Data breaches and ransomware attacks in the US are increasing companies’ risk of financial losses, in many cases dragging them into bankruptcy or putting them out of business altogether.
Data breaches cost companies across the world on average about $4.9 million, and nearly double that amount in the US, according to a 2024 study by IBM. Costs can differ based on a number of factors, including regulatory compliance requirements, sensitivity or complexity of the data involved, and subsequent litigation.
The International Monetary Fund warned last year that cyberattacks have more than doubled since the onset of the pandemic, increasing the risk of “extreme losses” for companies that could cause funding problems “and even jeopardize their solvency.”
Companies in bankruptcy are increasingly citing data breaches as contributing factors to their financial woes. In late November, the US-based units of alcohol distributor Stoli Group—maker of Stolichnaya vodka—filed for Chapter 11 relief, saying an August 2024 data breach and ransomware attack crippled some of the firm’s internal systems and caused “severe operational disruption.”
Background check provider National Public Data suffered a hack in late 2023 that compromised millions of personal records and later forced the company into bankruptcy as it faced a loss of business, multiple class actions, regulatory investigations, and duties to notify and pay for credit monitoring of affected individuals.
“You end up with a cascade of chaos,” said attorney Angelo Gasparri of Kelley Kronenberg, who represented National Public Data in its short-lived Chapter 11 case last year. “The victim becomes overwhelmingly responsible for the bad actions of an outsider.”
Specialty insurer
“The frequency is certainly going up,” said Mike Maletsky, a Hiscox USA vice president who leads cyber underwriting. The techniques used by hackers are “really ramping up more and more.”
Difficult Recoveries
Stoli Group said in court papers that the cyberattack it suffered last year added to its troubles by disabling accounting functions and other internal processes that haven’t been fully restored. The breach also caused issues complying with lender reporting requirements, the company said.
The spirit seller’s collapse followed a March 2024 bankruptcy filing by nursing home operator Petersen Health Care Inc., which lost access to billing records, emails, and other data after a ransomware attack in October 2023.
The company said it got back up and running following the attack, but the loss of books and records led to “incredible difficulty and delay in pursuit of the debtors’ accounts receivable, which is a crucial part of the debtors’ income.”
While a wide range of industries face ruinous cybersecurity threats, health-care providers are disproportionately targeted by ransomware attacks, according to FBI statistics.
Fallout from the widespread cyberattack last year on
The skilled nursing company noted that the Change Healthcare breach slowed reimbursements and “had a material impact” on its bottom line.
In an April report by the American Medical Association, 77% of physician practices surveyed shortly after the cyberattack said they experienced service disruptions as a result, and 80% said they lost revenue from unpaid claims.
A few respondents also cited fears of being forced into bankruptcy as a result, according to the findings.
Black Talon Security CEO Gary Salman launched his cybersecurity firm in 2018 after having numerous conversations with medical practitioners who complained of constant ransomware attacks that sometimes caused them to shut down for weeks on end.
Salman’s practice has grown as hackers become more skilled at taking down every operating system within a business, he said.
“We’ve had smaller businesses that have literally had to close their doors,” Salman said. “They just couldn’t survive the impact.”
Cyber Insurance
Operational problems are often just the first financial hit. There are attendant costs for investigating a breach, noticing others who may have been affected, potentially paying a ransom, and then defending lawsuits.
“If there is a large class action lawsuit after a privacy breach, those can be very, very expensive,” Maletsky said. “You can imagine a small company at some point throwing up their hands and saying, ‘I can’t run my business while this is going on.’”
National Public Data said it faced several class actions by the time it filed for Chapter 11 from individuals whose personally identifiable information was found on the dark web.
A Florida judge dismissed the company’s bankruptcy less than a month after it began, agreeing with the Justice Department’s arguments that the company’s lack of an applicable cyberinsurance policy put the estate and general public at great risk.
Gasparri, who had sought to run National Public Data’s case as an orderly wind-down, said the experience shows that if a company has any online presence, “cyber insurance starts to become an absolute mandatory thing.”
Cyber insurance policies are set up to cover a host of costs that can run businesses into the ground. But 75% of small businesses in the US are underinsured for cyber events, leaving business owners liable for the additional costs, according to Maletsky.
However, obtaining the right level of cyber insurance coverage has become more complicated, said Salman, comparing it to hurricane insurance in Florida.
“The coverage does help,” he said. But for any mid-size or large company, “you can never buy enough.”
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.