Utilities with lower gross revenue face the largest financial risks from hackers, with median losses associated with a ransomware attack potentially threatening 30% of a small company’s operating income, according to new research from cybersecurity firm ThreatConnect.
“Organizations are finally waking up to the fact that the impact of ransomware and other cyber attacks is more than just a moment in time,” Jerry Caponera, ThreatConnect’s general manager of cyber risk quantification, said in a statement. “The financial implications are far-reaching and create barriers for companies to continue operations after these attacks.”
ThreatConnect on Tuesday published its first risk quantification report, assessing the potential financial impact of a ransomware attack on an enterprises with revenue of $500 million, $1.5 billion and $15 billion. The analysis focused on the healthcare, manufacturing, and utility sectors.
The median ransomware loss for a utility with $500 million in revenue is around $17.8 million, according to ThreatConnect’s data. The loss figures include revenue impacts, operational disruptions and remediation costs.
“The small utilities, they just have less bandwidth” to absorb an attack, Caponera said in an interview. An average ransomware loss at a small power provider could amount to a 31% hit to operating income, he said. For a medium or large entity the impact would be more modest, about 13% and 2%, respectively.
In the health care and manufacturing sectors, the potential losses are even higher.
A health care company with $15 billion in revenues faces median ransomware attack costs in excess of $100 million, according to ThreatConnect. For a manufacturing company that size, median attack costs are almost $187 million.
“We’re starting to see more threats to the small and medium companies in sectors like manufacturing and health care because they're not as equipped to deal with them as the larger companies that invest more,” Caponera said.
“The utility sector is the one that worries me the most,” he added. Beyond the financial impacts, U.S. adversaries see the utility sector as a “prime target.”
“Hackers are increasingly exploiting the utility companies that provide energy needed to power our economies and enable most of what we use in our daily lives,” the report concluded. “Ransomware attacks, such as that on Colonial Pipeline ... show an increasing trend where hackers target the smaller and medium-sized utility companies they perceive as easier targets.”
In 2021 a ransomware attack on Colonial, the largest refined fuels pipeline on the U.S. east coast, led to a shutdown of the pipeline’s operations. The company paid a ransom of more than $4 million to hackers to speed recovery of its internal systems, though federal officials were able to recover a portion of the ransom.
Ultimately, consumers bear the burden of a ransomware attack, Caponera said.
“We pay twice,” he said. “Not only in terms of having to pay for increased costs, to get it cleaned up ... But depending on the kind of utility that gets hit, you can you can be talking about major impacts to the economy, major impacts to livelihoods. The magnitude and scale is broader in utilities than it is in most other industries.”
Successful utility cyberattacks are generally kept confidential, Caponera said, but there are signs of an increase. Roughly half of utility companies have faced some kind of a system, shut down or had an operational data loss in the last 12 months, he said.
Utilities are also paying higher rates for cyber insurance. Electric utilities shopping for cyber insurance from industry-backed insurers faced premium increases of 25% to 30% last year, according to data from Marsh, an insurance broker that works with underwriters that insure utilities.