SEC Filings Show the True Cost of Ransomware Attacks


The number of ransomware attacks reached unprecedented levels in 2021, with ransomware threat actors demanding, and in many cases receiving, ransom payments of multiple millions of dollars. The world’s largest meat processor, JBS, confirmed in June 2021 that it paid the equivalent of 11 million in ransom to respond to the criminal hack against its operations.

Colonial Pipeline paid around 4.5 million to its ransomware attackers back in May 2021. The U.S. Department of Justice (DOJ) managed to get back around 2.3 million of that amount. In May that year, backup appliance supplier ExaGrid paid a 2.6 million ransom to cybercriminals that targeted the company with the Conti ransomware.

The actual costs of ransomware attacks, including lost revenues, can far eclipse the simple dollar amount of any ransom paid to the actors. For most private companies, the costs of ransomware attacks, and even the attacks themselves, can be hidden from plain view a lot of the time, which is one reason why mandatory ransom payment reports for all organizations became law last week.

On the other hand, publicly traded companies are obligated to report to the U.S. Securities and Exchange Commission (SEC) any cyber incidents that materially affect their operations. This includes ransomware attacks. Most publicly traded corporations registered with the SEC are obligated to report these attacks on an SEC form called 8-K.

Note: the SEC is developing plans to require all publicly traded firms to report material cybersecurity incidents within four days after the registrant determines that it has experienced such an incident.

Long hours of research into 8-K filings at the SEC found 10 publicly traded companies that reported a ransomware incident or even paid ransomware-related expenses. They also received ransomware-related insurance reimbursements during 2020 and 2021. Although most of these filings deemed the ransomware attacks not material or lacked financial data to spell out the costs experienced in dealing with the incidents, seven contained sufficient cost data to shed light on how high the costs of a ransomware incident can go.


The following snapshots show what happened to different companies, according to the Securities and Exchange Commission.

  1. Sinclair Broadcast Group: The media and broadcasting giant reported it experienced a ransomware incident in October 2021. Sinclair said it paid no ransom and was able to restore its network from backups, but some disruption impacted revenues and expenses. The incident resulted in a $63 million loss of advertising revenues for the broadcast segment in the fourth quarter and $11 million in remediation costs. After potential insurance reimbursements, the company estimates that the cyber incident will have resulted in approximately $24 million of unrecoverable net loss. However, that estimate may increase as details of the recovery are still fluid.
  2. Blackbaud, Inc.: Cloud technology company Blackbaud was hit by a ransomware attack in May 2020, after which it successfully prevented the threat actor from blocking its system access and fully encrypting files, ultimately expelling the actor from its system. However, the attacker removed a copy of a subset of data from its self-hosted, private cloud environment, and Blackbaud ended up paying the demanded ransom.

    During 2020, Blackbaud recorded $10.4 million of expenses related to the security incident and offset probable insurance recoveries of $9.4 million. Following the incident, Blackbaud was hit with approximately 570 claims for reimbursement of expenses from customers or their attorneys. In July 2021, a court allowed those lawsuits to proceed. In February 2022, Blackbaud entered into a credit agreement that anticipated up to $50 million of non-recurring legal expenses paid in cash associated with the data breach and related ransomware attack.
  3. WestRock Company: The differentiated paper and packaging solutions provider was hit by a ransomware attack on January 23, 2021, that disrupted its IT and operational technology systems. The company said that the impact on net sales and segment income from the lost sales and operational disruption during its second quarter of 2021 was $189 million and $80 million, respectively. WestRock also said it incurred approximately $20 million of ransomware recovery costs, primarily professional fees. WestRock said it expects to recover the ransomware losses from cyber and business interruption insurance in future periods.
  4. Radiant Logistics: On December 8, 2021, the logistics and multimodal transportation company experienced a ransomware attack that impacted its operational and IT systems. Radiant said the incident resulted in a loss of revenue and incremental costs for December, which are expected to adversely affect the company’s second-quarter results for the fiscal year 2022.

    The company noted that some data extraction related to its customers and employees occurred from the company’s servers before it took its systems offline. It is proactively engaging with those who may have been affected by these events. In detailing its full-year 2021 financials, Radiant said that it incurred $750,000 in ransomware-related incident costs during December, including third-party forensic experts and other IT professional expenses, legal fees, and incremental overtime and employee-related expenses.
  5. Mineral Technologies: The mineral technologies company suffered an Egregor ransomware attack on October 26, 2020. Mineral said it incurred $4 million in expenses relating to system restoration and risk mitigation following the ransomware attack for its fiscal year 2020.
  6. Benchmark Electronics: The electronics engineering firm initially reported a ransomware attack on November 5, 2019, that disrupted customer and employee access to its systems and services. The incident forced it to incur $7,681,000 in ransomware incident-related costs during its 2019 fiscal year. By year-end 2021, it recouped $3,989,000 of those costs, presumably from insurance reimbursements.
  7. Faneuil: The business process outsourcing solutions provider, a subsidiary of ALJ Regional, detected a ransomware attack on August 18, 2021. Faneuil launched an investigation and engaged legal counsel and other incident response professionals, and implemented a series of containment and remediation measures to address this situation and reinforce the security of its information technology systems using leading cybersecurity firms. As a result of the incident, Faneuil incurred expenses and penalties of approximately $2.8 million. Faneuil recognized an insurance recovery receivable of $1.9 million, with Faneuil receiving total insurance proceeds of $1.3 million. The remaining insurance proceeds are expected to be received before March 31, 2022.