Ransomware attacks, extortion doubled in 2021: Accenture

By Jim Tyson for CFODive.com

CFOs at many companies last year saw the assumptions underlying their budgeting and risk management torpedoed by ransomware attacks.

Total ransomware payments doubled in 2021 compared with 2020, according to estimates cited by Moody’s Investors Service.

U.S. banks during the first half of last year flagged to the federal government $600 million in ransom. JBS, a meat producer, paid attackers $11 million last year while CNA Financial, a global insurance company, reportedly paid $44 million.

Colonial Pipeline, the largest fuel supplier to the eastern U.S., handed over to attackers $4.4 million to resume operations after a shutdown that led to a six-day fuel shortage. Federal authorities later recovered $2.3 million.

“As the number of companies that are forced to pay ransoms to regain control of their networks and data increases, so does the number of hackers attracted to this type of lucrative threat,” McKinsey said in a report.

CFOs need to account for other costs from a ransomware attack, including lost revenue, payments to law, public relations and negotiation firms, and the opportunity cost as “executives and specialized teams turn away from their day-to-day roles for weeks or months to deal with an attack and its aftermath,” McKinsey said.

The surge in ransomware attacks has pushed up cyber insurance premiums across all sectors worldwide and prompted reduced coverage for the most commonly targeted industries, Moody’s said. The loss ratio for standalone cyber coverage rose to 65% in 2020 from 45% the prior year.

Healthcare, construction, manufacturing and other businesses most often struck by ransomware attacks have faced premium increases of 300% or more, Moody’s said, citing data from Risk Placement Services.

McKinsey suggests several ways to reduce the risk — and cost — of a ransomware attack:

Prevention. Three out of four ransomware incidents begin with a phishing email or breach in a remote desk protocol, which are especially vulnerable because of the shift to working from home during the pandemic, McKinsey said. Strong passwords, multi-factor authentication, software updates, restricted access and network-level authentication can thwart cybercriminals.

Cybersecurity “hygiene” is essential “across an entire organization, from employees and vendors to third-party supply chains,” McKinsey said. “It is the first line of defense in mitigating a cyberattack.”

Preparation. Company leaders should rally a core team to prepare for an attack by creating a business-continuity plan and practicing the response to a range of scenarios, McKinsey said.

Readiness should include ensuring adequate communication with the board and deciding whether the IT team has the authority to quickly limit immediate damage from an attack regardless of business consequences.

Response. At the first sign of a ransomware attack, cybersecurity leadership needs to ensure transparency and collaboration with internal stakeholders across the company, including the board, C-suite, compliance and risk, and crisis communications teams, McKinsey said.

The first external call by a company should be to notify the FBI or other law-enforcement agency.

Recovery. Attackers usually disrupt servers and databases not designed for an abrupt shut-down. So recovery from an attack can be painstaking even if a company decides to pay for an encryption key, McKinsey said.

For companies that forgo paying ransom, rebuilding networks from backup data is especially time consuming. Companies on average need 21 days of downtime to recover from a ransomware attack, McKinsey said, citing a report by Coveware.