The British Library cyber event (which occurred in October 2023) and its subsequent, ongoing operational and fiscal impact provide a tangible, quantifiable example of the immediate and lasting impact a significant cyber event can have on an organisation.
The event also acts (in our opinion) as a clear counter-argument against those advocating an outright ban on organisations having the option to pay ransoms, and equally demonstrates the importance of organisations ensuring that their approach to cyber and technology risk is focused on resilience and not purely on prevention and defence.
The British Library is still facing the consequences of the cyber attack it suffered back in October 2023, which left its online services inaccessible. Further, it is claimed that 490,191 files, or 630GB of data, were stolen from the Library’s CRM database. The attack was claimed by the Rhysida ransomware group, which gave the Library just a week to pay £600,000 (roughly A$1.14 million); otherwise, it said, it would sell the data, which included passports and employment documents, to a third party.
Whilst the library did not pay the ransom, it now faces a bill 10 times larger, with “clean-up costs” expected to cost between £6 million and £7 million, according to an insider source speaking with The Financial Times.
The article notes that this reportedly amounts to roughly 40% of the Library's fiscal “reserves”, which stand at ~£16.4 million.
The British Library has so far spent at least £250,000, which it paid to cyber security provider NCC Group to initially tackle the incident. Some of the British Library's services are expected to return to normal sometime this month, including a reference-only version of its online catalogue; however, it is unclear whether all systems will return to full functionality.
This event provides a helpful, real-world demonstration of the importance of a resilience-focused cyber strategy. Organisations often focus excessively on the immediate costs of responding to an event; the British Library event shows the importance of understanding, considering and seeking to quantify the long-term costs of “clean-up” following a cyber event, as part of a resilience-focused strategy.
Specifically, returning to the overall cost of clean-up, many organisations tend to focus on the ransom and/or extortion demand and the immediate forensic and legal response costs, and fail to consider the costs of responding and recovering over the immediate to long term. These are typically a mix of forensic, “rebuild” (if applicable), legal, operational and reputational (PR) costs. Reputational costs and the potential loss of clients and customers are somewhat harder (but not impossible) to quantify; they can be measured more tangibly through the costs of “penance projects”, i.e. spending incurred to retain or reassure clients and customers.
As should now be apparent, these costs are not negligible, especially compared with what it would have cost to implement and test holistic measures as part of a resilience-led strategy before an event.
In the case of the British Library, the question to ask is: had the Library tested early, would that have had a tangible impact on the cost of the event? We suggest this is likely. An additional, important consideration is the role cyber insurance plays as an essential element embedded in an organisation's cyber security strategy.
Cyber insurance is instrumental in mitigating and containing risk throughout an organisation's digital and technology ecosystem. It is a valuable tool for defraying the financial harm that any cyber-resilience strategy must treat as inevitable, and in many cases provides crucial support in ensuring sufficient and effective investment in cyber security. Insurance is a risk management solution, and should be seen internally not only as a driver that incentivises companies to be more resilient, but also as something that every company wanting to address this risk needs to have as part of its holistic cyber security strategy.
The cyber risk “problem” is not the same for all organisations; however, a strategy driven by resilience can be applied to all, irrespective of size and industry or sector. When organisations view cyber risk holistically and quantify it as a financial metric, they better understand the magnitude of the cyber risk problem in the context of their other operational risks.
With this understanding, organisations can determine which cyber risks to accept, mitigate and transfer, and be better prepared to respond as well as they can, guided by a cyber-resilience-focused strategy.