The cybersecurity incident identified on October 17, 2021 resulted in the loss in the fourth quarter of 2021 of approximately $63 million of advertising revenue, primarily related to our broadcast segment, as well as approximately $7 million through the date of filing of this Form 10-K in costs and expenses related to mitigation efforts, our investigation and the security improvements resulting therefrom. However, we did not pay the ransom that was being sought as a result of the cybersecurity incident.
These amounts exceeded the limits under our insurance policies and thus, based on the known effects of the cyber incident, the Company estimates that the cyber incident has resulted in approximately $20 million of unrecoverable net loss through the date of filing of this Form 10-K. Although we have received $30 million in reimbursement proceeds from our insurance policies through the date of filing of this Form 10-K, there can be no assurance that the insurance policies will pay their full coverage or the timing of such additional reimbursements. In addition, the Company may incur additional cyber incident response costs, and the estimated unrecoverable net loss above does not include an estimate of any liability the Company may have in the event that litigation or regulatory proceedings result from the incident.
We recurringly identify cyber threats as well as vulnerabilities in our systems and work to address them. Despite our efforts and the efforts of our third-party vendors to ensure the integrity of our software, computers, systems and information, we may not be able to anticipate, detect or recognize threats to our systems and assets, or to implement effective preventive measures against all cyber threats, especially because the techniques used are increasingly sophisticated, change frequently, are complex, and are often not recognized until launched. Cyber attacks can originate from a variety of sources, including external parties who are affiliated with foreign governments or are involved with organized crime or terrorist organizations. Third parties may also attempt to induce employees, customers or other users of our systems to disclose sensitive information or provide access to our systems or network, or to our data or that of our counterparties, and these types of risks may be difficult to detect or prevent. We expect cyber attack and breach incidents to continue, and we are unable to predict the direct or indirect impact of future attacks or breaches on our business operations.
Investigations of cyber attacks are inherently unpredictable, and it takes time to complete an investigation and have full and reliable information. While we are investigating a cyber attack, we do not necessarily know the extent of the harm or how best to remediate it, and we can repeat or compound certain errors or actions before we discover and remediate them.
The occurrence of a cyber attack, breach, unauthorized access, misuse, ransomware, computer virus or other malicious code or other cybersecurity event could jeopardize or result in the unauthorized disclosure, gathering, monitoring, misuse, corruption, loss or destruction of confidential and other information that belongs to us, our customers, our counterparties, our employees, and third-party service providers that is processed and stored in, and transmitted through, our computer systems and networks. The occurrence of such an event could also result in damage to our software, computers or systems, or otherwise cause interruptions or malfunctions in our, our customers’, our counterparties’ or third parties’ operations. This could result in significant financial losses, loss of customers and business opportunities, reputational damage, litigation, regulatory fines, penalties, significant intervention, reimbursement or other compensatory costs, significant costs to investigate the event, remediate vulnerabilities and modify our protective measures, or otherwise adversely affect our business, financial condition or results of operations. While we maintain insurance to cover losses related to cybersecurity risks and business interruption, such policies, as was the case with respect to the October 2021 cybersecurity incident, may not be sufficient to cover all losses of this incident or any future incidents.
Data privacy, data protection, and information security may require significant resources and present certain risks.
We collect, store, have access to and otherwise process certain confidential or sensitive data, including proprietary business information, personal data or other information that is subject to privacy and security laws, regulations and/or customer-imposed controls. Despite our efforts to protect such data, we may be vulnerable to material security breaches, theft, misplaced or lost data, programming errors, or employee errors that could potentially lead to the compromising of such data, improper use of our systems, software solutions or networks, unauthorized access, use, disclosure, modification or destruction of information, and operational disruptions. In addition, we operate in an environment in which there are different and potentially conflicting data privacy laws in effect in the various U.S. states in which we operate, and we must understand and comply with each law and standard in each of these jurisdictions while ensuring the data is secure. Our failure to comply with those regulations or to adequately secure the information we hold could result in significant liability or reputational harm.
6