It is 02:00. A ransomware attack has encrypted the primary network. Email is down. The internal communications platform is unavailable. The incident response plan is stored on a network drive no one can access. Read on and learn about the five cyber resilience gaps that decide whether you recover — and how to close them.


The clock is ticking. The NIS2 early warning window opened the moment the incident was detected. The DORA four-hour notification clock is running. The board needs a picture. The response team needs to coordinate. Someone needs to be building the record — because regulators, insurers, and investigators will ask for it, and it cannot be reconstructed from memory after the fact.

The question is not whether your organisation has a plan. It is whether the infrastructure to execute it survives the attack.

Cyber resilience: five gaps

How this scenario unfolds depends entirely on the organisation's approach to cyber resilience: the ability to withstand disruption, recover from it, and improve defences against the next one. Let's consider five common gaps that make all the difference.

Gap one: independent response infrastructure – will it survive the attack?

When a ransomware attack hits, the tools most organisations rely on to coordinate their response — internal communications platforms, shared document stores, incident logs, notification systems — are frequently built on the same infrastructure under attack. The response capability shares the fate of the systems it is supposed to manage.

This is not just an architectural concern. DORA Article 17 requires financial entities to establish ICT incident management processes that are independent of operational ICT systems — a legislative recognition that the dependency problem is real and structural, not a configuration error to be fixed later. For organisations outside financial services, the logic is identical even where the mandate is not.

Two cases from the past five years make the point from opposite ends:

Case 1: MGM Resorts

In September 2023, MGM Resorts was breached through a ten-minute social engineering call to its IT help desk. ALPHV, the ransomware group responsible, explicitly cited ‘weak incident response playbooks’ as the reason MGM’s attempts to contain the attack failed at each step. 

Over ten days, digital room keys, slot machines, payment systems, and reservation infrastructure across more than 30 properties went dark. The estimated cost exceeded $100 million. The response infrastructure was not independent of the systems under attack — and when those systems failed, so did the response.

Case 2: Norsk Hydro

Norsk Hydro faced a comparable scenario in March 2019 when LockerGoga ransomware encrypted systems across 170 sites and 35,000 employees in 40 countries. The difference was what happened next. 

Leadership had defined roles and decision-making authority before the crisis arrived. Critically, the treasury team coordinated critical payments through a separate, air-gapped network with J.P. Morgan — independent of the infrastructure under attack. The response operated through contingency channels built before they were needed. Hydro did not pay the ransom. Law enforcement and the information security industry described the response as the gold standard. Total cost: $70 million — significant, but contained. The containment was a function of architecture, not fortune.

Gap two: your emergency readiness – has it been tested or assumed?

Not one of the 750 enterprise CISOs surveyed by Absolute Security in 2026 was able to restore business operations within 24 hours of a significant cyber incident. The Sygnia 2026 CISO Survey found that 76% of organisations experienced at least one cyber attack in the last 12 months — and yet 73% would not be fully ready to execute their incident response plan under pressure if a significant attack occurred tomorrow.

The UK Government's Cyber Security Breaches Survey 2025/2026 found that only 25% of businesses have a formal incident response plan in place. The Gartner CISO Leadership Perspectives survey of more than 1,100 security leaders found that cyber resilience became the top functional priority in the first year it appeared as a survey option. The gap between priority and practice is the readiness gap.

NIST CSF 2.0’s Respond function calls explicitly for incident response procedures exercised regularly under realistic conditions — not validated on paper and assumed to work. Exercises that run on different infrastructure from live incidents do not close this gap. The simulation-to-reality transfer fails because the conditions are not the same. Readiness is built through repetition on the same system used when something real happens — with partners, authorities, and specialist responders practising together before they need to act together.

Gap three: your response speed – how fast can you respond?

The financial case for speed is unambiguous. Allianz Commercial’s cyber claims analysis found that the cost of a ransomware attack that progresses to data theft and encryption can be 1,000 times higher than one detected and contained early. 

The IBM Cost of a Data Breach Report 2025 found an average breach lifecycle of 241 days globally, with the average US breach cost reaching a record $10.22 million. The scale of that disruption has a name and a number in 2025: M&S estimated its cyber incident would reduce group operating profit by around £300 million before mitigation; Co-op recorded an estimated adverse trading impact to revenue of £206 million in a single half-year.

As one CISO noted in Gartner’s 2026 research: ‘Cyber resilience goes well beyond IT recovery plans — it includes legal, public relations, market disclosures, and supplier readiness. It’s about full, end-to-end coordination and readiness across departments.’ Speed of response is the primary determinant of financial outcome. It depends on whether coordination, communication, decision-making, and stakeholder notification are available from the first moment — or have to be improvised from whatever remains functional.

Gap four: your time to recovery – how long will it really take?

Containment and recovery are not sequential — they are parallel. The moment an incident is declared, two workstreams need to run simultaneously: 

  • the technical response containing the breach 
  • the operational response restoring the business

Most organisations treat recovery as the second phase, something to be organised once the immediate crisis is contained. The Absolute Security survey found the consequence of that approach: average downtime of nearly five days, with some organisations experiencing disruption lasting two weeks and recovery costs averaging $5 million per incident.

The organisations that recover fastest have pre-built recovery action plans that activate alongside the incident response — assigned, tracked, and visible to everyone who needs to act on them. Recovery is not improvised after the fact. It runs from the first moment, in the same platform as the response, with the same situational picture available to the teams doing it.

Gap five: continuous learning and improvement – what will you learn and how?

As Koen Matthys, CxO/Principal and owner at Metavoli, observed in the RAYVN webinar Cybersecurity: Prepare for an Attack: ‘Typically, all members of the IRT team dive into the logs and focus on the forensics while the stakeholders, communication aspect and the logging of the handling itself are ignored. A lot of precious time is wasted here.’

It is a widely recognised failure mode — and its consequences extend well beyond the incident itself. 

The regulatory obligations are unforgiving: 

  • NIS2 requires an early warning within 24 hours of awareness; 
  • DORA requires an initial notification within four hours of classifying an incident as major.

Both depend on a record built during the incident, not assembled afterward from memory and partial notes. The FCA’s March 2026 operational resilience review found that documentation was complete in some firms — the capability it described was not. Germany’s BSI issued formal notices to 47 entities in Q4 2025.

But the deeper cost is what happens after the regulatory window closes. Without an automatic record, the post-incident review has nothing to work from. Plans do not improve. The next incident starts from the same baseline as the last. 

NIST CSF 2.0’s Govern function — added in the 2024 revision — requires the cybersecurity posture to be demonstrably understood, managed, and improving. That demonstration depends on a record that builds itself during the event. Organisations that do not have one are not becoming more resilient. They are resetting each time.
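As an added illustration (not RAYVN's product and not code from the article), the sketch below shows what an automatic record of the kind Gap five describes can look like: a hash-chained, time-stamped incident log from which the NIS2 and DORA deadlines are derived rather than recalled, and which detects after-the-fact edits. The anchor points (detection for the 24-hour early warning, classification as major for the 4-hour notification), the actor and action names, and the timestamps are assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Windows as stated in the article; anchoring them to detection (NIS2) and to
# classification as major (DORA) is this example's assumption, not legal advice.
NIS2_EARLY_WARNING = timedelta(hours=24)
DORA_INITIAL = timedelta(hours=4)
GENESIS = "0" * 64
def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

@dataclass
class IncidentRecord:
    detected_at: datetime
    classified_major_at: "datetime | None" = None
    entries: list = field(default_factory=list)
    def log(self, actor: str, action: str, at: datetime) -> dict:
        # Each entry commits to the previous hash: later edits, reordering or drops break the chain.
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "at": at.isoformat(),
                 "actor": actor, "action": action, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry
    def classify_major(self, at: datetime) -> None:
        self.classified_major_at = at
        self.log("incident-lead", "classified as major incident", at)
    def deadlines(self) -> dict:
        # Derived from logged timestamps, not reconstructed from memory afterwards.
        d = {"nis2_early_warning": (self.detected_at + NIS2_EARLY_WARNING).isoformat()}
        if self.classified_major_at is not None:
            d["dora_initial_notification"] = (self.classified_major_at + DORA_INITIAL).isoformat()
        return d
    def verify(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def sample_record() -> IncidentRecord:
    # Constructed 02:00 scenario; actors, actions and timestamps are illustrative.
    t0 = datetime(2026, 3, 10, 2, 0, tzinfo=timezone.utc)
    rec = IncidentRecord(detected_at=t0)
    rec.log("soc-analyst", "ransomware encryption detected on primary network", t0)
    rec.log("incident-lead", "incident declared; response team mobilised", t0 + timedelta(minutes=5))
    rec.classify_major(t0 + timedelta(minutes=20))
    return rec
```

In practice the record would be written to storage that is independent of the network under attack, which is the point Gap one makes; the chaining only proves that what is stored was not altered afterwards.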

Closing the five gaps

Each gap has specific compliance guidance:

Gap                  Core capability                             Compliance
The contingency gap  Independent response infrastructure         DORA; ISO/IEC 27001
The readiness gap    Exercises on live-response infrastructure   NIST CSF 2.0; ISO/IEC 27001
The response gap     Immediate cross-functional coordination     NIS2; DORA
The recovery gap     Parallel recovery and containment           ISO/IEC 27001; NIST CSF 2.0
The learning gap     Automatic audit record                      NIST CSF 2.0; NIS2; DORA

The 02:00 attack when the gaps are closed

It is 02:00. A ransomware attack has encrypted the primary network. 

  • The incident is declared. 
  • The response team is mobilised in seconds — not through email, not through the internal platform that just went dark, but through infrastructure that was never on the network under attack. 
  • External counsel and the communications lead are notified automatically. 
  • The regulators’ clock is visible to everyone who needs to see it. 
  • Every action is logged as it happens. 
  • The board has a picture calibrated to what they need to act on, not a filtered briefing that arrives twenty minutes late. 
  • Recovery actions are assigned and tracked. 
  • By the time the forensics team has finished mapping the breach, the record of every decision made and every action taken already exists — complete, time-stamped, ready for the NIS2 notification, the insurer, and the post-incident review that will close the learning loop before the next event arrives.

That’s cyber resilience in action.


  1. Absolute Security. Cyber Resilience Survey 2026. 750 enterprise CISOs. January 2026. https://www.businesswire.com/news/home/20260108022999/en/Cyber-Incidents-and-Attacks-Disrupt-Enterprise-Business-Operations-for-Two-Weeks-Reveals-First-Comprehensive-Global-Cyber-Resilience-Survey
  2. Sygnia. 2026 CISO Survey: The State of Incident Response Readiness. April 2026. https://www.sygnia.co/press-release/sygnia-released-ciso-survey-2026/
  3. UK Government, Department for Science, Innovation and Technology and Home Office. Cyber Security Breaches Survey 2025/2026. April 2026. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-20252026/cyber-security-breaches-survey-20252026
  4. NIST. Cybersecurity Framework 2.0. February 2024. https://www.nist.gov/cyberframework
  5. Gartner / Evanta. CISO Leadership Perspectives 2025. Survey of more than 1,100 CISOs. 2025. https://www.evanta.com/resources/ciso/survey-report/top-3-priorities-for-cisos-in-2025
  6. Panorays. 2026 CISO Survey for Third-Party Cyber Risk Management. January 2026. https://panorays.com/blog/ciso-survey-2026/
  7. MGM Resorts cyber attack, September 2023. ALPHV post-incident statement; multiple post-incident analyses 2023–2024. https://www.netwrix.com/en/resources/blog/mgm-cyber-attack/
  8. J.P. Morgan Treasury Insights. How to maintain full treasury operations in the midst of a cyber-attack? Follow Norsk Hydro’s gold standard response. https://www.jpmorgan.com/insights/treasury/treasury-management/norsk-hydros-gold-standard-response
  9. IBM Security. Cost of a Data Breach Report 2025. Conducted by Ponemon Institute. July 2025. https://www.ibm.com/reports/data-breach
  10. Allianz Commercial. Cyber Security Resilience 2025: Claims and Risk Management Trends. September 2025. https://commercial.allianz.com/news-and-insights/news/cyber-risk-trends-2025.html
  11. Marks and Spencer Group plc. Annual results statement filed with the London Stock Exchange, 21 May 2025. https://therecord.media/marks-spencer-cyberattack-hit-to-profits-300m
  12. Co-operative Group. Interim Results for six months ended 5 July 2025, published 25 September 2025. https://assets.ctfassets.net/5ywmq66472jr/inQbpqZKZA34xlGz3t2Pu/51ff10a1def9367c28ee0fc1a9bf979a/Co-op_Interim_Results_2025.pdf
  13. World Economic Forum and Accenture. Global Cybersecurity Outlook 2026. January 2026. https://www.weforum.org/publications/global-cybersecurity-outlook-2026/
  14. ISO/IEC 27001:2022. Information security management systems. Annex A controls A.5.24–A.5.28: Information security incident management.
  15. Financial Conduct Authority. Operational Resilience Insights: Observations One Year On. March 2026. https://www.fca.org.uk/publications/good-and-poor-practice/operational-resilience-insights-observations-one-year
  16. NIS2 Directive (EU) 2022/2555. Article 23: Reporting obligations.
  17. Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554. Articles 17 and 19. Commission Delegated Regulation (EU) 2025/301.
  18. Germany BSI. NIS2UmsuCG enforcement notices, Q4 2025.
  19. Koen Matthys, Group CISO, Grieg. RAYVN webinar: Cybersecurity: Prepare for an Attack, 2023. https://rayvn.global/blog/cybersecurity-prepare-for-an-attack
