Natural disasters and cybersecurity attacks seem to be the leading headlines in the news almost every day. There’s been a lot going on. Hurricanes Harvey and Irma battered numerous communities while ransomware like WannaCry and NotPetya has damaged companies from the inside out. And the effects of that damage are being felt far outside the actual locations where it happened.
One place SMBs in Middle TN are seeing changes because of these events is in their insurance requirements. More and more SMBs, especially those in regulated industries, have received notification that as their insurance policy renews, there’s now more information they need to provide. This holds true for General Liability policies as well as for Property and Business Interruption and Cybersecurity policies.
Disasters are Costly
A quick search on the cost of a disaster or cybersecurity attack will turn up a range of numbers dizzying in their spread and their total. For example, the Department of Homeland Security estimates the direct costs for a cyberattack could be $38,000 or more. That doesn’t include indirect costs such as the damage to your customer relationships. Cavignac & Associates, an insurance broker out of California, estimates the insured losses from Hurricanes Harvey and Irma could top $30-$40 billion.
No matter how you look at it, disaster of any kind is expensive not only for the businesses affected, but also for the insurance companies that protect those businesses, and that’s the driver behind broader information requests when it’s time to renew your business insurance policies.
What SMBs Need to Know
Two terms are often used in close context when you’re discussing disasters: recovery and continuity. These are strategies that guide how fast your business can recover or resume business when a disaster strikes. A common misconception is that these strategies can be used interchangeably. They cannot. Business recovery is a strategy that guides how fast you can recover from an outage or downtime. Business continuity is a strategy for ensuring your business can operate with minimal or no downtime or service outage.
From an insurance perspective, recovery and continuity are indicators of risk. If a company is not prepared to prevent and respond to outages and downtime, no matter the source, the risk level to the insurance company is higher. An unprepared business means longer downtimes and more damages in the event there is a disaster or security event and that translates into larger payouts from the insurance company.
To help combat this, insurance companies are digging deeper into how prepared SMBs are for any event that would impact their ability to do business. Insurers are asking for more, and more detailed, information about documented disaster recovery and continuity plans. For many SMBs that means creating such a plan for the first time.
Creating a Disaster Recovery and Business Continuity Plan
Among the information that insurance companies are requesting are some hard-hitting questions that address issues like offsite locations to use if your business premises are unavailable, financial backup and recovery information, and how data backups are handled. In some cases, SMBs are not prepared to answer these questions quickly. But they can be.
The first step to creating a great disaster recovery plan is to put a great disaster recovery team into place. Your team should include a strong leader who is given the time necessary to review disaster recovery and business continuity requirements continually throughout the year. The team needs to meet quarterly to review the plan and make changes or adjustments as needed.
This team will create and test a functional plan that includes these elements:
- A detailed assessment of risks. Risks are determined by geographical area as well as type of business, nature of customers, and relevant industry risks.
- Assignment of roles and responsibilities. The roles and responsibilities for each team member should be clearly outlined and documented, but there should also be additional roles and responsibilities for other job functions if the plan needs to be activated. These others include information technology leaders, human resource coordinators, communications leads, finance and insurance specialists, and leadership. In this section of your recovery and continuity plan, it’s also necessary to ensure that you have clearly defined lines of management authority and that those people understand their roles if the plan needs to be activated.
- Risk mitigation and information regarding policies and procedures associated with each type of risk. For example, your response to a cybersecurity attack will differ greatly from the response to a flood or fire that destroys a physical location as well as resources.
- Data and financial backup and recovery strategy, policies, and guidelines. If an event happens and your data is compromised or lost, how will it be recovered? Not only will insurance companies require this information, but it is core business information necessary to keep your company operational. Part of your backup strategy should include keeping copies of your data both onsite and offsite, but it also includes capabilities to recover and restore that data as quickly as possible to return the business to normal operations, even if employees cannot enter your existing physical location. A key in this section of your recovery and continuity plan is to test backups regularly so that you know they can actually be restored; a backup that has never been restored is an assumption, not a capability.
- Detailed resource requirements for IT recovery. Your network, connection, servers, and even computers are part of maintaining your business continuity or recovering from a disaster. Create detailed plans for each disaster scenario that outline recovery plans and resources needed to restore these devices and functions as quickly as possible.
- A communications plan for employees and customers. The activities around disaster recovery and business continuity can be chaotic. Before that stress is a factor, develop both internal and customer-facing communications plans. You’ll need to communicate with employees about alternatives to normal business activities and with customers about operational hours, data integrity, and need-to-know information. The communications structure differs with the event that takes place, so review each possible risk to determine the appropriate communication plan.
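The backup element above says backups must be tested for recoverability. As an added illustration (not part of the original post), here is a small restore drill: it restores a constructed archive into a scratch directory, checks every file against a SHA-256 manifest stored in the archive, and shows how a single flipped bit in a copy (standing in for a damaged offsite copy) is caught. The manifest name and sample files are constructed for the example.

```python
"""Backup recoverability drill: a backup only counts once it has been restored and checked."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"  # hypothetical name for the hash list stored inside the archive

# Constructed sample data standing in for an SMB's business records.
SAMPLE_FILES = {
    "ledger/2017-q3.csv": b"date,amount\n2017-09-01,1250.00\n",
    "customers.json": b'{"acme": "active"}',
}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> bytes:
    """Pack {relative_path: content} into a ustar archive, then append a SHA-256 manifest."""
    manifest = json.dumps({name: _sha256(data) for name, data in files.items()}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in list(files.items()) + [(MANIFEST, manifest)]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def simulate_bit_rot(backup: bytes, offset: int = 512) -> bytes:
    """Flip one bit of the archive; 512 is the first data byte after the first 512-byte ustar header."""
    damaged = bytearray(backup)
    damaged[offset] ^= 0x01
    return bytes(damaged)


def verify_restore(backup: bytes) -> dict:
    """Restore into a scratch directory and compare every file against the manifest; the result dict is what goes in the test log."""
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # safe extraction where supported
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(fileobj=io.BytesIO(backup)) as tar:
        tar.extractall(scratch, **opts)
        root = Path(scratch)
        manifest = json.loads((root / MANIFEST).read_text())
        missing = [name for name in manifest if not (root / name).is_file()]
        corrupt = [name for name in manifest
                   if name not in missing and _sha256((root / name).read_bytes()) != manifest[name]]
    return {"ok": not (missing or corrupt), "missing": missing, "corrupt": corrupt}
```

Running `verify_restore` against both the pristine archive and the copy returned by `simulate_bit_rot` gives an "ok" result for the first and flags `ledger/2017-q3.csv` as corrupt for the second, which is exactly the kind of evidence a quarterly review or an insurer's questionnaire can point to.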
After You’ve Created Your Disaster Recovery Plan
Once you’ve developed your disaster recovery plan, you can’t just save it to a file and forget about it until something happens. A physical copy of the plan needs to be stored in an accessible offsite location in case digital copies are unattainable when an event happens. You also need to schedule regular testing and review of the plan.
Recovery and continuity testing should take place at least once a year. This is your time to find out which parts of the plan work and which don’t in a simulated situation. It’s better to find out something isn’t working in a simulation than during an event when there is little to no time to restructure your strategies and actions.
Regular review of your recovery and continuity plan should take place each quarter. The environment your business operates in changes daily. It’s possible that your natural disaster profile will remain the same over a period of years, but your company will grow and change. Cybersecurity threats evolve daily, too, which means your plans can become obsolete quickly.
SMBs need to have disaster recovery and business continuity plans in place. Insurance requirements are pushing the issue, but the way to address that is to develop a plan before the information is requested. Then you’re ready if a disaster or an insurance request occurs.