A growing number of public companies are now listing ransomware as a forward-looking risk factor in documents filed with the US Securities Exchange Commission.
More than 1,000 documents mentioning ransomware as a risk factor have been filed over the last 12 months, and more than 700 in 2020 alone, with the number expected to easily surpass 2019's values.
Ransomware is now regularly mentioned in annual reports (10K and 20F), quarterly reports (10Q), special event filings (8K and 6K), and registration forms (S1) filed with the US regulator.
Alphabet, American Airlines, McDonald's, Tupperware, and Pluralsight, are just a few of the big-name companies that listed ransomware as a potential risk to their business over the past two days alone.
Companies are listing ransomware in SEC reports as a credible and potential future risk for their operations.
The purpose of these filings is to inform shareholders that the company is vulnerable and a possible target for ransomware gangs and that any ransomware infections could incur substantial and non-negligible losses to a company's bottom line.
Ransomware is getting more aggressive. Companies are noticing.
There are three main reasons for what we're seeing today in SEC filings in relation to ransomware.
The first is that the SEC published formal guidance in February 2018, asking companies to improve their disclosure of cyber-security risks. The document mentioned ransomware as a type of incident that needed to be disclosed, especially if the attack was widely reported in the news, was expected to incur noticeable financial losses for the current quarter, and was likely to impact share prices (shareholder profits).
The second reason is not related to the SEC, but to how ransomware has evolved as a cybercrime trend. Today, ransomware gangs have stopped targeting home users and are now primarily targeting large corporate networks, in search of extravagant ransom payouts.
Ransomware gangs are now ferociously aggressive in their pursuit of big companies. They breach networks, use specialized tools to maximize damage, leak corporate information on dark web portals, and even tip journalists to generate negative news for companies as revenge against those who refuse to pay.
Third, the damage from a ransomware infection has now reached unthinkable levels. Gone are the days when ransomware would ask for $500 to decrypt your files.
Today, ransomware decryption fees hover around the $110,000 mark, according to a report published by Coveware, a company that handles ransomware incident response.
Coalition, a provider of cyber-security insurance coverage, told ZDNet that average recovery costs for an insured company have now reached $210,000.
But that's just the "average" decryption fee and the "average" recovery costs, and those numbers also include smaller companies who don't have to file reports with the SEC.
Companies listed on the stock market usually face much higher ransom demands. For example, hackers asked $15 million from data center operator CyrusOne. They didn't get it, as the company restored from backups, but another ransomware gang received $2.3 million from currency exchange company Travelex in January -- which is today's highest ransom fee ever paid.
Companies finally starting to understand
But the losses from paying the ransom, even if the demand reaches millions, pale in comparison to the invisible costs that come with ransomware, namely lost business.
It was once considered that paying the ransom was an acceptable option for some companies, as they could restore files and get back up and running within hours.
However, the reality is not so. Even if companies pay the ransom demand, decrypting the locked data usually takes days, rebuilding or upgrading IT networks takes another few days or weeks, and companies end up with downtimes of weeks or months due to a ransomware attack.
These downtimes are having a severe impact on companies' bottom lines. Such costs have only recently started to surface, as companies have been filing end-of-year reports, where the overall effect of a ransomware attack becomes much clearer.
For example, Norwegian aluminum producer Norsk Hydro reported over $75 million in ransomware recovery costs and lost production during a two-month period it needed to restore its systems following a ransomware attack last year.
Travelex lost weeks restoring service from its December 2019 ransomware incident, then the coronavirus outbreak hit, and the company is now for sale, as shares have tanked and the business losses have mounted.
It's because of high-profile incidents like Travelex, Norsk Hydro, Merck, CyrusOne, Cognizant, Chubb, Pemex, and others that companies are now finally realizing the impact of a ransomware attack.
Listing ransomware as a risk factor in SEC filings shows that companies now understand the danger posed by a ransomware attack to their bottom line and are declaring it in advance to prevent shareholder lawsuits for negligence.
It also shows that ransomware gangs have evolved and perfected their operational tactics to a level of sophistication that even the mighty Alphabet -- Google's parent company -- lists ransomware as a credible danger to its many businesses.
Looking at the market as a whole, we can also see that the attention companies are now putting into declaring ransomware a risk factor on SEC forms mirrors their past interest in cyber-insurance coverage for ransomware attacks, both of which have started rising at the same time, in 2018.
"Ransomware is arguably the most significant cybercrime innovation in recent history," a spokesperson for cyber-insurer Coalition told ZDNet today.
"The ransomware business model is so effective that it is now the most common and devastating threat to organizations of all sizes. It is ransomware severity, specifically, that we believe is driving the sharp increase in ransomware-related SEC disclosures," Coalition added.