their attorneys related to the incident following the incident. In July 2021, a court allowed those lawsuits to proceed. In February 2022, Blackbaud entered into a credit agreement that anticipated up to $50 million of non-recurring legal expenses paid in cash associated with the data breach and related ransomware attack.
  3. WestRock Company: The differentiated paper and packaging solutions provider was hit by a ransomware attack on January 23, 2021, that disrupted its IT and operational technology systems. The company said that the impact on net sales and segment income from the lost sales and operational disruption during its second quarter of 2021 was $189 million and $80 million, respectively. WestRock also said it incurred approximately $20 million of ransomware recovery costs, primarily professional fees. WestRock said it expects to recover the ransomware losses from cyber and business interruption insurance in future periods.
  4. Radiant Logistics: On December 8, 2021, the logistics and multimodal transportation company experienced a ransomware attack that impacted its operational and IT systems. Radiant said the incident resulted in a loss of revenue and incremental costs for December, which are expected to adversely affect the company’s second-quarter results for the fiscal year 2022. The company noted that some data extraction related to its customers and employees occurred from the company’s servers before it took its systems offline. It is proactively engaging with those who may have been affected by these events. In detailing its full-year 2021 financials, Radiant said that it incurred $750,000 in ransomware-related incident costs during December, including third-party forensic experts and other IT professional expenses, legal fees, and incremental overtime and employee-related expenses.
  5. Mineral Technologies: The mineral technologies company suffered an Egregor ransomware attack on October 26, 2020. Mineral said it incurred $4 million in expenses relating to system restoration and risk mitigation following the ransomware attack for its fiscal year 2020.
  6. Benchmark Electronics: The electronics engineering firm initially reported a ransomware attack on November 5, 2019, that disrupted customer and employee access to its systems and services. The incident forced it to incur $7,681,000 in ransomware incident-related costs during its 2019 fiscal year. By year-end 2021, it recouped $3,989,000 of those costs, presumably from insurance reimbursements.
  7. Faneuil: The business process outsourcing solutions provider, a subsidiary of ALJ Regional, detected a ransomware attack on August 18, 2021. Faneuil launched an investigation and engaged legal counsel and other incident response professionals, and implemented a series of containment and remediation measures to address this situation and reinforce the security of its information technology systems using leading cybersecurity firms. As a result of the incident, Faneuil incurred expenses and penalties of approximately $2.8 million. Faneuil recognized an insurance recovery receivable of $1.9 million, with Faneuil receiving total insurance proceeds of $1.3 million. The remaining insurance proceeds are expected to be received before March 31, 2022.

Technical debt redressed in ransomware remediation process

Allan Liska, an intelligence analyst at Recorded Future, tells CSO, “There’s a whole lot of expenses that go into the recovery process that maybe we don’t normally think about. If you’re not paying the ransom, you restore all the machines. You have incident response expenses and everything that goes along with that. And you figure that is likely going to be a couple of million dollars.” But, he added, “there are a lot of expenses beyond that really get factored into this,” including, as is true in the case of Blackbaud’s significant legal expenses.

Another significant expense factored into ransomware recovery is technical debt that is fixed in the ransomware remediation process, “projects that have been sitting on the shelf for years and years that need to be implemented,” Liska says. “We should have implemented multifactor authentication two years ago. Well, after the ransomware attack, now we’re able to do that. It’s become almost common practice that after a ransomware attack, security budgets open up, and that money has to come from somewhere. It wasn’t part of the original security budget. So, it sort of gets moved around, and then that counts as a ransomware expense in the end.”