Financial and operations leaders face many non‑technical decisions that can make all the difference in limiting the severity of financial losses, work stoppage, legal liability, and reputation damage. This article covers basic steps executive teams can take to prepare for an effective incident response and avoid a worst‑case scenario in the event of a ransomware or data compromise.
- Understanding the financial impact for your unique operation
- Real-world examples of typical recovery costs and timeline
- Tips for avoiding preventable losses with planning and preparation
- Cyber insurance: Key considerations and fine print to be aware of
- Questions to be ready for from external stakeholders
- Next steps for financial leaders
Picturing a hypothetical cyberattack scenario is a useful starting point to help leaders understand what decisions they may face, potential tradeoffs of different strategic choices, and gaps in the response plan that can be addressed. In a typical scenario, ransomware attacks are discovered on a Monday morning when employees arrive for work to find they’re locked out of their computers. There may be a ransom note on the screen asking for $100,000 to $200,000 or more to restore access to systems and/or data.
Over the next hours, days, and months following an attack there will be many decisions big and small that will determine the severity of losses, such as:
- If we pay the ransom, what assurance is there that we actually get our data back?
- If we don’t pay, how long could business be shut down until systems are restored?
- How long can our business survive with operations disrupted for a week or longer?
- When do we notify insurance, customers, investors, or other external stakeholders?
Many decisions involve strategic, financial, and operational considerations with no easy answers. But the more leadership thinks about these questions and practices gaming out contingencies, the better chance you have of walking away with minimal disruptions to your business.
Understanding the impact of a cyberattack for your unique operation
With such significant financial stakes, it’s helpful to make decisions grounded with a firm understanding of what the real‑world impact of a cyberattack might be for your unique operation. Assessing what systems your business relies on for different functions ahead of time and quantifying the potential financial losses if certain systems remain down helps decision makers prioritize and evaluate tradeoffs during the crisis.
"If all of your systems were to go down, what is the thing that would impact our revenue the most?" said Kirsten Bay, insurance expert and CEO of Cysurance. The answer is different for every type of business.
Whatever your most critical systems may be, looking at them individually from an operational lens is helpful. Hackers don't always achieve all of their objectives and often it isn't initially apparent which systems are truly compromised. So knowing how you prioritize the systems needed for the business to survive can inform the first steps in your response, e.g. whether you should pull the plug on everything while the IR team works to determine the extent of the compromise, or if certain systems can/should stay running.
No matter the industry or type of business, when a cyberattack halts operations the costs go beyond lost revenue. During a work stoppage, daily expenses like payroll, facility costs, utilities, maintenance, janitorial services, equipment leases, loan interest, and vendor contracts all keep accruing. Less tangible impacts such as erosion of customer confidence and reputational harm can also lead to long‑term revenue loss and increased acquisition costs.
Overall, going into the crisis with a more granular, quantitative view of how your business will be impacted and planning accordingly can reduce the severity of and accelerate recovery from a cyberattack.
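The "granular, quantitative view" above can be kept as a small model that finance and IT maintain together. The following is an added example, not part of the original article or any Tech Heads material: it models daily revenue at risk per system, adds the fixed costs that keep accruing during a stoppage, ranks systems by revenue recovered per hour of restore effort, and estimates how many days of outage a cash reserve absorbs. Every figure in it (daily revenue, the four systems, their revenue shares and restore times, the fixed costs) is constructed for illustration and should be replaced with your own numbers.

```python
"""Outage-cost model: which systems hurt most when down, and in what order to restore them.
Added example with constructed figures; replace them with your own business's numbers."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    revenue_share: float   # fraction of daily revenue that stops while this system is down
    restore_hours: float   # estimated hours to rebuild or restore this system from backups


# Constructed figures for a hypothetical 100-user business (not real data).
DAILY_REVENUE = 60_000.0
FIXED_DAILY_COSTS = {          # these keep accruing during a work stoppage
    "payroll": 18_000.0,
    "facilities_and_utilities": 2_500.0,
    "equipment_leases": 1_200.0,
    "loan_interest": 800.0,
}
SYSTEMS = [
    System("ERP / order management", revenue_share=0.55, restore_hours=48),
    System("E-commerce storefront", revenue_share=0.30, restore_hours=12),
    System("Email (Microsoft 365)", revenue_share=0.10, restore_hours=6),
    System("Shop-floor PLC network", revenue_share=0.40, restore_hours=72),
]


def revenue_at_risk_per_day(down: list[System], daily_revenue: float = DAILY_REVENUE) -> float:
    """Revenue lost per day while the systems in `down` are unavailable. Shares overlap
    (the ERP and the storefront both gate the same orders), so the sum is capped at 100%:
    once everything is down you cannot lose more than a day's revenue."""
    share = min(1.0, sum(s.revenue_share for s in down))
    return share * daily_revenue


def outage_cost(down: list[System], days: float,
                daily_revenue: float = DAILY_REVENUE,
                fixed: dict[str, float] = FIXED_DAILY_COSTS) -> float:
    """Direct cost of a `days`-long outage: lost revenue plus fixed costs that keep accruing.
    Excludes forensics, legal, and other response costs, which come on top."""
    return days * (revenue_at_risk_per_day(down, daily_revenue) + sum(fixed.values()))


def restoration_order(systems: list[System], daily_revenue: float = DAILY_REVENUE) -> list[str]:
    """Rank systems by daily revenue recovered per hour of restore effort, highest first:
    the order to bring systems back when the IR team can only work on one at a time."""
    ranked = sorted(systems,
                    key=lambda s: (s.revenue_share * daily_revenue) / s.restore_hours,
                    reverse=True)
    return [s.name for s in ranked]


def survivable_days(cash_reserve: float, down: list[System],
                    daily_revenue: float = DAILY_REVENUE,
                    fixed: dict[str, float] = FIXED_DAILY_COSTS) -> int:
    """Whole days of outage the available cash can absorb before the business runs dry."""
    burn_per_day = revenue_at_risk_per_day(down, daily_revenue) + sum(fixed.values())
    return int(cash_reserve // burn_per_day)


if __name__ == "__main__":
    burn = revenue_at_risk_per_day(SYSTEMS) + sum(FIXED_DAILY_COSTS.values())
    print(f"Per-day burn with everything down:  ${burn:,.0f}")
    print(f"Cost of a one-week total outage:    ${outage_cost(SYSTEMS, 7):,.0f}")
    print(f"Cost of ERP alone down for 5 days:  ${outage_cost(SYSTEMS[:1], 5):,.0f}")
    print("Restore in this order:", " > ".join(restoration_order(SYSTEMS)))
    print("Days $500k of cash lasts with everything down:", survivable_days(500_000, SYSTEMS))
```

Note what the ranking shows with these constructed numbers: the storefront and email come back first not because they carry the most revenue but because they are cheap to restore, while the PLC network, which gates a large share of revenue, sits last because it takes days to rebuild. That is the kind of tradeoff leaders want settled before the crisis, not during it.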
Recovery costs and timeline
Even in a best‑case scenario, businesses are often still down for several days after an attack and recovery frequently takes weeks, with significant time required from internal staff and external service providers to wipe systems and rebuild the company's infrastructure. Recovery costs can vary widely but for an average 100‑user business without cyber insurance, costs can range from $100,000 to $1.25 million including costs such as:
- Digital forensics: $50,000–$150,000 for mid‑sized businesses; forensic teams may bill $300/hr.
- Legal counsel: $75,000–$200,000; attorneys specializing in cybersecurity may bill $500/hr.
- Regulatory fines or settlements: $150,000 or more.
- Internal team time redirected to supporting the investigation: $25,000 in lost productivity is typical.
- E‑discovery and document review: $50,000–$100,000.
- Insurance deductibles: $10,000–$50,000 is typical for cyber policies.
- Public relations, investor relations, and reputation monitoring: $25,000–$100,000.
The timeline for recovery depends heavily on preparation and response capabilities. According to cybersecurity expert and Tech Heads CEO Randy Richardson, organizations with 24/7 Security Operations Center (SOC) monitoring can often contain a compromise to one or two systems before the attacker spreads further, which dramatically reduces recovery costs. Without such monitoring, an incident that begins when nobody is watching gives the threat actor hours or days to propagate through the environment.
In a recent incident, a business learned that a cybercriminal had been in its environment for months before launching ransomware, and the backup solution in place needed two weeks to restore the data. With an Incident Response Plan (IRP), that delay could have been avoided: the planning exercise would have exposed the need for an alternate backup solution or configuration (and the question of whether backups taken during a months-long intrusion can be trusted), or led to other contingencies being put in place.
Without a plan or a clear view of how the systems outage will impact different departments, it becomes more difficult to navigate considerations such as whether to send employees home, what work can continue, how customers are being impacted, and other questions.
Avoiding preventable losses with planning and preparation
An IRP can help you avoid an attack or reduce its severity. It also matters after the fact: if an incident does happen, ownership and investors will ask what measures were in place to prevent and contain it, and a documented IRP shows you had a structured approach to minimizing financial loss, operational downtime, and reputational damage.
Part of planning involves developing relationships with cybersecurity, incident response, and recovery service providers. "The immediate aftermath of an incident is not a great time to be shopping around for forensic vendors," said Tech Heads Security Operations lead, Forrest Palamountain.
Periodically going through a simulated cyberattack and allowing your IT leaders and executive team to think through decisions they may face during a real attack also helps everyone understand their role, reduces chaos, and accelerates recovery.
Other tips:
- Keep a printed list of insurance, legal, and other vendor contacts as well as personal phone numbers for staff.
- Set aside $20K–$40K for an Incident Response (IR) retainer.
- Train your AP team to verify payment requests and educate other staff with an ongoing security awareness program like KnowBe4.
Cyber insurance: Key considerations and fine print to be aware of
After a cyberattack, companies that have cyber insurance sometimes discover requirements, related to notification timelines or to having specific security tools and practices in place, that cause their claim to be denied. Up to 30‑35% of claims are now declined or partially declined because of security requirements that are easy to overlook. "The insurance company is fully auditing these environments and seeing that, for example, only half of the environment had MFA on and that's how the threat actor entered into the environment. So that might only be a partial coverage," says Bay.
Multi‑factor authentication (MFA) has become a requirement in many policies, along with identity and access management controls. Policyholders also aren't always made aware that they need to tell the insurance company ahead of time which partners they prefer for incident response and legal services; otherwise they can be forced to use the insurer's preferred vendors. Some cyber insurance policies also require notification within 24 hours.
"The worst thing that could happen to anybody is to have an event happen and say, oh, good, we're covered and then have that claim get denied because you didn't do basic things that were required,” says Richardson. Insurance providers typically want to see EDR or MDR deployment with 24/7 SOC monitoring, comprehensive backups, and MFA implementation.
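Bay's example of an insurer finding MFA on only half the environment is the kind of gap to measure before you represent your controls to a carrier. The following is an added example, not part of the original article or Tech Heads' tooling: it reads a constructed per-user registration export and reports coverage the way a post-incident audit would. The CSV rows are invented, and the column names (`userPrincipalName`, `isAdmin`, `isMfaRegistered`, `isMfaCapable`, `methodsRegistered`) are an assumption modelled on Entra ID's user registration details report; check the header row of your own export.

```python
"""MFA coverage check against an exported per-user registration report.
Added example; the CSV below is constructed and its column names are an assumption
modelled on Entra ID's user registration details report (verify against your export).
Meaning assumed here: mfa_registered = has registered at least one method;
mfa_capable = has a method that satisfies MFA under the tenant's policy."""
from __future__ import annotations
import csv
import io

# Constructed sample export (not real users).
REGISTRATION_CSV = """\
userPrincipalName,isAdmin,isMfaRegistered,isMfaCapable,methodsRegistered
alice@example.com,True,True,True,microsoftAuthenticatorPush;softwareOneTimePasscode
bob@example.com,False,True,True,mobilePhone
carol@example.com,False,False,False,
dave@example.com,True,False,False,
erin@example.com,False,True,False,email
svc-scanner@example.com,False,False,False,
"""


def parse_report(text: str) -> list[dict]:
    """Parse the CSV export into rows with real booleans and a list of methods."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "upn": row["userPrincipalName"],
            "is_admin": row["isAdmin"].strip().lower() == "true",
            "mfa_registered": row["isMfaRegistered"].strip().lower() == "true",
            "mfa_capable": row["isMfaCapable"].strip().lower() == "true",
            "methods": [m for m in row["methodsRegistered"].split(";") if m],
        })
    return rows


def mfa_coverage(rows: list[dict], exceptions: tuple[str, ...] = ()) -> dict:
    """Summarise MFA coverage the way an insurer's audit would: what share of accounts
    can actually complete MFA, and which admins cannot. `exceptions` lists accounts
    excluded under an approved policy exception (e.g. a documented break-glass account)."""
    in_scope = [r for r in rows if r["upn"] not in exceptions]
    capable = [r for r in in_scope if r["mfa_capable"]]
    not_capable = [r for r in in_scope if not r["mfa_capable"]]
    return {
        "total": len(in_scope),
        "mfa_capable": len(capable),
        "coverage_pct": 100.0 * len(capable) / len(in_scope) if in_scope else 0.0,
        # registered something, but nothing that satisfies MFA under policy
        "registered_but_not_capable": sorted(r["upn"] for r in not_capable if r["mfa_registered"]),
        "admins_without_mfa": sorted(r["upn"] for r in not_capable if r["is_admin"]),
        "users_without_mfa": sorted(r["upn"] for r in not_capable),
    }


def meets_requirement(summary: dict, required_pct: float = 100.0) -> bool:
    """True only if coverage meets the threshold AND no admin account lacks MFA."""
    return summary["coverage_pct"] >= required_pct and not summary["admins_without_mfa"]


if __name__ == "__main__":
    s = mfa_coverage(parse_report(REGISTRATION_CSV), exceptions=("svc-scanner@example.com",))
    print(f"MFA-capable: {s['mfa_capable']}/{s['total']} ({s['coverage_pct']:.0f}%)")
    print("Admins without MFA:", s["admins_without_mfa"])
    print("Registered but not MFA-capable:", s["registered_but_not_capable"])
    print("Meets a 100% requirement:", meets_requirement(s))
```

The point of the `exceptions` parameter is that any account you leave out must be backed by a written exception the insurer has seen; an undocumented service account without MFA is exactly the finding that turns a claim into partial coverage.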
Questions to be ready for from external stakeholders
Following an incident, organizations face scrutiny from multiple external parties. Business Email Compromise (BEC) incidents currently make up the bulk of claims activity, according to Bay, and they trigger specific reporting requirements. If someone in your organization wires funds to a cybercriminal, you may also need to file a report with the FBI (through its Internet Crime Complaint Center, IC3) and attempt fund recovery. Investigators may ask whether the AP team was trained to verify any request to change wire-transfer instructions by voice, using a phone number already on file rather than one supplied in the request.
In the case of data loss, organizations may have additional reporting requirements depending on their industry and reporting timelines are typically 30 days or less.
Tools and processes for prevention and early detection
Cybercriminals have caught up with many conventional MDR, EDR, and other point solutions. Protecting a business from evolving threats now takes a holistic approach that layers defenses, uses a next-generation security architecture, and hardens Microsoft 365, where most compromises now originate. Richardson identified Business Email Compromise (BEC) as "the number one threat vector" and emphasized that while "Microsoft provides a lot of tools to prevent BEC, it isn’t enabled off the shelf". Many businesses use only 20% to 30% of the security capabilities available in M365. Tech Heads implements approximately 100 security controls in Microsoft 365 during the hardening process.
A 24/7 SOC provides crucial monitoring capabilities. "These events always seem to happen after hours during the evening," Richardson said, so engaging a SOC‑as‑a‑service helps avoid compromises going undetected.
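What a SOC is watching for in those after-hours windows is, concretely, an account fanning out across hosts it does not normally touch. The following is an added example, not code from the original article or from Tech Heads' SOC: it runs one such detection over constructed, simplified Windows network-logon records (event 4624, logon type 3). The accounts, hosts, addresses and timestamps are invented, and the business-hours definition is an assumption to tune for your own operation.

```python
"""Flag accounts that reach many distinct hosts over the network within a short window,
and mark whether the burst happened after hours. Added example on constructed data;
the record layout is a simplification of Windows Security event 4624 fields."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events (not real log data).
# (timestamp, account, source_ip, target_host, logon_type)  -- type 3 = network logon
EVENTS = [
    ("2025-03-10T09:12:00", "jdoe",       "10.0.5.21", "FS01",    3),
    ("2025-03-10T14:30:00", "jdoe",       "10.0.5.21", "PRINT01", 3),
    ("2025-03-10T17:55:00", "jdoe",       "10.0.5.21", "FS01",    3),
    ("2025-03-10T22:41:10", "svc_backup", "10.0.9.14", "FS01",    3),
    ("2025-03-10T22:41:55", "svc_backup", "10.0.9.14", "FS02",    3),
    ("2025-03-10T22:42:30", "svc_backup", "10.0.9.14", "DC01",    3),
    ("2025-03-10T22:43:05", "svc_backup", "10.0.9.14", "ERP01",   3),
    ("2025-03-10T22:44:00", "svc_backup", "10.0.9.14", "SQL01",   3),
    ("2025-03-11T08:05:00", "asmith",     "10.0.5.33", "FS01",    3),
    ("2025-03-11T08:06:00", "asmith",     "10.0.5.33", "WS-ASMITH", 2),  # interactive, ignored
]

BUSINESS_HOURS = (7, 19)   # 07:00-19:00 local, Monday-Friday (assumption; tune for your site)


def is_after_hours(ts: datetime, hours: tuple[int, int] = BUSINESS_HOURS) -> bool:
    """True on weekends or outside the configured business hours."""
    start, end = hours
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect_lateral_bursts(events, window: timedelta = timedelta(minutes=10),
                          min_hosts: int = 4) -> list[dict]:
    """Return one alert per account that reached at least `min_hosts` distinct hosts over
    the network within any span of length `window`. Only network logons (type 3) count;
    interactive logons on a user's own workstation are normal and ignored."""
    by_account: dict[str, list] = defaultdict(list)
    for ts, account, src, host, logon_type in events:
        if logon_type == 3:
            by_account[account].append((datetime.fromisoformat(ts), src, host))

    alerts = []
    for account, logons in by_account.items():
        logons.sort()
        best = None   # widest fan-out seen for this account
        for i, (start, _, _) in enumerate(logons):
            hosts, sources, end = set(), set(), start
            for ts, src, host in logons[i:]:
                if ts - start > window:
                    break
                hosts.add(host)
                sources.add(src)
                end = ts
            if best is None or len(hosts) > len(best["hosts"]):
                best = {"account": account, "hosts": hosts, "sources": sources,
                        "start": start, "end": end}
        if best is not None and len(best["hosts"]) >= min_hosts:
            best["hosts"] = sorted(best["hosts"])
            best["sources"] = sorted(best["sources"])
            best["after_hours"] = is_after_hours(best["start"])
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_bursts(EVENTS):
        when = "AFTER HOURS" if a["after_hours"] else "business hours"
        print(f"{a['account']}: {len(a['hosts'])} hosts {a['hosts']} from {a['sources']} "
              f"between {a['start']:%Y-%m-%d %H:%M:%S} and {a['end']:%H:%M:%S} ({when})")
```

With these constructed records only `svc_backup` trips the rule: five servers in under three minutes at 22:41 on a Monday night. That is the moment an analyst isolates the source host and the account; without anyone watching, the same pattern continues until the morning lockout described at the top of this article.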
Network monitoring becomes essential for devices that cannot support endpoint agents, such as programmable logic controllers (PLCs) in manufacturing or medical devices.
Security awareness training is still one of the best ways to reduce risk. “With AI, phishing attempts are getting much more difficult to identify.”
An additional cost reduction benefit that goes along with reducing security risk comes in the form of reduced cyber insurance policy premiums. Through Tech Heads, businesses can access cyber insurance policies for 40% to 60% less than market rate premiums by implementing basic security measures and certifying their reduced risk. Tech Heads security clients can also access a $500,000 cyber liability warranty for no added cost which comes standard with our MDR and managed security program, THInc. Secure.
Next steps for financial leaders
As cyber attacks become more common, responsibility for managing the risk no longer falls solely to the IT department. Often the first questions from the board or the CEO after hearing that employees have been locked out of their systems by a cyberattack will be about the financial impact and whether losses will be covered by insurance. Fortunately planning and preparation can have a major impact both for reducing the risk of a compromise and helping your leadership team effectively respond to the crisis. It isn’t about trying to anticipate every possible contingency, because no plan survives first contact with the enemy. But getting stakeholders into a room to talk through how a cyberattack may unfold in your operation and preparing leaders for the type of decisions they may face can go a long way toward effectively navigating the crisis and achieving the best possible outcome.
For companies that would like to accelerate planning, involving a partner such as Tech Heads that specializes in Incident Response can help finance, operations, and IT stakeholders understand their roles, get aligned, and expedite the process.

Free Workshop: Prepare your executive team for navigating a cyberattack
Help your organization minimize losses from a cyberattack with a planning session facilitated by a Certified Information Systems Security Professional (CISSP). Walk away with a better view of how a cyberattack may impact your unique operation and key steps to take before and during an attack to help contain losses.
Schedule Workshop: https://info.techheads.com/incident-response-readiness
- Roles of finance, operations, and IT leaders in preparing and responding
- Live exercise walking your executive team through an example cyberattack
- Key decisions executive leadership may face during a cyber crisis
- Critical steps to take before and during a cyberattack to contain the damage
- Questions to be prepared for from insurance, regulators, and law enforcement
- Why cyber insurance claims can be denied and key factors affecting premiums
Note: The agenda can be expanded or narrowed to focus on the areas most relevant to you and the operational landscape of your business.
About Tech Heads
Celebrating 30 years of cybersecurity excellence in 2025, Tech Heads has all the capabilities to manage security and IT operations for mid‑sized and large businesses, while still offering the individualized, collaborative approach we did when we started back in 1995. Contact us at [email protected] or (503) 639‑8542 to discuss ways we can support your goals.