
Cybersecurity budgets are often built on assumptions, including the assumption that backups will always work, that insurance will cover the losses and that existing controls are “good enough.” Yet, when those assumptions fail, the operational fallout can be staggering. The City of Hamilton in Canada learned this lesson when a ransomware attack crippled nearly 80% of its network and left taxpayers facing a CAD $18.3 million recovery bill. Misplaced assumptions regarding backups, authentication, insurance and system resilience can lead organizations to underestimate risk and drive up the cost of a cyberattack.
City of Hamilton Breach Overview
On 25 February 2024, the City of Hamilton was hit by a ransomware attack that impacted much of its municipal networks. Cybercriminals gained access through an exposed system with weak credentials, encrypting internal infrastructure and disrupting core services, including business licensing, property-tax processing, and transit planning. The attackers demanded CAD $18.5 million for a decryption key, a ransom the city refused to pay. Instead, officials relied on what they described as “secure and well-maintained backups” to restore systems and resume operations.
By 30 June 2025, however, the total cost of the breach had reached CAD $18.3 million. To add to this impact, Hamilton’s insurer denied the cyberinsurance claim, citing the city’s failure to fully implement the required multifactor authentication (MFA) to protect sensitive systems.
How Assumptions Inflate Breach Costs
The Hamilton incident demonstrates how easily assumptions can be wrong and contribute to escalating costs and prolonged recovery. There are four assumptions that led to the outcome Hamilton experienced:
Assumption 1—“Our backups will save us.”
Many organizations assume that having backups means they are safe from ransomware. In Hamilton’s case, the city did recover most of its data from backups instead of paying the ransom. However, the breach exposed a confidence gap between having backups and recovering data from them.
The cost of this false sense of security was significant:
- Even with backups, restoration required extensive time, staffing, and third-party expertise. Out of the CAD $18.3 million, Hamilton spent over CAD $14 million on external specialists for the response and rebuilding activities.
- The downtime and service degradation carried their own price: lost productivity, disrupted operations, and public frustration as departments reverted to manual processes and temporary platforms.
- Several systems, including permitting systems, were unrecoverable, proving that “we have backups” is different from “we can restore operations quickly.”
Assumption 2—“We have the controls required by our cyberinsurance.”
The cyberincident in Hamilton demonstrates that cyberinsurance is only as strong as its controls: the city’s insurance claim was denied because the required MFA was not fully implemented.
The cost of this assumption was steep:
- With the claim denied, the City of Hamilton must absorb the entire CAD $18.3 million recovery bill through its own budget.
- The city’s continuity planning was undermined by misplaced confidence in insurance coverage that did not match its control maturity.
- Public trust suffered as taxpayers learned that the payout was forfeited due to a compliance gap, turning the ransomware attack into a governance and accountability issue.
Assumption 3—“Our segmentation will contain the damage.”
Many organizations trust segmentation to contain attacks. In Hamilton’s case, that assumption did not hold. Once inside, the ransomware propagated across the city’s environment, disabling roughly 80% of its systems. Partial or outdated segmentation offers only a false sense of security; real containment requires continuous testing, enforcement and monitoring.
The cost of this assumption was widespread:
- Weak segmentation allowed the attack to move laterally, increasing the number of affected systems and the scope of recovery work.
- Even though critical infrastructure such as water and wastewater operations remained online, the breadth of disruption multiplied the cost and complexity of recovery.
Assumption 4—“Our cybermaturity is good enough.”
Strong governance and skilled staffing are the backbone of cyberresilience, yet many organizations overestimate their readiness. In Hamilton’s case, a 2021 audit flagged major gaps in governance, leadership, and resources, warnings that were left unresolved before the breach.
The cost of this assumption was cumulative:
- Understaffing in cybersecurity roles limited the city’s ability to implement and monitor key controls. Furthermore, frequent leadership turnover delayed the execution of security initiatives.
- Training programs were outdated, with no formal upskilling of security staff provided since 2020, leaving gaps in both awareness and technical readiness.
How Assumptions Multiply the Cost of a Breach
The City of Hamilton’s experience shows that the true cost of a cyberincident extends far beyond the initial response. Each phase of incident response introduces new financial pressures, especially when early assumptions prove wrong. The example cost table in figure 1 demonstrates how expenses accumulate as the response and recovery progress.
Figure 1—Example Cost Table
| Layer | Description | Estimated Cost / Timeframe | Key Insights |
|---|---|---|---|
| 1. Base cost – immediate response | Forensics, containment, and engagement of external experts. | US$5.7 M (total costs, up to May 2024) | Early response costs surge when preparedness and incident playbooks are untested. |
| 2. Recovery cost – restoring systems | Rebuilding infrastructure and restoring applications. | US$18.3 M (total costs, up to June 2025) | Recovery takes longer and costs more when backups or segmentation efforts fall short. |
| 3. Transformation cost – program | Multiyear program to modernize and strengthen resilience. | 2025 – 2027 (program costs to support transformation efforts) | Investments in modernization turn short-term fixes into long-term improvements. |
| 4. New ongoing operating costs – sustaining resilience | New tools, platforms, and support teams raise the city’s permanent IT operating baseline. | Post-2025 (additional operational costs for the improved cyberoperating model) | Resilience brings lasting operational costs to maintain security maturity. |
| 5. Opportunity and hidden costs – the public impact | Downtime, service disruption, delayed projects, reputational harm, and insurance implications. | Unquantified to date | Direct and indirect impacts erode public trust and reputation. |
When assumptions fail, a cyberincident evolves from an immediate failure into a sustained financial burden. Resilience requires not just recovery, but the foresight to fund ongoing operations, governance and continuous improvement.
Lesson Learned: The Real Price of Assumptions
The City of Hamilton’s ransomware incident demonstrates how untested assumptions can turn into costly liabilities. For ISACA® professionals, the message is clear: resilience begins with understanding risk, not assuming it away. Hamilton’s Mayor, Andrea Horwath, expressed determination after the incident, encouraging the city to learn from the breach: “I understand why Hamiltonians are frustrated - this was a serious and costly breach. We expect our public systems to be strong, secure, and dependable. This incident highlights that the city fell short of that standard, and we’re not okay with that. But we acted swiftly, and we’re moving forward with focus and determination. This is also a clear and indisputable reminder that timely investments in public infrastructure help prevent far more costly reactive responses down the line.”
Aligning practices with cyberinsurance requirements, testing controls and strengthening governance are financial safeguards. When assumptions replace verification, the cost extends far beyond the initial breach, measured not only in millions spent, but in years of recovery, higher operating budgets and impact to public trust.