
Why do so few organizations have a recovery plan?

By Danny Timmins, National Leader, Cyber Security, and Stephen Dodd, Ontario Insurance Advisory Lead

Every week, there's a new story about a cyberattack creating devastating consequences for a business. It can happen in any industry, at any time. And while organizations understand that cyberattacks are major risks, few are building response plans that can mitigate the damage.


  • Companies are shifting to remote work and off-site access, but cybersecurity plans are failing to keep up with the change.
  • Cyber attacks do more than take down your operations. They impact productivity, profitability, and your brand.
  • Organizations need to create strong plans to prevent attacks and even stronger plans for how to react and respond.

Cyber criminals have seized the opportunity to double down on attacks over the past year as much of the workforce transitioned to remote and off-site access. Breaches and associated losses among large, reputable organizations are increasingly newsworthy events, most recently the Colonial Pipeline ransomware attack in May 2021, which caused widespread fuel shortages across the United States.

The resulting fallout from these events stokes fear and discomfort among business leaders and the general public. And rightly so: the Allianz Risk Barometer lists cyber incidents as the third highest global risk for 2021.

Navigating the long tail of cyber business interruption damages

Cyber losses are challenging enough to address in and of themselves, let alone the associated business interruptions that can result. While cyber experts can often restore systems within weeks and sometimes days of identifying an attack, business interruptions often have a long tail which can impact a firm’s reputation and income for weeks and potentially years thereafter.

More organizations are seeing the value of working with cyber security specialists to train their teams, assess risk, implement controls, and simulate attacks to assess incident response capabilities. However, even the best defenses can only hope to reduce the likelihood of a successful breach. Prevention is virtually impossible, and few firms are taking the appropriate steps to prepare for the fallout when a breach occurs.

Cyber-related business interruptions now account for approximately 60 percent of insurance claim values. As breach tactics and market demands evolve, policy wordings and coverage terms will surely change to follow suit. Proper forensic accounting support is therefore essential both before and after an attack: first, to review insurance coverage and terms, anticipate the potential losses from an attack, and plan accordingly; then, to assess and build a case for businesses to recoup related actual losses and fully restore operations.

Know where you’re at risk of the more common cyber attacks in use today:

Distributed denial-of-service (DDoS)

A DDoS attack occurs when a threat actor seeks to make a network resource unavailable by disrupting service of the server connected to the internet. They will typically accomplish this by flooding the targeted machine with many bogus requests which prevent it from fulfilling legitimate ones.

For most people, DDoS attacks immediately bring to mind credit card payment processors or webhosting services. However, other utilities such as automated resource extraction machines are equally vulnerable. In much the same vein as Colonial Pipeline, consider what might happen if cyber criminals could interrupt instructions to drilling equipment and effectively cause it to go offline. There are significant safety and environmental damages to consider and the loss of productivity and profitability could be significant.


Ransomware

Ransomware is a subset of malicious applications called malware that gives cyber criminals the ability to lock users out of the network and encrypt and/or publish sensitive data. Ransomware attackers will generally demand some form of payment or concession (i.e., a ransom) in exchange for restoring access.

However, as many victims learn the hard way, complying with demands does not necessarily guarantee a positive result. With the attackers holding all the cards, there’s little stopping them from continually upping the ransom amount or simply going underground after they receive payment without restoring access to critical systems.

According to Group-IB's Ransomware Uncovered report, the average victim experiences 18 days of downtime due to ransomware. That’s nearly two-thirds of a month of suppressed revenues, not to mention the lingering costs of restoring consumer/client confidence, retraining and auditing employees, and upgrading systems to prevent future attacks.

Approximately 80 percent of ransomware attacks start either through a phishing email or exploiting a third-party or remote service vulnerability. With employees working from home due to the pandemic, and likely to continue this arrangement at least part of the time moving forward, these vulnerabilities will continue to be a large avenue of attack.

Effects on your business

Contemporary media coverage of cyber attacks typically ends with the mitigation of malicious code and restoration of services. However, that only marks the beginning of an organization’s recovery. Determining revenue losses can be much more difficult and will likely continue to affect the business long after the system is back to normal.

In the aftermath of an attack, most firms can expect to face a general loss of trust and confidence, not just among clients and customers but within their own ranks as well. This can materialize in everything from depressed revenues to lost productivity, and even lawsuits in the months and years ahead. These damages, including the public relations and outreach investment, can be large but difficult to quantify.

Hope for the best, but prepare for the worst

There’s been a marked improvement in cyber preparedness in recent years as leaders and boards increasingly take steps to assess their cyber risks and invest in adequate controls. But even the best perimeter defences have a weak point — and too few enterprises are considering what happens if a threat actor manages to find it.

At MNP, we help you look beyond the initial thrust of an attack to consider all aspects of a business interruption. Our multi-disciplinary teams evaluate your technology, accounting, insurance, and governance frameworks so you can understand your risks, quantify potential short- and long-term losses, and plan the necessary steps for a swift and sustainable recovery. Together, we can help you build a robust and comprehensive business resilience plan that provides assurance to decision-makers and stakeholders that you’re ready to face whatever comes your way.

The likelihood and frequency of attacks will almost certainly rise throughout this period of sustained change and uncertainty, even as the pandemic subsides. Risk assessment and resilience planning need to be part and parcel of changes to remote/in-person work arrangements, adoption of new technologies, and the rollout of new business and service delivery models. Otherwise, the lingering effects of COVID-19 may indeed continue to follow enterprises for many years to come.

To learn more about effective cybersecurity strategies for your organization, contact Danny Timmins, National Leader, Cyber Security, or Stephen Dodd, Ontario Insurance Advisory Lead.