We’re excited to share the results of our first backtesting exercise where we tested the Interactive Cost Model (ICM) against eight cyber attacks for which financial impact data was publicly disclosed. The ICM was launched in August 2022 as the first interactive, transparent, and defensible cost model to provide dollar-value estimates of financial risk due to cyber attacks. It received positive reviews from Gartner and IDC analysts for giving organizations a freemium alternative to explore the benefits of cyber risk quantification.

We are encouraged by the first set of results and will continue fine-tuning our model. We value the input of the cyber risk community and welcome your constructive feedback. Please email [email protected]

How We Built Our Backtesting Method and Design

Reported Ransomware Attacks Used for Backtesting

Safe tested the ICM against eight recent ransomware attacks that were not included in our proprietary database when the model was developed:

  1. Tenet Health
  2. Faneuil
  3. Quincy, IL
  4. Minerals Technologies
  5. Radiant Logistics
  6. WestRock
  7. Benchmark Electronics
  8. Sinclair Broadcast Group

Walkthrough of our Backtesting Method

Step 1: Enter company level input data:

Annual revenue, employee count; industry; and headquarter location.

Step 2: Create scenarios around the security controls

The Safe ICM is tightly linked to impact security controls that do not affect the likelihood of an attack but do reduce the cost of an attack once it has happened.

Deploying a particular impact control (such as data encryption) hugely impacts the backtesting results. The impact controls are:

  1. Incident Response and Business Continuity plans
  2. Offsite Data Backup
  3. Sensitive PII Encryption
  4. Wire Transfer Protocol
  5. The leakage of employee records during the attack

This testing exercise was conducted independently of the affected companies. As such, we made informed assumptions about the security controls they had in place.

To keep it simple, we created two scenarios:

  1. A best-case scenario: where all the controls were implemented
  2. A worst-case scenario: where none of the controls were implemented

There could be several scenarios based on permutations of impact controls; however, they were not considered during this exercise.

Our Results and Observations


Figure: Safe ICM backtesting results on eight recent ransomware attacks
  1. The actual cost of each attack was within the ICM’s predicted range..
  2. The four companies with total costs farthest above estimated expected cost incurred significant revenue loss or interruption. These results suggest that a strong business continuity plan may play a significant factor in the severity of financial impact following an attack.
  3. The other four companies reported total costs that were within a 25% deviation from the estimated expected cost.
    1. Two of the companies reported values equivalent to the estimated expected cost.
    2. Three of the companies reported no revenue loss.

The table below includes the name of the affected entities, the date of discovery of the attack, its cost, and a brief description of how the total attack cost was calculated.

Organization
Total Attack Costs
Discovery Date
Description of Reported Attack Costs

Quincy, IL
$650K
May 7, 2022
The city spent $650K to pay an approximately $500K ransom and $145K in consulting contracts. There was no disclosed revenue loss or theft of PII.

Tenet Health
$100M
April 20, 2022
The attack is reported to have cost approximately $100M for remediation, lost revenue, and other related expenses. Approximately 1.2M PHI customer records were stolen, and a class action suit has been filed.

WestRock
$209M
Jan. 23, 2022
Reported revenue loss was $189M. WestRock also incurred recovery costs of $20M, primarily professional fees. There was no indication that PxI records were stolen during the attack.

Radiant Logistics
$22.068M
Dec. 8, 2021
The attack caused significant revenue interruption, reported incident response costs of $1,031,000, and the theft of some customer and employee PII data.

Sinclair Broadcast Group
$74M
Oct. 17, 2021
Believed to be a victim of Evil Corp., Sinclair reported a revenue loss of $63M and $11M in total costs related to the attack. PII was stolen, and at least one law firm solicits responses from affected individuals.

Faneuil
$2.8M
Aug. 29, 2021
The loss of ~$2.8M includes the cost of the ransom, remediation, penalties, and implementation of security enhancements. Employee records were stolen, and at least 2 law firms are collecting responses for a class action suit.

Minerals Technologies
$4M
Oct. 22, 2020
This attack’s costs were limited to system restoration and post-attack risk mitigation. The attacker, believed to be Egregor, reportedly stole employees’ sensitive PII data.

Benchmark Electronics
$50.181M
Q1, 2019
The company incurred $12.681M for restoration and remediation of systems, and lost revenues were projected to be between $15M and $60M ($37.5M average) as a result of the attack.