Breach costs are mounting - a glimpse into recent attacks
In its Cost of a Data Breach Report 2023, IBM puts the average cost of a data breach at USD 4.45 million. That figure looks small next to the costs now surfacing from recent attacks on large U.S. companies.
Start with this year's biggest data leak, which was not a ransomware deployment at all but a vulnerability in MOVEit Transfer, Progress Software's file transfer product, exploited for mass data theft. Because the product is used by many organizations and their service providers, the compromise propagated quickly through the supply chain and affected thousands of organizations downstream. Progress Software has already incurred $5 million in cyber incident and vulnerability response expenses, around 10% of its yearly net profit.
That is only the beginning of the saga: given the volume of personal records exposed, legal costs will almost certainly follow.
What about more mundane ransomware attacks? Here are some of the recently disclosed breaches:
Clorox, a U.S. maker of cleaning products, expects to post a quarterly loss after a cyberattack in August disrupted supplies and operations. Its SEC filing shows the company revised its sales growth outlook for the most recent fiscal quarter and expects ongoing operational impacts in the near term while it works back to normal operations. Clorox also incurred $25 million in costs related to the attack, including third-party consulting, legal and other IT services fees (roughly a 20% hit on yearly profit). Tellingly, the company had earlier announced a $500 million, five-year investment plan (starting in 2021) covering a new ERP system and a transition to a cloud-based platform, which suggests it was still running on aging on-premises systems when the attack hit.
The casino operator MGM expects a $100 million hit to profitability following a highly publicized attack in September, as disclosed in its Form 8-K. On top of that, the company spent about $10 million on technology consulting services and legal fees after the breach. These accumulating costs approach 10% of its yearly net income (around $1.4 billion).
Johnson Controls, the maker of fire, HVAC, building automation and other industrial control equipment, confirmed it was hit by a disruptive cyberattack, with a ransomware group claiming to have stolen 27 TB of company data. Its Form 8-K states that the company experienced disruptions in portions of its IT infrastructure and applications. The attackers reportedly demanded $51 million in ransom, still a manageable sum for a company whose net income stands at around $1.5 billion for the most recent fiscal year. Even if the company never pays, response and recovery costs will probably shave several percentage points off profit, something investors will want to scrutinize.
Publicly listed U.S. companies are clearly being materially impacted by both supply chain and ransomware attacks. Now that these costs are visible to investors, many companies will want to mitigate them sooner, by modernizing infrastructure and moving to cloud-based platforms, since legacy on-premises systems with unpatched, exposed services are a favorite target of ransomware operators. That is the silver lining in this story. The caveat is that migration shifts risk rather than removing it: cloud identities, misconfiguration and third-party software remain targets, and MOVEit itself was a widely deployed vendor product.
Although the absolute costs may be lower for smaller organizations, one can assume SMBs are suffering proportionally similar hits to operations and profitability. Even where no cybersecurity regulation compels them (see here and here), both small and large businesses will need to adapt and focus their investments on cybersecurity measures that actually reduce this exposure.