Business Continuity vs. Disaster Recovery vs. Backup on Cyber Policy Applications


You can learn a lot about technology from cybersecurity insurance applications. You can also get confused because some of the questions oversimplify terminology, transcend IT classifications, and suggest testing exercises that most SMBs cannot afford to undertake. Understanding these distinctions will not only save you time in the cybersecurity insurance application process, but you will also gain a greater appreciation of the business impact and increase the likelihood of getting approved for coverage.

Our recent review of an application inspired the following lingo decoder highlighting five questions that appeared in a section labeled “Business Continuity & Disaster Recovery Planning.”


#1 – Do you have a business continuity or disaster recovery plan?

The primary concern of business continuity is maximizing operational resource uptime during a natural disaster, fire, act of terror, active shooter, or cybercrime. By default, this means limiting downtime. The main objective of disaster recovery is responding to threatening events with specific steps to return the enterprise (and its resources) to a pre-disaster state.

Business continuity is the How/When/Where/Why/To What Extent? safety blueprint of a business while disaster recovery is the What Happens If and When? piece.

Warning (because it wasn’t evident in the application): both plans encompass resources that are much broader than hardware, software, computers, etc., including:

  • Employees
  • Office space, furniture, and equipment
  • Records (electronic data and hard copies)
  • Production facilities, machinery, and equipment
  • Inventory including raw materials, finished goods, and goods in production.
  • Utilities (power, natural gas, water, sewer, telephone, internet, wireless)
  • Third-party services


#2 – When was your plan last tested?

This follow-up question asked how often business continuity or disaster recovery plans were tested: <12 months ago, >12 months ago, >24 months ago, or Never.

Unlike data backup, a subcategory of disaster recovery, comprehensive business continuity, and disaster recovery readiness testing is not feasible for most SMBs. A full-fledged program is disruptive to operations, while a scaled-down version isn’t as accurate or complete.

Some facets of the testing include but are not limited to:

  • Team training exercises
  • Emergency simulations
  • Reading through step by step checklists
  • Evaluating and validating volumes of paperwork
  • Performing walkthroughs to observe process flow
  • Testing alternate sites for parallel function and performance
  • Relocating data and staff
  • Shutting down and relocating all resources to simulate the response to a total interruption

Can you afford this? Not many businesses would say “yes.” Your risk tolerance and available resources will drive the size and scope of your process.


#3 – Do you maintain regular backups (at least monthly), and are they in an encrypted format?

The answer to this question is a simple “yes” or “no” in two parts. And the cost is very reasonable for most SMBs. But first, I’d like to issue a little critique: monthly backups are not frequent enough! More on this in section #5.

Why is encryption so important? Encryption is a protective layer that prevents your data from being deciphered. So even if your data repository gets breached, it’s of no use to the threat actors. They can’t read it.


#4 – Are your backups segmented from and inaccessible through the organization’s network?

You can confidently answer “yes” to this inquiry by employing a combination of network-attached storage devices and offsite cloud backups. For example, a backup appliance can fulfill its obligations in conjunction with cloud data centers in multiple geographies, each of which maintains independence from the other. And the backup device is removable.

Or all of the back-ups can take place in a combination of data centers in different cities without employing an on-site appliance. Many companies use physical data backup appliances in conjunction with off-site cloud instances due to bandwidth constraints. It’s quicker to implement frequent incremental backups on the local area network throughout the day.


#5 – What is the frequency of backing up data, and do you test restoring from backups?

The application gives you four ways to respond: Daily, Weekly, Monthly, or None. (The last one is a serious issue issue.)

We recommend daily incremental backups with an on-site appliance in conjunction with a few or several redundant and geographically diverse cloud data centers. Incremental backups can be set every 15 minutes, mirrored to offsite silos, with nightly testing to ensure the backups are successful. Insurance companies love this approach because companies who get hit by ransomware actors can’t be held hostage. The impact is minimal. How so? Even if all backup instances are commandeered (which is statistically improbable), the company only loses 15 minutes of data.


What’s next?

Be sure your IT provider plays an integral role in helping you qualify for cyber liability insurance that covers data breaches, ransomware events, or phishing schemes. Your provider can also assist with developing comprehensive business continuity and disaster recovery plans, including the selection of third-party specialists.

We're Integris. We're always working to empower people through technology.

Keep reading

Cybersecurity Plans, Policies, and Procedures: A Guide

Cybersecurity Plans, Policies, and Procedures: A Guide

The proliferation of cyber threats has underscored the critical importance of robust cybersecurity measures for organizations and industries. As cybercriminals evolve and adapt their tactics, protecting sensitive data, critical systems, and digital infrastructure has...

Two Access Credentials Best Practices to Adopt Right Now

Two Access Credentials Best Practices to Adopt Right Now

To solidify business continuity, IT Teams, IT Steering Committees, and their MSPs should embrace two durable and future-proof access credentials best practices. Access credentials AKA “email addresses and passwords” are the proverbial combinations for each master lock...