The cyber incident at Laurentian University that came to the university’s attention Feb. 18, 2024 cost the school almost $818,000, much of it comprising consulting fees, according to information obtained by Sudbury.com through a freedom of information request.
However, Laurentian said it has submitted these costs to its insurance company in hopes of having them covered.
“Please note that the costs incurred below do not represent the University’s final financial exposure, as the University has submitted an insurance claim for these costs, which is still being adjusted by the University’s Insurer,” said the April 11 letter from Laurentian information and privacy officer Brett-Henry Kraft, which accompanied the information.
The breakdown of costs related to Laurentian’s 2024 cyber incident are as follows: consulting and coaching ($689,222.12); credit monitoring ($27,336.96); overtime ($77,896.33); printing ($3,203.88); postal ($18,306.09); meals and travel ($1,975.61).
Sudbury.com submitted formal freedom of information requests for several categories of information related to Laurentian’s 2024 cyber incident in February of this year, although so far, only the information related to costs has been provided.
We requested this information after doing a follow-up story one year after the cyber incident happened at Laurentian.
Earlier this year, Sudbury.com sought an interview with an administrator to look at the impact of the cyber incident and how the university has changed its operations as a result.
However, we instead received a written statement that did not provide all of the information we were seeking, hence the freedom of information request.
We also provided Laurentian University the opportunity to comment on the information received through the freedom of information request.
Our request for an interview with a senior administrator was declined, but we were invited to submit questions by email. That information will be added to this story in the event that it is received.
We also similarly put in a freedom of information request to the Rainbow District School Board related to the cyber incident the school board experienced this winter after the board declined to answer media questions.
Laurentian’s cyber incident first came to the university’s attention Feb. 18, 2024, and resulted in widespread outages of its IT systems, including the university’s website, its on-campus wifi and its D2L teaching software, throwing the winter semester into chaos.
Laurentian received, but did not pay, a ransom demand.
The personal information of some individuals associated with the Living with Lakes Centre / Co-operative Freshwater Ecology Unit and the Northern Ontario School of Medicine was breached due to the situation.
Laurentian said that new measures brought in since the cyber incident to protect against future situations of this nature include the implementation of new virtual private network (VPN) software; the installation of endpoint detection and response software; the reconfiguration of firewalls to further restrict access to certain systems, and; the implementation of a new vulnerability management solution.
To shed more light on the costs related to Laurentian’s cyber incident, Sudbury.com reached out to cyber security expert Ritesh Kotak, who has now spoken to us several times since the situation at the university arose last year.
Kotak said the costs provided by the university aren’t unusual, and in fact, could actually be higher if any physical infrastructure had to be replaced, something that wasn’t included in the costing provided by Laurentian.
In terms of the “consulting and coaching” line item, Kotak said it’s very normal for large organizations experiencing a cyber incident to bring in a “breach coach” to deal with the situation.
When you’re dealing with a breach, organizations need someone to assist them in knowing which systems to shut down, how to continue their business, what technology has to be replaced and dealing with communications, he said.
During a cyber incident, Kotak said it’s an “extremely stressful time,” and he knows of cases where employees have suffered consequences to their health or even taken their own lives.
“So yes, it is very normal to have a breach coach when you're going through something of this scale,” he said. “In some cases, it’s even required by the insurance companies that you have somebody come in to assist you.”
A lot of large organizations these days do have cyber insurance, and small businesses are also looking at getting it, Kotak said.
“There are requirements that the underwriter may put as well, for example, ensuring that you have proper procedures in place, that training has occurred, that certain systems are in place,” he said.
Similarly to what happens after a car crash, Laurentian’s lawyers “are probably working with the insurance companies to figure out what is the quantum of the settlement. Maybe the insurance company saying certain things will be covered and certain things won't, and they're trying to make an argument on why certain things should be covered, just like any other insurance related settlements. It’s very normal.”
With more organizations becoming the victim of cyber incidents in recent years, “the costs are significant there, and they're only going up,” because breaches are becoming more sophisticated, Kotak said.
“So they're increasing in sophistication, which means you need more specialized skill sets to make the organization whole again, which means, in turn, it's going to cost you more money,” he said.
Heidi Ulrichsen is Sudbury.com’s assistant editor. She also covers education and the arts scene.