Cyber Attack Recovery Case Study
Blythe was the key driver behind the company’s successful rebuild and recovery efforts after a cyber attack, ensuring that operations could proceed uninterrupted and that all reporting obligations, including audit readiness, were met.
The FBI’s Internet Crime Report for 2022 says that more than 800,000 cybercrime-related complaints were filed that year, resulting in more than $10 billion in losses — a significant jump from $6.9 billion in 2021. The number of attacks and the size of the losses are only expected to grow. Entities of all sizes and types are at risk, from mom-and-pop shops to global public companies. For instance, MGM Resorts International, one of the world’s largest casinos, reported that a cyberattack in September 2023 disrupted operations and caused approximately $100 million in losses. However, reports show that small businesses are more frequently attacked because they have fewer resources to keep cybercriminals out. So, while the payout for ransom or the amount and value of the data may be less, hacks of small businesses are easier for cybercriminals to perpetrate in larger quantities.
The healthcare industry, including insurance providers, physician networks, and technology retailers, is a vulnerable target for cybercriminals. In May 2020, Trinity Health’s third-party vendor fell victim to a ransomware attack attempt. Before law enforcement was able to block the hack, data related to more than three million patients was stolen. While patients, of course, don’t want their private health information released, the stakes are also high for the hacked healthcare companies. The Health Insurance Portability and Accountability Act (HIPAA) creates strict privacy laws around protected health information, and failure to comply with these laws can result in hefty fines and even criminal prosecution.
Overview
Sophisticated cybercriminals hacked into a $500 million technology company, holding its accounting data and backup records for ransom while bringing business operations and services to a stand-still.
Even though the company took cybersecurity seriously and had implemented many internal and third-party safety measures to protect itself, a weakness was found and exploited by the cybercriminals, allowing the breach to occur. In this case, the company’s reputable IT provider inadvertently left an “open door” through which the cybercriminals gained access to the company’s system, so human error caused the breach.
The company consulted with their insurance provider and elected to pay the ransom via Bitcoin to release the data. This launched an encryption key exchange where the company worked with the cybercriminals’ “customer service” representatives to reclaim the information — a surprising situation that showed how prevalent and sophisticated cybercrimes have become.
Challenge
Several problems were created simultaneously by the hack:
- While the company had cyber insurance and paid the ransom, it was still not able to access all of its data after the ransom was paid. Because the hackers gained access to the data through a new software system the company was in the process of implementing, a manual process of recouping the stolen information needed to be developed.
- Once the stolen data was accessed, two months of records were still missing and needed to be recreated manually through emails, handwritten ledgers, check copies, vendor records, and revenue and bank statements in an auditable format.
- Recreating and recovering the stolen and lost data was extremely time-consuming and cost the company in terms of lost productivity, overtime hours to address the issue, staff turnover because of increased workloads, and lost business. These losses prompted an insurance claim for loss of continuity and business disruption.
The hack created additional risks that also needed to be addressed immediately:
- Loss of customer trust: Customers expected that the proprietary and financial information they shared with the company would be safe. The data breach had the potential to shatter that trust, which could lead to a loss of customer loyalty and a decline in customer retention.
- Reputational damage: A company’s reputation is one of its most valuable assets. A cybersecurity breach can significantly damage a company’s brand reputation, as it suggests a lack of competence, care, or investment in security measures. A damaged brand can be difficult and time-consuming to repair.
- Legal, regulatory, and public relations consequences: A data breach can trigger investigations and increased scrutiny by both regulatory bodies and the media. The company faced possible fines and requirements to increase security practices, along with demands for more transparency.

Solution
Blythe Global received the client’s call for help late on a Friday afternoon and its Cyber Attack Recovery “SWAT team” sprang into action. Working closely with the company’s CFO and controller, BGA’s Matt Snow helped the company develop a plan to recreate the accounting records and to get back up and running. In addition, Matt and his team compiled information about the extent and the scope of the breach to support the client’s insurance claim for lost revenue and other costs associated with the data breach and presented it to the insurance company.
Blythe Global brought a diverse skill set and a hands-on approach to help the client rebuild its dataset and liaise with the client’s auditors (Big 4 accounting firm) to ensure the records were compiled accurately and quickly. Armed with a proven effective post-cyber attack checklist, the BGA team launched a rebuild protocol that included creating a detailed events timeline, confirming the breach was isolated, retrieving financial statements, and working with staff and partners to identify losses and costs.
Result
With financial data restored and an accurate accounting of damages caused by the hack, the company was able to resume operations and recoup its losses.
In this case, a full recovery from the cyber attack was achieved — but it was a long and costly process.
Lessons Learned
The cyber attack and ransom payment served as a wake-up call for the company, highlighting the importance of robust cybersecurity measures. When it comes to cyber attacks, it’s not a matter of if, but when. Even when you think you’re prepared, cybercriminals find vulnerabilities, making it impossible for a company to be 100% protected.
Companies, therefore, should confirm and understand whether they have a good insurance policy in place, as well as invest in proactive security practices and contingency plans for potential cybersecurity breaches. This includes making regular software updates and having a checklist of steps to follow should an attack occur.
In addition, if a company does not use cloud-based services, its data should be backed up offsite, consistently, and on a different server than the company’s primary server so that information can be easily retrieved with as little disruption as possible.
Luckily, the company had an insurance policy in place that covered business interruption and allowed it to recoup some of the losses. The hack provided an opportunity to review the policy and assess if additional coverage would be beneficial. It also served as a reminder to review the policy regularly. In addition, any third-party IT providers or vendors should not only be highly reputable and vetted, they should also carry their own cybersecurity insurance policies.

