Cyber Resilience and Business Continuity: Building a Unified Response Framework
On February 21, 2024, a ransomware attack hit Change Healthcare — the clearinghouse that processes roughly half of all medical claims in the United States. Within hours, 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories lost access to claims processing, eligibility verification, and prescription routing. The outage lasted weeks.
A March 2024 American Hospital Association survey of nearly 1,000 hospitals found that 94% reported financial impact. Thirty-three percent said the attack disrupted more than half of their revenue. UnitedHealth Group ultimately estimated losses exceeding $1.5 billion and disbursed $8.9 billion in emergency loans to affected providers. CEO Andrew Witty confirmed the company paid a $22 million ransom.
What drove the damage wasn’t just the initial attack. It was what happened after: healthcare providers discovered their business continuity plans hadn’t been built for this scenario. Manual claim submission processes — paper, fax, phone — collapsed under volume. Staff had no clear protocols for operating without the systems. The gap between “our systems are down” and “here’s how we keep delivering care and getting paid” took weeks to close.
That’s the unified framework problem in real life.
TL;DR
- Cyber incident response (IR) and business continuity planning (BCP) are still siloed in most organizations — but regulators and ransomware actors both know where the seams are
- NIST CSF 2.0 (February 2024), DORA (effective January 17, 2025), and the UK FCA/PRA operational resilience rules (full compliance March 31, 2025) all treat cyber resilience and operational continuity as one integrated obligation
- The 36-hour notification rule (OCC/FDIC/Federal Reserve, compliance date May 1, 2022) defines a cyber incident trigger threshold that should also activate your BCP — but most organizations haven’t made that connection
- The integration failure isn’t philosophical — it shows up in specific gaps: unclear activation thresholds, no joint playbooks, separate testing programs, and governance structures that keep the CISO and BCM lead from ever being in the same room
The Silo Problem
Here’s how most organizations run their cyber and continuity programs separately — and why that fails during an actual incident.
Incident Response is focused on the technical event: detect the threat, contain it, eradicate the malware or attacker, recover the systems. The IR team is thinking in terms of endpoints, network segments, threat indicators, and forensics. Their clock is running from initial detection.
Business Continuity Planning is focused on operations: identify which business functions are affected, activate alternate procedures, communicate with customers and regulators, manage the operational fallout. The BCP team is thinking in terms of critical processes, recovery time objectives, manual workarounds, and alternate sites. Their clock is running from when someone tells them there’s a problem.
The gap between these two worlds is the blast zone. While the IR team is working the technical incident, business operations are in limbo — nobody has officially activated BCP procedures, no one knows who’s authorized to communicate with customers, and the RTO clock is running. By the time IR declares the extent of the damage, BCP is scrambling to catch up.
This isn’t a theoretical gap. A 2024 Corvus Insurance report found that ransomware and extortion incidents surged 67% in 2023, with the financial impact of ransomware-related claims rising 411% from 2022 to 2023. The World Economic Forum noted a 50% year-over-year increase in ransomware attacks in 2023. The organizations hit by these incidents aren’t failing because they lack IR plans — they’re failing because their IR plans and their BCP never connected.
What Regulators Now Expect: An Integrated Framework
Five regulatory frameworks issued or updated between 2019 and 2025 treat cyber resilience and business continuity as one integrated program, not two. If your governance structure keeps them separate, you have examination findings waiting to happen.
NIST CSF 2.0 (February 26, 2024)
NIST released CSF 2.0 in February 2024, adding a sixth function — Govern — to the original five (Identify, Protect, Detect, Respond, Recover). The Govern function explicitly positions cybersecurity as an enterprise risk management responsibility alongside financial and operational risk. The Recover function in CSF 2.0 is also strengthened, with clearer guidance that recovery planning must address business continuity, not just technical restoration.
The practical implication: NIST CSF 2.0 is designed to be used in conjunction with your BCP/BCM framework, not as a standalone cybersecurity checklist.
FFIEC Business Continuity Management Booklet (2019, actively cited)
The FFIEC BCM booklet explicitly requires that incident response procedures “align with other related processes such as cybersecurity, network operations, and physical security.” Examiners assess whether your BCP covers the full range of disruption scenarios — including IT outages caused by cyberattacks. A BCP that only addresses natural disasters and facility outages will generate findings.
DORA (EU Digital Operational Resilience Act, effective January 17, 2025)
DORA is the most comprehensive integration to date. For EU-regulated financial entities (and the in-scope EU operations of U.S. institutions) DORA requires a single ICT risk management framework spanning identification, protection, detection, response and recovery. The ICT business continuity policy must form part of that framework, not sit in a separate document, and entities must set a recovery time objective and recovery point objective for each function, grounded in the business impact analysis rather than chosen per system. Administrative penalties for financial entities are set and enforced by each member state’s competent authority, so the exposure is jurisdiction-specific rather than a single EU-wide figure.
FCA/PRA Operational Resilience (PS21/3, full compliance March 31, 2025)
The FCA’s Policy Statement PS21/3 (with the PRA’s parallel PS6/21 and supervisory statement SS1/21) requires regulated firms to connect their operational resilience framework with governance, operational risk policy, business continuity planning and outsourcing arrangements. The concepts of “important business services” and “impact tolerances”, introduced jointly by the Bank of England, PRA and FCA, create a service-level framing that forces IR and BCP to share the same language.
The 36-Hour Notification Rule (OCC/FDIC/FRB, compliance date May 1, 2022)
The interagency Computer-Security Incident Notification Final Rule requires banking organizations to notify their primary federal regulator within 36 hours of determining that a “notification incident” has occurred: a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the organization’s ability to carry out banking operations or deliver products and services to a material portion of its customers, business lines whose failure would materially affect earnings, operations or franchise value, or operations whose failure would threaten U.S. financial stability.
This rule effectively sets a floor for the BCP activation threshold at banking organizations: the determination that starts the 36-hour notification clock should also trigger BCP activation. Note the “reasonably likely” language. The notification clock can start before systems are actually down, so a BCP that activates only on confirmed outage is already behind the regulator’s clock. If the two processes aren’t connected, you risk a late notification and an RTO breach at the same time.
The Four Integration Gaps
Most organizations trying to connect their cyber and BCP programs run into the same four failure points:
| Gap | What It Looks Like | Fix |
|---|---|---|
| Activation thresholds | IR team is working the incident; nobody has told BCP to activate | Pre-define cyber trigger criteria in the BCP; auto-activate at defined thresholds |
| Communication ownership | CISO is managing the technical response; CFO is fielding customer calls; nobody’s coordinating the message | Joint crisis communications protocol with single spokesperson designation |
| Recovery objective alignment | BIA says RTO is 4 hours for payment processing; IR team is still in containment | BIA RTOs must drive IR escalation — if you’re 2 hours into an incident affecting a 4-hour RTO function, BCP activates now |
| Testing | IR tabletop exercises test technical response; BCP tabletop exercises test operational response; neither tests the handoff | Annual joint cyber-BCP tabletop exercises that include both teams and explicitly test the activation handoff |
Building the Unified Framework
Step 1: Align Your Definitions
Create a shared incident classification matrix that maps cyber event types and severity levels to BCP activation status. Not every cyber incident triggers BCP — but ransomware deployment, confirmed data exfiltration affecting critical systems, and prolonged service outages beyond defined thresholds all should.
Your matrix should answer: “At what point does an IR-managed event become a BCP-activated event?” Define that threshold explicitly, and make sure it mirrors the 36-hour notification trigger if you’re a banking organization.
Step 2: Build Joint Playbooks
Your IR playbooks should include an explicit BCP handoff section: at what stage does BCP activate, who makes that call, and what information does the BCP coordinator need from IR at activation? Your BCP procedures should include a “cyber incident” scenario that runs parallel to your traditional facility outage and natural disaster scenarios.
The playbook handoff is typically: IR Incident Commander declares Severity 1 → BCP Coordinator activates within 30 minutes → joint crisis management team meets within 60 minutes.
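As an added worked example (not code from the original post or from RiskTemplates), the following Python encodes Steps 1 and 2, plus the RTO-alignment rule from the integration-gap table, as one rule set that both teams can test before an incident. The event names, the 50% RTO-consumption trigger, the 30- and 60-minute handoff windows, and the sample incident are assumptions to be replaced with your own matrix. Once the threshold is data rather than a judgement call, the activation decision and its reasons can be logged automatically at the moment they are made.

```python
"""
Cyber-to-BCP activation evaluator.

Added example, not from the original post. Encodes a shared classification
matrix (Step 1), the Severity 1 handoff timing (Step 2) and the RTO-consumption
rule from the integration-gap table as one testable rule set. Event names,
trigger percentages and handoff windows below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed matrix: event types that activate BCP regardless of elapsed time.
AUTO_ACTIVATE_EVENTS = {"ransomware_deployment", "confirmed_exfiltration_critical"}
SEV1 = 1                           # IR severity that forces the handoff (1 = highest)
RTO_CONSUMED_TRIGGER = 0.5         # assumed: activate once half the tightest RTO has elapsed
BCP_ACTIVATION_WINDOW = timedelta(minutes=30)   # BCP Coordinator activates within 30 min
CRISIS_TEAM_WINDOW = timedelta(minutes=60)      # joint crisis management team meets within 60 min
REGULATOR_NOTICE_WINDOW = timedelta(hours=36)   # interagency notification rule


@dataclass
class AffectedFunction:
    name: str
    rto_hours: float          # taken from the BIA
    critical: bool = True


@dataclass
class Incident:
    event_type: str
    severity: int
    detected_at: datetime
    functions: List[AffectedFunction]
    # Set when the bank determines a "notification incident" has occurred, i.e.
    # operations are materially disrupted or reasonably likely to be.
    notification_incident_at: Optional[datetime] = None


@dataclass
class Decision:
    activate_bcp: bool
    reasons: List[str]
    bcp_activation_deadline: Optional[datetime] = None
    crisis_team_deadline: Optional[datetime] = None
    regulator_notice_deadline: Optional[datetime] = None


def hours_elapsed(incident: Incident, now: datetime) -> float:
    return (now - incident.detected_at).total_seconds() / 3600.0


def tightest_rto(incident: Incident) -> Optional[float]:
    """Smallest RTO among affected critical functions, or None if none are critical."""
    rtos = [f.rto_hours for f in incident.functions if f.critical]
    return min(rtos) if rtos else None


def evaluate(incident: Incident, now: datetime) -> Decision:
    """Apply the matrix; return whether BCP activates and which clocks start."""
    reasons: List[str] = []
    if incident.event_type in AUTO_ACTIVATE_EVENTS:
        reasons.append(f"event type '{incident.event_type}' is on the auto-activate list")
    if incident.severity <= SEV1:
        reasons.append("IR Incident Commander declared Severity 1")
    rto = tightest_rto(incident)
    elapsed = hours_elapsed(incident, now)
    if rto is not None and elapsed >= rto * RTO_CONSUMED_TRIGGER:
        reasons.append(f"{elapsed:.1f}h elapsed against a {rto:g}h RTO")
    if incident.notification_incident_at is not None:
        reasons.append("notification incident determined; 36-hour clock running")

    decision = Decision(activate_bcp=bool(reasons), reasons=reasons)
    if decision.activate_bcp:
        decision.bcp_activation_deadline = now + BCP_ACTIVATION_WINDOW
        decision.crisis_team_deadline = now + CRISIS_TEAM_WINDOW
    if incident.notification_incident_at is not None:
        decision.regulator_notice_deadline = incident.notification_incident_at + REGULATOR_NOTICE_WINDOW
    return decision


def demo_scenario(minutes_elapsed: int, event_type: str = "credential_compromise",
                  severity: int = 2, notified: bool = False) -> Decision:
    """Constructed scenario: an intrusion affecting payment processing (4h RTO),
    evaluated `minutes_elapsed` after detection."""
    t0 = datetime(2024, 2, 21, 6, 0, tzinfo=timezone.utc)
    now = t0 + timedelta(minutes=minutes_elapsed)
    incident = Incident(
        event_type=event_type, severity=severity, detected_at=t0,
        functions=[AffectedFunction("payment_processing", rto_hours=4.0),
                   AffectedFunction("marketing_site", rto_hours=72.0, critical=False)],
        notification_incident_at=now if notified else None,
    )
    return evaluate(incident, now)
```

Running `demo_scenario(60)` returns no activation (one hour into a four-hour RTO, no auto-activate event), while `demo_scenario(120)` activates on the RTO rule alone, which is exactly the “2 hours into a 4-hour RTO function” case from the gap table. The non-critical function is ignored when computing the tightest RTO, so a long-RTO website does not mask a short-RTO payment function.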
Step 3: Integrate Testing Programs
See the existing post on 10 tabletop exercise scenarios for business continuity for a ransomware scenario you can run with both teams. The test objective isn’t just “can IR contain the threat” — it’s “can we maintain critical business operations while IR contains the threat, and can we restore operations within our BIA-defined RTOs.”
Post-exercise findings from joint tabletops routinely surface the same issues: unclear activation authority, BCP procedures that assume system access the cyber incident has removed, and communication protocols that assume everyone is in the office.
See also the FFIEC Business Continuity Management requirements guide for the examination standard your joint testing program will be measured against.
Step 4: Unified Governance
If your CISO and your BCM lead report to different executives and never sit in the same governance meeting, the unified framework will stay theoretical. At minimum, both should participate in the same risk committee and review each other’s annual testing programs. At best, your BCM framework includes a cyber resilience chapter, and your Information Security program includes a business continuity section.
This isn’t just organizational tidiness. Regulators are shifting from traditional business continuity toward operational resilience, with service-level resilience as the organizing principle, and that shift requires security and business functions to share the same accountability structure.
So What?
The Change Healthcare attack cost over $1.5 billion in direct losses and disrupted care for tens of millions of patients. It wasn’t a failure of technical security alone — it was a failure of integrated operational resilience. The gap between “our systems are encrypted” and “here’s how we continue operating for the next three weeks” was too wide, and nothing had been built to bridge it in advance.
Your organization doesn’t have to be a healthcare clearinghouse to face this problem. Every organization running critical processes on technology has the same exposure — and regulators across all frameworks (NIST CSF 2.0, FFIEC, DORA, FCA/PRA) have now made the integration expectation explicit.
The questions your next examination will ask: Does your BCP include cyber-specific scenarios? Do your IR and BCP activation thresholds align? Have you tested the handoff? If the honest answer to any of those is “not really,” you have work to do — and the good news is that the work is straightforward once you know where the gaps are.
If you need to build or upgrade your incident response playbooks and breach notification procedures, the Incident Response & Breach Notification Kit includes step-by-step IR playbooks for the most common cyber incident types, a 50-state breach notification matrix, and a tabletop exercise kit you can run with both your IR and BCP teams in 90 minutes.
Related Template
Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.