Erm
So they're claiming that all work to prevent future attacks is the result of this one attack, rather than what they should have been doing anyway?
An organisation whose network was infected by Ryuk ransomware has spent $8.1m over seven months recovering from it – and that’s still not the end of it, according to US news reports. The sum, spent by Baltimore County Public Schools, will doubtless raise some eyebrows and the public breakdown of the costs will be eye-opening …
This is the problem with Cyber/Info Sec, some products are easier to show ROI on than others and many it's very much a benefit which end users don't see or don't notice e.g. less down time.
I frequently use incidents like this, Wannacry etc to show what can happen and I'm a huge fan of risk assessments as a way to make senior management accountable for what is or is not done. Sadly that doesn't seem to be done in many companies though.
To keep that competitive edge they have in native intelligence, America spends crazy stupid money on all forms of Education. State schools; private schools; universities; community colleges etc., whilst also keeping costs down by not paying staff much --- in a great tradition reaching back to British Public boarding schools where the headmaster paid himself ten times as much as his average master.
American reverence for Education surpasses its reverence for God --- but not so much as that for Money.
You'd think they could afford to pay for back-ups.