RiskLens Fast Facts on Cyber Risk for Local Governments – Suffolk County, NY, Ransomware Attack

September 27, 2022  Jeff B. Copeland

City Hall - Ransomware Attacks Local GovernmentOn September 8, 2022, a ransomware gang (reportedly ALPHV or BlackCat) seized the IT services of Suffolk County, NY, knocking out email and websites including the title searches needed for real estate sales. The attackers even disconnected the 911 system, forcing the county to turn to the NYPD to field emergency calls. The county warned residents to check their credit reports, as PII has been accessed. According to county officials, the attackers had been inside systems since the previous December, exploiting an unpatched Log4j vulnerability. 

RiskLens is the leader in quantitative analysis of cyber risk.

Estimate of Probable Costs for Suffolk County from the Ransomware Attack 

Using the RiskLens My Cyber Risk Benchmark tool, we can estimate the probable effect (in annualized dollar amounts) of a ransomware incident on a government agency of Suffolk Country’s size:

  • $4.7M for Primary Response Costs (incident management)
  • $338.3K for Lost Revenue
  • $13.3K Secondary Fines & Judgments (levied by government regulators, for instance)
  • $5.0M Total 




Local Governments Cyber Incidents Count

According to the 2022 Verizon DBIR, the public administration sector was hit with 2,792 cyber incidents in 2021, including 537 data breaches. That placed this industry at number three for total incidents, also number three for data breaches, out of 21 surveyed. 

Most Probable Cyber Risks by Incident Frequency and Loss for Government

The RiskLens data science team estimates risk for companies in an industry category based on the cyber events history plus a wide range of parameters such as revenue (or government budget), number of employees and number of database records.

In RiskLens modeling, a ransomware event for a government agency of Suffolk County’s size comes in relatively low at a 14.5% probability in a year, but that’s relative to the very high probabilities for other forms of attack, as shown in the chart below. Public administration is the most likely to be targeted and the least well-protected among industry types.

Benchmark - Public Adm - New 11 17 22Here's how the government sector compares to others for ransomware attacks, far out ahead for likelihood in a year.

Benchmark - Public Admin - New 2 11 17 22

Database Size and Security Posture Make a Difference 

Adjusting the parameters on the My Cyber Risk Benchmark tool gives clues on how to reduce cyber loss exposure. 

For instance, reducing the number of records in a database, but leaving the other settings the same for a public agency of Suffolk County’s characteristics shows this $1.3M improvement for a ransomware event 

  • 1M-10M Records = $2.5M Loss
  • 100K-1M Records = $1.2M Loss 

To rate security posture, the Benchmark tool incorporates grading by Security Scorecard. Here’s how the annual probabilities of a ransomware attack go up for a government organization comparable to Suffolk County as security grades go down, suggesting the value of controls investments. (Security Scorecard rated Suffolk County at “D”).

  • A rating = 6%
  • D rating = 14.5%

Try the My Cyber Risk Benchmark tool for yourself – get a free trial.