Why Your Minimum Viable Business Is The Real Cyber Insurance Question

Estimated reading time: 7 minutes

Lee Nolan, General Manager UK and Ireland for Hitachi Vantara, explains why recovery speed, not breach prevention, defines a company’s true cyber risk.

Most business leaders accept that a breach will happen at some point. Well, they should. The real issue is whether their company can survive it. Lee Nolan has over 20 years of experience in managed services, storage, and enterprise data, and now leads Hitachi Vantara’s UK and Ireland operations. He recently spoke with the Cyber Insurance News Podcast about recovery, resilience, and the key question every CEO should be asking.

The Phrase That Changes Everything

Most boardroom discussions about cyber risk focus on defense. Nolan takes a different approach. He asks a simpler question: what does your business truly need to keep operating?

This is what he calls the minimum viable business. It is not about extras, but the essential systems, data, and processes your company needs to function. Identify these, protect them, and know how quickly you can restore them. Everything else is less important.

The concept sounds straightforward. The execution is not. Modern business environments are deeply interconnected. One system depends on another. A failure in one area triggers a cascade through others. Mapping that dependency chain and building a recovery plan around it is a board-level conversation, not an IT task.

“If you haven’t asked your CISO inside the last four weeks how long it takes you to recover, I suggest you go and ask them.”

Lee Nolan, GM UK/Ireland, Hitachi Vantara

Cyber Insurance News Podcast thumbnail: Lee Nolan of Hitachi Vantara on minimum viable business cyber recovery, ransomware resilience, and immutable backup strategy. Many companies don't know what their cyber insurance covers.


The Numbers Nobody Wants To Hear: What Does Your Cyber Insurance Cover?

The average organization takes 21 to 24 days to restore basic operations after a serious incident. Full recovery takes around seven months. Neither figure is acceptable to a finance team or a customer base. Nolan is direct about what that means in practice.

The ransom itself is usually not the biggest cost. Nolan points to data showing that the total impact on a business can be 20 to 24 times higher than the ransom. Lost revenue, supply chain issues, legal costs, PR, and losing customers all add up fast. For example, the M&S cyberattack erased a year’s profits. The JLR incident affected many UK businesses that supplied them, including small and medium companies that could not handle the financial hit.


Cyber insurance helps with some of these costs, but not always all of them. Nolan compares it to car insurance: your insurer might pay to fix your car, but if your policy does not include a courtesy car, you cannot drive to work while yours is being repaired. The difference between what companies think their cyber insurance covers and what it really covers is often where recovery plans fail.

Build The Castle First

Nolan uses a castle and moat metaphor to explain the architecture of serious cyber recovery. In a fully connected environment, a determined attacker can reach almost anything, including backup systems. When ransomware encrypts live data, organizations reach for their backups. If those backups were also connected, they are also compromised.

The solution is isolation. Critical data lives in a protected environment. It is not on the main network. Nothing enters that environment unless it has been verified as clean. When a breach occurs, the team accesses the castle, retrieves clean data, and rebuilds. That is the architecture behind immutable backups and clean rooms, terms executives often nod at without fully understanding.

Nolan explains these concepts simply. An immutable backup is a copy of data that is written once and cannot be changed afterwards, by an administrator or by ransomware. A clean room is a secure, isolated space where possibly infected data can be inspected without risking further infection. These are not just nice-to-haves; they are essential for any solid recovery plan.

What The Board Must Ask

Nolan closes the conversation with one direct instruction to business leaders. Ask your CISO how long it takes to recover. If the answer surprises you, that is the starting point for a serious investment conversation.

He compares this to health and safety rules. No one questions OSHA compliance on a construction site because the risks are too high. Cybersecurity should be seen the same way. It is not just a cost; it is what allows the business to keep running.


The CISO needs to show what the minimum viable business looks like in real terms. This means having a tested, up-to-date recovery plan with a clear recovery timeline. The board should decide what recovery window is acceptable. That choice will guide how much to invest. If you can accept a longer recovery time, you spend less. If you need a faster recovery, you invest more. This is a straightforward and honest discussion.

One critical detail: plans go stale. Staff change. Systems change. A recovery plan produced 18 months ago may be dangerously out of date. Nolan describes the common pattern as a wave of initiative, a period of rigor, and then gradual drift as attention moves elsewhere. Regular checks prevent that drift.


Where Cyber Insurance Fits In

Nolan is not an insurance professional. He is clear about that. But his perspective from the technology and recovery side is instructive for underwriters and brokers.

He says the best cyber insurance relationships are true partnerships. The insurer is not just someone who reads the policy; they get involved in assessments, audits, and reviewing methods. They help clients understand their risks before a breach happens, not after. This active partnership is where the industry is moving.

The organizations most likely to recover well are those with clear minimum viable business definitions, tested recovery plans, immutable backup infrastructure, and insurers who understand their environment. Those organizations also tend to present better risk profiles at renewal.

FAQ – Minimum Viable Business And Cyber Insurance

What is a minimum viable business in the context of cyber recovery?

It is the smallest set of systems and processes a company needs to keep trading after a cyberattack. It prioritizes income-generating functions over everything else. Identifying it before a breach allows faster, more focused recovery.

How long does cyber recovery typically take?

Industry data points to 21 to 24 days for basic operational restoration. Full recovery averages around seven months. Both timelines carry high financial and reputational costs.

What is a clean room in cyber recovery?

A clean room is a controlled, isolated environment used to inspect and test backups before restoring them to live systems. It prevents reinfecting a recovered environment with malware still present in backup data.

Does cyber insurance cover the full cost of a breach?

Not always. Total breach costs typically run 20 to 24 times the direct ransomware demand. Policy terms vary significantly. Organizations should review coverage in detail against their minimum viable business plan. Know what your cyber insurance covers.

How often should incident response plans be reviewed?

At a minimum, monthly checks are advisable. Staff changes, system updates, and new business arrangements all affect plan accuracy. The UK Cyber Resilience Act requires organizations to maintain a physical copy of their incident response plan.

What should a board ask the CISO about cyber recovery?

Start with the recovery window. How long does it take to restore minimum viable business operations? Is that window acceptable given the company’s financial tolerances? What investment is required to reduce it?
