21 Days to Bankruptcy: The Cost of Ignoring Cyber Risk Planning

IT security often feels like a low-priority issue – until it’s too late. For growing mid-sized firms, it’s a blind spot: leadership is focused on revenue, not risk. But one hack, and your operations could be offline for 21 days – and that is long enough to kill your business.

Mid-sized companies often don’t realise how vulnerable they are. Insurers won’t cover them unless their systems meet a certain standard, and even insured firms see claims rejected because their security setup is judged inadequate.

“Insurance companies are terminating contracts themselves because the risk is not predictable anymore,” explains Christoph Schillinger, a cybersecurity specialist at Nexia Austria. “Most of the time, when a company gets hacked, the insurance company says their security has not been sufficient enough to cover the risk, so they won’t cover the payment.”

Growth exposes companies to greater threats, but IT maturity doesn’t always keep pace. “These companies grow quite fast… they very often don’t think about their IT or IT security. As a result they are very vulnerable to these risks,” Christoph notes.

Insurers are pulling back hard. They now require cyber audits and evidence of robust IT systems; firms without these safeguards are either uninsurable or hit with steep premiums. Audits routinely reveal overlooked risks: open ports, poor credential policies, and no documentation.

The real-world impact is devastating. The global average downtime after a cyberattack is 21 days. It’s not just the ransom: you are losing sales, production, and trust for the whole of that period. Many companies go bankrupt before recovery is complete, even when backups exist.

“If you need to set up a completely new infrastructure and that takes you 21 days, but you are actually bankrupt after 14 days, you can have the best backup in the world, but you’re dead before you’re up again,” Christoph warns.

The solution starts with an IT audit to map current risk exposure. Conduct external penetration testing of websites, customer portals, and other public-facing systems, and assess internal controls such as password rotation, access logging, and physical security of the server room.

Develop a Business Impact Analysis (BIA) and an Emergency Recovery Programme (ERP). Identify which systems to restore first. Consider setting up mirror servers to reduce recovery from 21 days to 1-2 days.

“Recovery in 1-2 days compared to 21 days… is a completely different answer,” Christoph emphasises.

Waiting until after an incident to plan is like buying fire insurance whilst the building burns. Prioritising IT audits now can save you from catastrophic operational and financial loss.

Author

Christoph Schillinger

CONSULTATIO

Austria

christoph.schillinger@consultatio.at

+43 1 27775 254