The actual cost of a cyber attack

Courtesy FirstNet Learning

Pay a ransom or not? Even though the question seems dramatic and ripped from the script of a ’70s spy movie, according to Joseph Bonavolonta, assistant special agent for the Cyber & Counterintelligence Program for the FBI, you may want to if you get hacked.

“The ransomware is that good,” he said.


Depending on how you want to handle a cyber breach, what it will cost your organization can now vary widely.

Below are a couple of examples of how much it can cost your organization if (when?) you get hacked.

Scenario #1: An employee opens a phishing e-mail. The malware in that e-mail then accesses the company’s centralized network, exposing names, addresses, dates of birth, Social Security numbers and financial information, such as credit card and bank account numbers.

Based on the above information, estimated costs for this attack could potentially break out as follows:

Incident Investigation: $200,000 – $300,000
Post-Incident Management: $350,000 – $500,000
Fines & Penalties: $400,000 – $550,000
Total Costs: $950,000 – $1,350,000

Scenario #2: A nurse accidentally leaves his or her hospital-issued laptop at a restaurant. The laptop holds an unencrypted database of current patient records that include protected health information with the name, Social Security number, credit card, insurance ID and medical information of at least 200 patients.

Based on the above, estimated costs could potentially break out as follows:

Incident Investigation Costs: $100,000 – $180,000
Customer Notification and Crisis Management Costs: $20,000 – $50,000
Fines & Penalties: $100,000 – $175,000
Total Costs: $220,000 – $405,000

Preventive measures:

1. Within any e-mail, be sure you know where a link is really taking you — the easiest way to do this is to let your mouse hover over the link and check whether the address that appears is one you recognize as the genuine website.

2. Learn how to see where a link is really going.
• Locate the first single forward slash (/) in the address, that is, the first one after the double slash that follows http:// or https://.
• Look at the information immediately to the left of that forward slash. That is the actual domain name the link points to.

3. Know how you are legally obligated regarding HIPAA compliance and PCI reporting.
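As an added example (not part of the original post), the following Python script applies steps 1 and 2 programmatically: it extracts the real host of each link and flags any whose host is not the trusted domain. The sample links and the domain name mybank.example are constructed for illustration and are assumptions, not real sites.

```python
from urllib.parse import urlsplit

# Constructed sample links (not from the original post): every one of them
# mentions the bank somewhere, but only some actually go to the bank's domain.
SAMPLE_LINKS = [
    "https://www.mybank.example/login",
    "https://www.mybank.example.attacker-site.example/login",
    "https://mybank.example@attacker-site.example/",
    "https://attacker-site.example?next=https://mybank.example/",
    "http://mybank.example:8443",
]
TRUSTED_DOMAIN = "mybank.example"  # assumed brand domain for this example


def link_host(url: str) -> str:
    """Return the host a browser would actually contact for ``url``.

    Follows the post's rule (everything left of the first single '/' after
    the scheme) and closes the gaps that rule alone leaves: the host part
    also ends at '?' or '#', anything before '@' is user info rather than
    host, and a trailing ':port' is not part of the name.
    """
    start = url.find("://")
    start = start + 3 if start != -1 else 0
    end = len(url)
    for delimiter in "/?#":
        pos = url.find(delimiter, start)
        if pos != -1:
            end = min(end, pos)
    authority = url[start:end]
    host_port = authority.rsplit("@", 1)[-1]   # drop any user@ prefix
    return host_port.split(":", 1)[0].lower()  # drop :port (names/IPv4 only)


def points_to(url: str, trusted_domain: str) -> bool:
    """True only if the real host is trusted_domain or a subdomain of it.

    A bare endswith(trusted_domain) would accept 'notmybank.example',
    so the dot boundary is required.
    """
    host = link_host(url)
    return host == trusted_domain or host.endswith("." + trusted_domain)


def classify_links(urls, trusted_domain):
    """Map each link to (real host, goes-to-trusted-domain?)."""
    return {u: (link_host(u), points_to(u, trusted_domain)) for u in urls}


if __name__ == "__main__":
    for url, (host, ok) in classify_links(SAMPLE_LINKS, TRUSTED_DOMAIN).items():
        # Cross-check the hand-rolled rule against the standard library parser.
        assert host == (urlsplit(url).hostname or "").lower()
        print(f"{'OK     ' if ok else 'SUSPECT'} {host:45} <- {url}")
```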

VMLIP Addition:
The VML Insurance Programs Online University, powered by FirstNet Learning, includes important courses to help you understand your obligations in regards to HIPAA and PCI reporting.

Additionally, VMLIP’s Cyber Coverage endorsement expands coverage under the Local Government Liability Policy that provides coverage for privacy liability arising out of lost computer equipment, network security breaches and human errors.

Members can also benefit by taking advantage of resources through the eRisk Hub®. The eRisk Hub® contains information and technical resources that can assist you in the prevention of network, cyber and privacy losses, and support you in the timely reporting and recovery of losses if an incident occurs.

It also features the latest news, content and services from leading practitioners in risk management, computer forensics, forensic accounting, crisis communications, legal counsel, and other highly-specialized segments of cyber risk. Learn more and access the eRisk Hub® here.

VMLIP offers more than just coverage. We are partners in risk management. How does your insurer stack up? Having all lines of coverage with VMLIP ensures that your organization is receiving comprehensive coverage and a wide variety of value-added services tailored to Virginia’s local governmental entities. Call for a quote today: (800) 963-6800. For more information on VMLIP visit: or follow us on Facebook.

** VMLIP blog postings are offered for VMLIP members to utilize in strengthening their risk management efforts. See copyright information for clarification on sharing this information.