Recovery From a Cyber Event
Jul 8, 2025
Recovery from a cyber event often receives little attention before a cyber event takes place. That is a mistake. The recovery process is multifaceted, and depending on the nature of the event, it can take a long time to complete. While the process is necessarily reactive, understanding what it involves, and planning ahead, can streamline it and make it much easier.
The end of a cyber event does not end the need to respond to it. Once the event is contained or resolved, an organization can begin the recovery process. That process should be built around the answers to three questions:
Once a cyber event has been resolved, an organization should have a good technical understanding of what happened from the forensic investigation performed. That understanding is important, but it isn’t all an organization needs.
A few examples:
Unless an organization has been hit with a cyber fraud that results in the loss of funds, determining financial losses from a cyber event can be difficult. The most significant losses typically involve loss mitigation costs, fixed operating costs, system restoration costs, and business disruption.
Loss mitigation costs are those incurred to minimize the impact of the cyber event on the organization’s ability to carry on its business and other losses that may be incurred. A good example would be setting up a new and/or temporary network to isolate the compromised network. Loss mitigation costs will vary by the nature and extent of a cyber event and the organization affected.
Even in the case of a traumatic cyber event, operating costs will still be incurred. The best example of fixed operating costs is payroll expense, which must be paid even when employees are unable to work due to a cyber event.
Cyber-attacks today, especially those involving ransomware, frequently encrypt, corrupt, and sometimes destroy data and computer software. Under circumstances where the impacted data and software can’t be restored from backups, they will have to be replaced or recreated. That can be very expensive and time-consuming.
An attack can also damage IT and operational technology system components. While this is unusual, when it happens, organizations will be forced to repair or replace that equipment.
Determining profit lost because of a cyber event can be tricky because of the many factors that affect an organization’s profitability during any given time.
Those include:
Proving the amount of the loss can be challenging. We recommend that organizations work with a forensic accountant before facing an actual cyber event to understand and identify any necessary documentation and other evidence that will be needed to establish the loss.
The first few hours and days following a cyber event are triage, a critical time to isolate and contain the event. Once stabilized, an organization begins the recovery process. First and foremost, recovery is the time to fully restore all affected systems. It is also the time to assess ancillary damage caused to operations, revenues, and reputation, and to implement the changes necessary to rebuild and improve its defenses. Where triage should be completed as quickly as possible, recovery takes significantly longer.
There are several steps to undertake on the road to full recovery.
System restoration starts with recovering and rebuilding data and ensuring systems, software, and servers are free from all corruption. Very broadly speaking, organizations should:
Once operations begin returning to normal, organizations should start assessing weaknesses in their cyber defenses. This evaluation can expand on the forensic analysis performed immediately following discovery of the event to determine whether any non-technical causes contributed to the event or made it worse than it might otherwise have been. Such an assessment can also identify vulnerabilities that continue to exist.
The assessment process can include:
Following resolution of a cyber event, organizations should consider implementing changes to the organization’s cyber defenses. These should be identified via the assessment process described above and the forensic investigation performed in response to the event. They should be prioritized by the extent to which they address the organization’s most significant cyber risks.
Organizations with cyber insurance can count on their insurer to be a good partner throughout the recovery process.
A cyber insurer will help identify and retain a forensic investigator, and the costs will be covered by the cyber policy. A cyber policy will also cover the costs of other vendors needed to respond to a cyber event.
While coverage for losses will depend on the specific facts of the event and the terms of the policy, the types of losses described above should be covered by a good cyber policy.
With few exceptions, cyber policies do not cover the cost to improve cybersecurity. However, insurers frequently offer free or discounted loss control services that can assist in that regard.
Recovery from a cyber event should include an assessment of a cyber policy’s coverage. Was coverage broad enough to cover the losses sustained? If not, consider expanding coverage. There is a lot of creativity in the cyber insurance marketplace, and underwriters typically will consider reasonable requests to enhance coverage. Were the policy limits in the cyber insurance program enough to cover all of the losses? If not, then the organization may want to consider buying higher limits.
Recovery should also include a review of the cyber insurer’s claims performance. If the insurer’s claims handling was subpar, that should be discussed with the insurer.
A cyber event can debilitate an organization. No matter how strong an organization’s cybersecurity is, a determined threat actor will usually find a way to successfully attack their target. Once that happens, after managing the event well, a comprehensive and sure-footed recovery is essential. The process may take time, but it is important to take it. Done well, the recovery process can leave organizations more resilient than they were before the event happened.
This is the third article in our cyber risk management series. The first article focused on protecting your organization from cyber-attacks and the second article looked at preparing for and managing a cyber attack.
Tim Burke, Executive Vice President, Cyber/Commercial Client Advantage
William Boeck, Executive Vice President, Cyber Product Leader Client Advantage
Angela Thompson, Senior Marketing Specialist, Market Intelligence & Insights
Brian Spinner, Senior Marketing Coordinator, Market Intelligence & Insights