Business Recovery Planning is Essential. Why Do Few Organizations Have it in Place?

Cyber criminals have seized the opportunity to double down on attacks over the past year as much of the workforce transitioned to remote and off-site access. Breaches and associated losses among large, reputable organizations are increasingly newsworthy events — most recently with the Colonial Pipeline ransomware attack in May 2021 causing widespread fuel shortages across the United States.

The resulting fallout from these events stokes fear and discomfort among business leaders and the general public. And rightly so: the Allianz Risk Barometer lists cyber incidents as the third highest global risk for 2021.

Navigating the long tail of cyber business interruption damages

Cyber losses are challenging enough to address in and of themselves, let alone the associated business interruptions that can result. While cyber experts can often restore systems within weeks and sometimes days of identifying an attack, business interruptions often have a long tail which can impact a firm’s reputation and income for weeks and potentially years thereafter.

More organizations are seeing the value of working with cyber security specialists to train their teams, assess risk, implement controls, and simulate attacks to assess incident response capabilities. However, even the best defenses can only hope to reduce the likelihood of a successful breach. Prevention is virtually impossible, and few firms are taking the appropriate steps to prepare for the fallout when a breach occurs.

Cyber-related business interruptions now account for approximately 60 percent of insurance claim values. As breach tactics and market demands evolve, policy wordings and coverage terms will surely change to follow suit. Proper forensic accounting support is therefore essential both before and after an attack: first, to review insurance coverage and terms, anticipate the potential losses from an attack, and plan accordingly; then, to assess and build a case for businesses to recoup related actual losses and fully restore operations.

Know where you’re at risk from the more common cyber attacks in use today:

Distributed denial-of-service (DDoS)

A DDoS attack occurs when a threat actor seeks to make a network resource unavailable by disrupting the service of a server connected to the internet. They typically accomplish this by flooding the targeted machine with many bogus requests, which prevents it from fulfilling legitimate ones.

For most people, DDoS attacks immediately bring to mind credit card payment processors or webhosting services. However, other utilities such as automated resource extraction machines are equally vulnerable. In much the same vein as Colonial Pipeline, consider what might happen if cyber criminals could interrupt instructions to drilling equipment and effectively cause it to go offline. There are significant safety and environmental damages to consider and the loss of productivity and profitability could be significant.

Ransomware

Ransomware is a subset of malicious applications, called malware, that gives cyber criminals the ability to lock users out of the network and encrypt and / or publish sensitive data. Ransomware attackers will generally demand some form of payment or concession (i.e., a ransom) in exchange for restoring access.

However, as many victims learn the hard way, complying with demands does not necessarily guarantee a positive result. With the attackers holding all the cards, there’s little stopping them from continually upping the ransom amount or simply going underground after they receive payment without restoring access to critical systems.

According to Group-IB’s Ransomware Uncovered report, the average victim experiences 18 days of downtime due to ransomware. That’s nearly two-thirds of a month of suppressed revenues, not to mention the lingering costs of restoring consumer / client confidence, retraining and auditing employees, and upgrading systems to prevent future attacks.

Approximately 80 percent of ransomware attacks start either through a phishing email or exploiting a third-party or remote service vulnerability. With employees working from home due to the pandemic, and likely to continue this arrangement at least part of the time moving forward, these vulnerabilities will continue to be a large avenue of attack.

Effects on your business

Contemporary media coverage of cyber attacks typically ends with the mitigation of malicious code and restoration of services. However, that only marks the beginning of an organization’s recovery. Determining revenue losses can be much more difficult and will likely continue to affect the business long after the system is back to normal.

Important questions include:

  • Have ransomware originators used their access to download personal client / employee information, intellectual property, etc.? What information has been compromised and what is the organization’s legal and ethical duty to the affected parties (e.g. credit monitoring, financial compensation, etc.)?
  • Has the attack compromised other servers and / or login credentials that could lead to another breach in the future? What steps are necessary to fully secure the organization and prevent a similar attack in the future?
  • Has the attack impacted the functioning and integrity of a physical system (e.g. drilling rig)? What are the costs and necessary steps to get systems back to nominal operating parameters?

In the aftermath of an attack, most firms can expect to face a general loss of trust and confidence, not just among clients and customers but within their own ranks as well. This can materialize in everything from depressed revenues to lost productivity, and even lawsuits in the months and years ahead. These damages, including the public relations and outreach investment, can be large but difficult to quantify.

Hope for the best, but prepare for the worst

There’s been a marked improvement in cyber preparedness in recent years as leaders and boards increasingly take steps to assess their cyber risks and invest in adequate controls. But even the best perimeter defences have a weak point — and too few enterprises are considering what happens if a threat actor manages to find it.

At MNP, we help you look beyond the initial thrust of an attack to consider all aspects of a business interruption. Our multi-disciplinary teams evaluate your technology, accounting, insurance, and governance frameworks so you can understand your risks, quantify potential short- and long-term losses, and plan the necessary steps for a swift and sustainable recovery. Together, we can help you build a robust and comprehensive business resilience plan that provides assurance to decision makers and stakeholders that you’re ready to face whatever comes your way.

The likelihood and frequency of attacks will almost certainly rise throughout this period of sustained change and uncertainty, even as the pandemic subsides. Risk assessment and resilience planning need to be part and parcel of changes to remote / in-person work arrangements, adoption of new technologies, and the rollout of new business and service delivery models. Otherwise, the lingering effects of COVID-19 may indeed continue to follow enterprises for many years to come.

If you’re looking to learn more about how you can enhance your business recovery planning, contact us for a free assessment and we will help you roadmap your path forward. Reach out to our team to get started.


Authors: Stephen Dodd and Danny Timmins

Stephen Dodd is a member of MNP’s Forensics and Litigation Support Services team in Toronto, and the Insurance Advisory Services lead for Ontario. Drawing on more than a decade of experience in the insurance industry, Stephen works closely with clients to provide a wide range of insurance advisory services. He helps businesses mitigate losses and return to normal as quickly and efficiently as possible. Stephen’s services include insurance claim and damage quantification, loss measure and business interruption calculations, as well as pre-loss insurance need evaluations. 

Danny Timmins, CISSP, is MNP’s Cyber Security National Leader. Danny and his team have extensive experience advising business leaders and boards of directors on cyber security risks, trends and opportunities and have helped many Canadian organizations improve their resilience to attacks.