Recovery From a
Cyber Event

Jul 8, 2025

Recovery from a cyber event often receives little attention before a cyber event takes place. That is a mistake. The recovery process is multifaceted, and depending on the nature of the event, it can take a long time to complete. While the process is necessarily reactive, understanding what it involves, and planning ahead, can streamline it and make it much easier.

Start to Recovery

The end of a cyber event does not end the need to respond to it. Once the event is contained or resolved, an organization can begin the recovery process. That process should be built around the answers to three questions:

What went wrong?
What have we lost?
What can we do to prevent this event from happening again?

Determining What Went Wrong

Once a cyber event has been resolved, an organization should have a good technical understanding of what happened from the forensic investigation performed. That understanding is important, but it isn’t all an organization needs.

A few examples:

Organizations should look at whether any policies and procedures were inadequate.
If a vendor was involved, organizations should assess the strength of their third-party cyber risk management.
Organizations should evaluate their own response to the event to determine where improvements are needed.

Potential Losses

Unless an organization has been hit with a cyber fraud that results in the loss of funds, determining financial losses from a cyber event can be difficult. The most significant losses typically involve loss mitigation costs, fixed operating costs, system restoration costs, and business disruption.

Loss Mitigation Costs

Loss mitigation costs are those incurred to minimize the impact of the cyber event on the organization’s ability to carry on its business and other losses that may be incurred. A good example would be setting up a new and/or temporary network to isolate the compromised network. Loss mitigation costs will vary by the nature and extent of a cyber event and the organization affected.

Fixed Operating Costs

Even in the case of a traumatic cyber event, operating costs will still be incurred. The best example of fixed operating costs is payroll expense, which must be paid even when employees are unable to work due to a cyber event.

System Restoration Costs

Cyber-attacks today, especially those involving ransomware, frequently encrypt, corrupt, and sometimes destroy data and computer software. Under circumstances where the impacted data and software can’t be restored from backups, they will have to be replaced or recreated. That can be very expensive and time-consuming.

An attack can also damage IT and operational technology system components. While this is unusual, when it happens, organizations will be forced to repair or replace that equipment.

Profit Loss

Determining profit lost because of a cyber event can be tricky because of the many factors that affect an organization’s profitability during any given time.

Those include:

The ability to continue business functions during a cyber event.
The availability of substitute income.
The overall market conditions.
The damage to the organization’s reputation that leads to lost income.

Proving the amount of the loss can be challenging. We recommend that organizations work with a forensic accountant before facing an actual cyber event to understand and identify any necessary documentation and other evidence that will be needed to establish the loss.

Road to Full Recovery

The first few hours and days following a cyber event are triage, a critical time to isolate and contain the event. Once stabilized, an organization begins the recovery process. First and foremost, recovery is the time to fully restore all affected systems. It is also the time to assess ancillary damage caused to operations, revenues, and reputation, and to implement the changes necessary to rebuild and improve its defenses. Where triage should be completed as quickly as possible, recovery takes significantly longer.

There are several steps to undertake on the road to full recovery.

Restoring Affected Computer Systems

System restoration starts with recovering and rebuilding data and ensuring systems, software, and servers are free from all corruption. Very broadly speaking, organizations should:

Focus first on mission-critical infrastructure
Retrieve and validate backup data
Restore data from backups
Test systems before reconnecting
Bring systems online in a controlled manner

Assessing Cyber Defenses and Hygiene

Once operations begin returning to normal, organizations should start assessing weaknesses in their cyber defenses. This evaluation can expand on the forensic analysis performed immediately following discovery of the event to determine whether any non-technical causes contributed to the event or made it worse than it might otherwise have been. Such an assessment can also identify vulnerabilities that continue to exist.

The assessment process can include:

Identification of changes that could be made to policies, procedures, and IT systems that would protect the organization from a similar event in the future.
Review of the organization’s incident response plan to determine whether changes are needed in light of recent cyber event.
Employee interviews to uncover any human concerns.
Reevaluation of vendor cybersecurity requirements and performance.
Taking a fresh look at compliance with any contractual or regulatory cybersecurity requirements.

Improving Cyber Defenses

Following resolution of a cyber event, organizations should consider implementing changes to the organization’s cyber defenses.¹ These should be identified via the assessment process described above and the forensic investigation performed in response to the event. They should be prioritized by the extent to which they address the organization’s most significant cyber risks.

Recovery With the Benefit of Cyber Insurance

Organizations with cyber insurance can count on their insurer to be a good partner throughout the recovery process.

A cyber insurer will help identify and retain a forensic investigator, and the costs will be covered by the cyber policy. A cyber policy will also cover the costs of other vendors needed to respond to a cyber event.

While coverage for losses will depend on the specific facts of the event and the terms of the policy, the types of losses described above should be covered by a good cyber policy.

With few exceptions, cyber policies do not cover the cost to improve cybersecurity. However, insurers frequently offer free or discounted loss control services that can assist in that regard.

Recovery from a cyber event should include an assessment of a cyber policy’s coverage. Was coverage broad enough to cover the losses sustained? If not, consider expanding coverage. There is a lot of creativity in the cyber insurance marketplace, and underwriters typically will consider reasonable requests to enhance coverage. Were the policy limits in the cyber insurance program enough to cover all of the losses? If not, then the organization may want to consider buying higher limits.

Recovery should also include a review of the cyber insurer’s claims performance. If the insurer’s claims handling was subpar, that should be discussed with the insurer.

Final Word

A cyber event can debilitate an organization. No matter how strong an organization’s cybersecurity is, a determined threat actor will usually find a way to successfully attack their target. Once that happens, after managing the event well, a comprehensive and sure-footed recovery is essential. The process may take time, but it is important to take it. Done well, the recovery process can leave organizations more resilient than they were before the event happened.

This is the third article in our cyber risk management series. The first article focused on protecting your organization from cyber-attacks and the second article looked at preparing for and managing a cyber attack.