As the British Library copes with its alarming cyberattack, what can other businesses learn?

The British Library has been managing a cyber-attack on its networks since 31st October 2023, which disrupted its website, online services and some onsite operations. The Library, a critical public institution, has been transparent about the events that unfolded, providing a unique insight into the widespread impact that cyber events can have on organisations. The Library is one of the world’s largest document repositories and a critical UK research body, and the ransomware event rendered many of its services inaccessible, forcing them offline with unfortunate consequences for many of its users.
 

What was the fallout?

After the Library refused to pay the £600,000 ransom – roughly 20 bitcoin – hundreds of thousands of stolen files were published online, including user and employee data. The attack reportedly came from the Rhysida group, which has previously been linked to various attacks on publicly funded services including governmental agencies, schools and hospitals.[1]

Some 2-3 months later, much of the British Library’s online catalogue (almost 170M pieces of work including musical recordings, maps, newspapers, diaries, film scripts, letters and 36M books) remained unavailable. This led to delays and complications for its user base, who are predominantly students, academics and authors. In response, the Library moved to manual operations, with librarians finding items on shelves rather than electronically sweeping through the vast database that they spent the last 11 years digitising. Most of the database has now been restored, but the digital booking process remains out of use[2] and it may be another year before all services are restored.

The fallout has transcended the British Library. Nearly 20,000 authors, who were paid up to circa £8,400 per year[3] for use of their material within the Library’s collection, saw payments suspended while system repairs took place. This serves as a reminder of how third parties can also inadvertently be financially impacted by these kinds of events.

 

What are the economic consequences?

The Financial Times has reported that the Library could drain up to 40% of its reserves to recover from the attack, and spend multiples of the original ransom demand to rebuild digital services at an estimated cost of £6M-7M.[4] Earlier publications suggested that £250,000 was paid to the forensics firm NCC Group for an initial response to the attack.

Restoring digital assets and employing forensics services aren’t the only economic consequences associated with ransomware attacks. Negotiation with threat actors and any payment of a ransom can incur significant costs. Loss of business income and extra expenses are often an economic consequence of being forced to go offline too. Moreover, loss of confidential customer or employee data can trigger legal liabilities as well as regulatory scrutiny that may only come to light months, or even years, after the event has taken place. There are also reputational implications that can impact future sales in some extreme cases.

A growing problem

Ransomware attacks are increasing in sophistication and pose a global challenge to businesses in general. Despite coming second only to the US on the Global Cyber Security Index[5] (a multi-stakeholder initiative that measures the commitment of countries to cybersecurity at a global level), the UK’s private and public sectors continue to experience frequent, nefarious cyber activity. According to the UK Official Statistics Cyber Security Breaches Report 2022, 39% of UK businesses identified cyberattacks in 2022.[6] Some 31% of businesses and 26% of charities noted them as frequently as once a week.

The cyber security provider NCC Group, which worked on the British Library’s recovery, tracks yearly ransomware activity, and its most recent report[7] shows that 4,666 incidents were recorded in 2023 vs 2,530 in 2022, an increase of 85% overall (see figure below).

[8]

Action Plan

No organisation is immune from cyber-attacks. Whilst companies have traditionally been concerned about the impact of a data breach, the situation in which the British Library has found itself is a reminder of the sometimes less considered impact on a business if its own data is rendered inaccessible or unusable.

So how do businesses successfully navigate cyber incidents? Simply put, preparation is key: strategic investments in cyber defences reduce vulnerability to prolonged disruption or outsized losses in the event of a breach, but they are not infallible. It is therefore of paramount importance that businesses have considered their response if the worst were to happen.

As well as a comprehensive cyber risk management programme, we would suggest that:

  • Redundancy is baked into the design of networks and databases where possible
  • A disaster recovery plan for cyber events is implemented and tested
  • Backup procedures such as encryption and segregation from the corporate network are implemented and backups are regularly tested

After a cyber risk management strategy has been implemented and investments have been made in necessary tooling, residual cyber risk can be transferred into the insurance market. This will further build resiliency and harden incident response processes by embedding service providers into recovery plans. It also provides financial protection against the potentially catastrophic (both foreseen and unforeseen) consequences associated with the event, including recovery costs, ransom negotiation and (where necessitated) ransom payment, business interruption, extra expense, privacy and regulatory liability and reputational loss.

To read more about the topic of cyber insurance and cyber security, you can download Howden’s latest cyber report “Coming of Age” here.

If you would like to discuss cyber insurance solutions please get in touch.

Daniel Leahy

Divisional Director of Cyber and Technology Solutions, Howden
