Preparing for the Worst: Disaster Data Recovery and Written Information Security Plans

Increasingly, governments and regulatory bodies, including the IRS, FTC, and SEC are requiring formalized security plans. In the U.S., some states require financial institutions, such as CPAs, accounting firms, mortgage brokers, universities, and nonbank lenders, to establish a Written Information Security Plan (WISP). This formal plan outlines the roles of staff in data security protections, steps to follow in the event of a data breach, and risk assessments. The chief difference between a WISP and a data recovery plan is that the former focuses on information security and data breaches, while the latter covers natural disasters and other catastrophic events. The two documents should work hand in hand.

According to the Cost of a Data Breach 2023 Report from IBM, the average cost of a data breach in the United States was $9.44 million last year. The incidence rate is increasing, with the speed of recovery becoming a critical factor in a company continuing its operations following a disaster.

Businesses need to invest in a disaster data recovery plan or Written Information Security Plan. Data is one of a company’s most important assets, requiring a significant level of care. Having a backup plan to rapidly restore services focused on IT operations will help prevent and mitigate data security incidents or disasters. 

New call-to-action

Disaster data recovery plans

A disaster recovery plan is a subset of a company’s business continuity (BC) plan. While the BC plan outlines how to keep operations running, the plan focuses on recovering from the interruption as quickly as possible.

Speedy recovery is achieved by first identifying the disasters potentially affecting businesses, such as:

  • Power outages
  • Natural disasters
  • Cybersecurity breaches
  • Data storage corruption

From there, companies can begin developing their plan with specific threat management tactics that can sometimes prevent the disaster from occurring in the first place. A strong disaster data recovery plan saves businesses hundreds of thousands of dollars while getting up and running as quickly as possible.


Also read: How to Defend Against Third-Party Cyber Risk


What should be in the data recovery plan?

The critical aspects of a disaster recovery plan include:

  • A detailed procedure that employees can follow
  • Pre-identified essential databases, copy storages, and active data pools
  • A complete inventory of all IT hardware and software
  • Commands and resources needed to complete database recovery, register licenses, and more
  • Any copies of files that detail the server’s options, device configuration, and volume history
  • A copy of your organization’s Written Information Security Plan (WISP)

Every plan should have the goals of the company at its core. How much data can companies afford to lose, and how long should it take before operations must be up and running again? Which staff members are responsible for what part of the plan, and how often should the plan be tested? 

The identification of recovery timelines is vital. Companies should calculate the following:

  • Recovery Time Objective (RTO): The maximum number of minutes, hours, or days an organization can survive an IT service outage.
  • Recovery Point Objective (RPO): The amount of data the organization can afford to lose during the outage.

Both metrics provide a strong indicator of a recovery plan’s performance, giving employees targets to hit along the road to recovery. Ultimately, the best disaster data recovery plans keep the business environment in mind, resulting in an in-depth, cost-saving recovery plan that strengthens the company’s business continuity plan.

Who needs to be involved in the plan?

Businesses should enlist a team of specialists to develop, implement, and manage the plan’s development and execution. 

If your organization lives in a state that requires a WISP, you are legally required to designate a team member to oversee information security. In the case of disaster recovery, a team member should be designated in a leadership role, becoming the head of crisis management that kicks off the recovery plan, coordinates communications, and resolves challenges.

From there, businesses will need members responsible for impact assessment and recovery, IT applications, and aligning with the larger business continuity goals. During the plan’s development, additional roles will be needed to evaluate the plan’s efficacy and provide feedback to address any concerns.

Each company’s team will look different, with the final plan tailor-made to every company to ensure any employee can pick it up and understand their role in aiding the company during a difficult time.


Also read: Blocking Ransomware Attacks with Updated Microsoft Security Features


The IT audit

The IT audit is a critical component in developing a data recovery plan, which involves an inventory of a company’s network infrastructure, including its hardware. 

An audit helps companies understand which IT resources are essential to normal operations. During the audit, businesses will likely identify data they no longer need, hardware that has become redundant or needs upgrading, and more areas that should be addressed. The result can be a far better understanding of the company’s full capabilities while reducing bloat and saving server storage costs. 

Companies can also build on the audit by investing in streamlining or otherwise consolidating IT resources, making them easier to recover and saving valuable time during a disaster. A robust recovery plan is built on the backbone of the IT audit, giving team members an easy-to-review list of business-critical assets with outlined steps for backup and recovery.

The importance of backing up data

For 83% of companies, it’s not a question of if a cybersecurity breach will happen, but when. Companies can only stand to benefit from backing up their data. 

Speed is essential to reducing the effects of a data disaster, with IBM reporting that containing a breach within 200 days can result in an average saving of $1.12 million per data breach. The rate of disasters such as cyberattacks is also increasing, with the cloud accounting for 45% of all data breaches in 2022. 

From setting up cold sites that act as temporary, connected places of work during a data disaster to signing up for disaster recovery as a service (DRaaS), data recovery methods will help companies manage an increasingly uncertain digital landscape.


Also read: A Comprehensive Cyber Insurance Overview


The Written Information Security Plan (WISP)

Many states now require financial institutions, including CPAs, accounting firms, mortgage brokers, universities, and nonbank lenders, to operate under a Written Information Security Plan (WISP). Even if it is not a requirement in your state, generating a WISP demonstrates that your organization is serious about protecting sensitive data for your clients. Additionally, a WISP may limit your liability in the event of a data breach. For more on generating a WISP for your organization, visit the IRS’ guidance here.

An additional layer of protection

Companies use data recovery plans to prepare for the inevitable. Still, the reality is that regardless of how quickly a business can continue its operations following a disaster, it will still have to contend with the costs of legal proceedings, communication requirements, and more. To address this, companies should invest in insurance that protects against the emerging data security and privacy exposures they face today. 

McGowan PRO provides Information Security and Data Privacy Liability Insurance, offering coverage for the costs associated with a data breach. Find policies that cover legal liabilities, expenses related to providing notification of the breach, the cost to defend a regulatory proceeding, and more. 

Contact us today to learn more about our versatile coverage options.