Commentary | Critical Infrastructure | OT / ICS | Transport | Healthcare

The Real Cost of a Critical Infrastructure Attack: Beyond the Ransom

When a significant ransomware incident hits a critical infrastructure operator, the public and media attention focuses on two numbers: the ransom demanded and — if known — the ransom paid. These numbers generate headlines. They also profoundly misrepresent the actual cost of a major cyber incident.

The ransom is almost never the largest cost. In the incidents where full financial data has eventually become available, it is often not even the second or third largest cost.

Colonial Pipeline: The Numbers That Didn’t Make the Headlines

In May 2021, Colonial Pipeline paid $4.4 million in Bitcoin to the DarkSide ransomware group after an attack that shut down the largest refined products pipeline on the US East Coast for six days. The $4.4 million figure was reported extensively. The other costs were not.

Operational impact: The pipeline shutdown caused fuel shortages across six US states. Panic buying, flight cancellations, and supply chain disruption affected businesses and consumers across the south-eastern United States. The economic impact of the disruption — separate from Colonial’s own costs — ran to hundreds of millions of dollars.

Recovery costs: Getting a complex pipeline operational technology environment back online safely after a ransomware event required specialist OT recovery teams, hardware replacement, vendor engagement, and weeks of testing before full operations resumed. Specialist OT incident response is expensive: day rates for experienced practitioners run to £8,000-£15,000, and a complex recovery may require teams working for weeks.

Regulatory and legal costs: Colonial faced multiple investigations and civil claims arising from the incident. Regulatory scrutiny of pipeline cybersecurity increased substantially, with compliance obligations that continue to generate costs years later.

Insurance: Colonial’s cybersecurity insurance covered a portion of costs, but not all. Many insurers have since tightened terms for critical infrastructure operators, with some sectors finding coverage difficult to obtain at reasonable premiums.

The total cost to Colonial Pipeline is estimated at over $500 million when all categories are included. The $4.4 million ransom was less than 1% of the actual cost.

NotPetya: The $10 Billion Lesson

NotPetya — which in 2017 was disguised as ransomware but was actually a destructive wiper deployed by Russian military intelligence against Ukrainian targets — caused collateral damage to Western companies that had operations in Ukraine and Russia.

Maersk, the global shipping conglomerate, lost the entirety of its IT infrastructure across 130 countries in a matter of hours. The recovery required reinstalling 45,000 PCs and 4,000 servers, rebuilding the environment from scratch. The financial impact was approximately $300 million.

Merck, the pharmaceutical company, suffered approximately $870 million in damage. FedEx’s TNT Express subsidiary: $400 million. Mondelez: $180 million. Reckitt Benckiser: $130 million.

None of these companies were the intended target. They were caught in the blast radius.

The lesson is not that these companies were careless — several had reasonable IT security programmes by the standards of the time. The lesson is that a sufficiently destructive attack can overwhelm mature defences, that the costs accumulate across dimensions most financial models don’t capture, and that critical infrastructure attacks can have cascading effects that reach far beyond the original victim.

The Cost Categories That Don’t Show Up in Ransom Headlines

When a critical infrastructure operator is hit, the costs typically fall into categories that are harder to report but more significant in aggregate:

Operational downtime. The revenue impact of being unable to operate — or operating at reduced capacity — for the duration of an incident. For a hospital, this means cancelled surgeries, diverted patients, deferred procedures. For a utility, it means manual operations, reduced output, and potential contractual penalties. For a transport operator, it means cancelled services and compensation claims.

Specialist recovery costs. OT environments cannot be recovered using standard IT recovery playbooks. The engineers who understand industrial control system recovery are scarce and expensive. Recovery timelines are measured in weeks, not hours.

Regulatory exposure. Critical infrastructure operators face reporting obligations under the NIS2 Directive, sector-specific regulators, and the ICO for any personal data impact. Regulatory investigations impose cost regardless of outcome. Non-compliance penalties can be material.

Insurance implications. Organisations that have suffered a significant incident often find their insurance terms significantly worsen at renewal, with exclusions added, premiums increased, and coverage limits reduced. Cyber insurance for CNI operators is already difficult to obtain; a significant incident may make it impossible.

Reputational and contractual. For operators with commercial contracts, service level failures trigger penalties. Customers and partners re-evaluate relationships. For regulated businesses, reputational damage with a regulator has regulatory consequences that extend years into the future.

Third-party systemic costs. In interconnected supply chains and infrastructure networks, the cost of an incident at one operator propagates to others. This creates legal exposure and commercial relationship damage that is difficult to model but very real.

What This Means for Investment Decisions

The implication for boards and finance executives is that cyber investment decisions should be benchmarked not against the cost of a ransom, but against the total cost of an incident.

A £500,000 investment in OT security controls, network segmentation, and incident response capability sounds large in isolation. Compared to a £50 million total cost of an incident — a conservative estimate for a mid-size CNI operator — it is 1% of the exposed risk. By almost any financial model, that is a rational investment.

The organisations that have been most seriously damaged by cyber incidents are typically not ones that made a considered decision that investment wasn’t worthwhile. They are ones where the risk was not adequately quantified, the board was not adequately informed, and the decision about investment was made without full visibility of what was at stake.

Boards that want a more honest picture of their cyber risk should ask their finance team to run a scenario model: what does an incident that renders our core operational systems unavailable for two weeks actually cost, in each of the categories above? The answer to that question, not the cost of the most recent pen test, is the number that should frame investment conversations.
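The scenario model described above, as an added worked example that is not part of the original commentary: it takes the six cost categories named in the article, attaches a low / most likely / high estimate to each for a two-week outage, collapses each into a single expected figure with a three-point (PERT) estimate, and compares the expected total with a proposed security investment. Using ranges rather than one number per category goes slightly beyond the text, but it is how a finance team would normally avoid anchoring on a single optimistic figure. Every monetary value is a constructed placeholder for a hypothetical mid-size operator; the only figure taken from the article is the £8,000-£15,000 specialist OT day-rate range.

```python
"""Two-week outage scenario model (added example; all figures are constructed
placeholders except the specialist OT day-rate range quoted in the article)."""
from __future__ import annotations

from dataclasses import dataclass

OUTAGE_DAYS = 14  # the "two weeks" scenario the article suggests boards ask for


@dataclass(frozen=True)
class CostEstimate:
    """Low / most likely / high estimate for one cost category, in GBP."""
    category: str
    low: float
    mode: float
    high: float

    def pert_expected(self) -> float:
        # PERT mean: the most likely value is weighted four times as heavily as
        # either extreme, so a wide tail raises the expectation without letting
        # the worst case dominate.
        if not self.low <= self.mode <= self.high:
            raise ValueError(f"{self.category}: need low <= mode <= high")
        return (self.low + 4 * self.mode + self.high) / 6


def downtime_cost(daily_revenue: float, days: int, capacity_lost: float) -> float:
    """Revenue lost while operating at reduced capacity (capacity_lost is 0..1)."""
    if not 0.0 <= capacity_lost <= 1.0:
        raise ValueError("capacity_lost must be a fraction between 0 and 1")
    return daily_revenue * days * capacity_lost


def specialist_recovery_cost(engineers: int, days: int, day_rate: float) -> float:
    """Cost of an external OT recovery team billed at a daily rate per engineer."""
    return engineers * days * day_rate


def build_scenario(outage_days: int = OUTAGE_DAYS) -> list[CostEstimate]:
    """Constructed placeholder estimates for a hypothetical mid-size CNI operator."""
    daily_revenue = 400_000.0  # placeholder: ~GBP 146m annual turnover
    return [
        # Operational downtime: 50% to 100% of revenue lost for the outage period.
        CostEstimate("Operational downtime",
                     downtime_cost(daily_revenue, outage_days, 0.5),
                     downtime_cost(daily_revenue, outage_days, 0.8),
                     downtime_cost(daily_revenue, outage_days, 1.0)),
        # Specialist recovery: team size and duration grow with the scenario;
        # day rates span the article's GBP 8,000-15,000 range. Recovery usually
        # outlasts the outage itself, hence the 2x and 3x durations.
        CostEstimate("Specialist recovery",
                     specialist_recovery_cost(4, outage_days, 8_000),
                     specialist_recovery_cost(6, outage_days * 2, 11_500),
                     specialist_recovery_cost(8, outage_days * 3, 15_000)),
        # Remaining categories are direct placeholder ranges.
        CostEstimate("Regulatory exposure", 250_000, 1_000_000, 5_000_000),
        CostEstimate("Insurance implications", 100_000, 400_000, 1_500_000),
        CostEstimate("Reputational and contractual", 500_000, 2_000_000, 8_000_000),
        CostEstimate("Third-party systemic", 0, 1_500_000, 10_000_000),
    ]


def expected_by_category(scenario: list[CostEstimate]) -> dict[str, float]:
    return {c.category: c.pert_expected() for c in scenario}


def expected_total(scenario: list[CostEstimate]) -> float:
    return sum(expected_by_category(scenario).values())


def investment_ratio(investment: float, scenario: list[CostEstimate]) -> float:
    """Proposed security spend as a fraction of the expected incident cost."""
    return investment / expected_total(scenario)


if __name__ == "__main__":
    scenario = build_scenario()
    for name, value in expected_by_category(scenario).items():
        print(f"{name:<30} GBP {value:>14,.0f}")
    total = expected_total(scenario)
    print(f"{'Expected total':<30} GBP {total:>14,.0f}")
    proposed = 500_000.0  # the article's illustrative investment figure
    print(f"Proposed investment is {investment_ratio(proposed, scenario):.1%} "
          "of the expected incident cost")
```

Running the module prints one expected figure per category plus the total and the investment-to-exposure ratio. The placeholders are deliberately easy to replace: a finance team would substitute its own daily revenue, contracted penalty schedules and regulator history, and the structure (ranges per category, PERT collapse, ratio against spend) stays the same.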
