The True Cost of Vendor-Related Cyber Incidents

Think your outsourced business partners have your data secured? Not always. Learn the associated cyber risks of using vendors and how a cyber liability policy can help get your business back on track if you do get hacked.

July 16, 2021

Ransomware attacks, and the costs associated with them, continue to rise, with the average attack costing 10 times the size of the ransom payment. With a total of 304 million ransomware attacks in 2020 (a 62% increase from 2019), the average ransom payment was $170,404. Additionally, with phishing emails being the leading vulnerability causing these attacks, a simple human error can cause devastating business loss for any organization.

“As organizations become more reliant on outsourced service providers, while their individual security may improve, the aggregation risk to the global economy and insurance industry increases exponentially,” says Spencer Timmel, National Director of Cyber Insurance at Safety National. “Consider the number of businesses using a relatively small number of global technology and cloud providers. A single vulnerability within those offerings could expose hundreds of thousands of companies to a cyber event.”

It is critically important to recognize the associated risks of using outsourced service providers. Below are five things you need to know about vendor-related cyberattacks.

  1. Business interruption due to a vendor-related cyber incident is most likely not covered under your property policy.

    While the property insurance market offers business interruption coverage, these policies typically focus on system outages caused by natural perils, like fire, flood or theft. An organization can face numerous additional expenses related to a cyberattack, including costs associated with getting systems back up and running, investigating the event and lost income. While none of these items are covered in a property policy, a cyber casualty policy can unburden a business from these extra expenses.

  2. No one is invulnerable to a vendor-related cyber event.

    By now, you are probably familiar with the SolarWinds attack that penetrated government networks and affected as many as 250 organizations. The vulnerabilities were exposed through supply chain layers that companies rely on, costing cyber insurance companies close to $90 million. If hackers can prey on the U.S. government, which has extensive security measures in place, they can easily target your organization.

  3. Third-party cyberattacks are more expensive and frequent.

    Data breaches that involve a third party are $700,000 more expensive on average. Given the frequency of cyberattacks, there is a lot more to lose, including consumer trust lost through reputational harm.

  4. You may be advised not to pay the ransom if a threat actor is on a federally banned list.

    The U.S. Treasury Department’s Office of Foreign Assets Control maintains a list of banned threat actors called the Specially Designated Nationals and Blocked Persons List. While there is no federal law prohibiting payment to a ransomware attacker, you could face federal civil penalties or sanctions by paying someone on this list. A breach coach, provided as a resource through many cyber policies, can help determine if the ransom can be paid.

  5. With a cyber policy, your carrier can provide critical remediation services.

    In addition to a breach coach that has managed thousands of ransomware attacks and can help negotiate the terms of the ransom, a cyber policy can cover associated costs, like system and data recovery and legal aid. It can also assist with regulatory fines, reputational damage and liability matters. Leveraging these specialized resources can help a company get back to business in a timely manner.