Prevention
The company took many of the necessary steps to help prevent a cyber attack, but it was still not enough. Here are some of the ways companies can protect themselves from a data hack:
1. Risk Assessment and Management: Conduct regular risk assessments to identify potential security vulnerabilities. This includes evaluating the likelihood and potential impact of different types of cyberattacks. Based on this assessment, develop a risk management plan.
2. Implement Strong Security Policies and Practices: Establish and enforce robust security policies. This includes the use of strong, unique passwords, regularly updating and patching systems, and securing all endpoints.
3. Employee Education and Training: Employees often represent the first line of defense against cyberattacks. Regularly train staff on cybersecurity best practices, such as recognizing phishing attempts and securely handling sensitive data.
4. Vendor and Third-Party Management: Assess the security measures of any third parties or vendors who have access to your network or sensitive data. Ensure they meet your cybersecurity standards.
5. Use Advanced Security Technologies: Employ advanced security technologies like firewalls, antivirus software, intrusion detection systems and encryption measures. Regularly update these technologies to combat evolving threats.
6. Secure Network Access: Implement secure access controls for your network. This includes using Virtual Private Networks (VPNs), multi-factor authentication and ensuring secure Wi-Fi access.
7. Monitor for Threats: Continuously monitor networks for suspicious activity and have an incident response plan in place.
8. Compliance with Regulations: Stay compliant with relevant cybersecurity laws and regulations. This includes understanding and adhering to industry standards and best practices.
9. Regular Security Audits: Conduct regular security audits to identify and address vulnerabilities. This can include both internal audits and third-party security assessments.
10. Create a Culture of Security: Foster a company culture that prioritizes and values cybersecurity. This can include leadership involvement, regular communication about security issues and encouraging a proactive security mindset among all employees.
About BGA’s Cyber Attack Recovery Services
BGA is a financial services consulting firm with a difference. For over 15 years, our clients have benefited from working with experienced people who meet their complex accounting advisory needs. We help our clients improve revenue, reduce costs and improve profitability, filling the gap that often exists between accounting and financial services.
BGA provides integrated cyber attack recovery services designed to swiftly address challenges. We combine our expertise and technology to transform your cybersecurity stance and risk exposure. We offer practical suggestions for closing any gaps in your cybersecurity program and boosting the overall strength of your cyber defenses. We’ll conduct a thorough review of your cybersecurity practices and infrastructure, providing essential guidance on enhancing security controls, processes, technology, and governance to protect the confidentiality, availability, and integrity of your data.
BGA offers strategic cyber attack recovery solutions that enable you to focus on innovation and growth.

Marc Blythe, CPA, CGMA, Founder & President
Marc brings more than 30 years of experience advising companies of all sizes on their accounting and financial reporting requirements. He has helped mature companies solve complex business issues and emerging companies upgrade their accounting competency.

Salvador B. Sarabosing, Jr., CISA, CRISC, MBA, Partner, Risk Advisory Services
Sal has more than 22 years of experience in the finance and accounting industry with an emphasis on advisory services for small and mid-sized companies. He brings a unique perspective and distinct advantage to the advisory arena having provided these services as a Big Four audit manager, as the global head of compliance for a Fortune 100 corporation, and as a senior manager for one of the world’s leading advisory services firms.

Kevin Pacourek, Partner, Transaction Advisory Services
Kevin has more than 25 years of experience in the areas of business process outsourcing, transition management, project management, public company reporting requirements, and sales management.

Matthew deMontesquiou, CPA, Partner, Accounting Services
Matthew has more than 20 years of experience in the finance and accounting industry with an emphasis on advisory services. Prior to joining BGA, Matt was a Director of Finance for a SaaS-based company in Orange County. Before that, Matt was the Director of Internal Audit for Western Dental, one of the largest dental practices in America. Matt began his career at CBIZ/MHM, where he ran multiple audit engagements.

Matthew Snow, CPA, Executive Director
Matt is a seasoned executive who has more than 30 years of experience advising companies on accounting and financial reporting matters. In his current and prior role as a Big Four audit partner, he has served public and private companies ranging from start-ups to VC/PE backed to multi-national SEC registrants. He brings experience with respect to accounting matters, financial reporting, auditing, internal control policies and procedures, and financial analysis.