Sten Eikrem - Information Security & Risk Management

You Can Outsource the Work, But Never the Accountability

4 min read

Business continuity and risk management{.featured-image}

You Can Outsource the Work, But Never the Accountability

A Norwegian court just delivered a €5.6 million lesson that every manufacturing executive needs to understand.

The Case

Btec, an industrial machining company, lost everything in a ransomware attack. They sued their IT provider Nordlo for €5.6 million in damages. They lost the case and got hit with €190,000 in legal costs.

The Reality Check

Btec paid €270 per month for IT services while running operations worth millions. When disaster struck, they discovered they’d bought basic IT support, not business continuity.

This wasn’t a cybersecurity failure. This was a business continuity planning failure.

The Critical Gap

The court found that backup systems existed but weren’t properly integrated into Btec’s operations. They lost 14,000 product specifications and manufacturing processes because they never defined what recovery actually meant for their business.

The technical backups worked. The business continuity plan didn’t exist.

Lessons for Manufacturing

1. Price Doesn’t Reflect Risk

Your €270/month IT contract doesn’t cover your €5.6M business risk. Standard IT support agreements are about keeping systems running, not ensuring business operations survive disasters.

2. Standard Agreements Aren’t Business Plans

IT service contracts define technical obligations—uptime targets, response times, backup schedules. They don’t define your business recovery requirements, production dependencies, or operational continuity needs.

3. Accountability Can’t Be Outsourced

You can outsource technical execution. You can’t outsource responsibility for understanding what your business needs to survive. That accountability stays with business leadership.

4. Recovery Requires Business Context

Technical teams can restore systems. Only business leaders can define:

  • Which manufacturing processes are critical
  • What production data is irreplaceable
  • How operations restart after recovery
  • What “acceptable” downtime actually means

The Questions You Need to Answer

Before the next incident, manufacturing executives must document:

Recovery Time Objectives

  • How long can production actually stop?
  • What’s the financial impact per hour of downtime?
  • Which customers can we afford to fail?
  • What regulatory obligations continue during outages?

Critical Dependencies

  • Which systems and data actually keep production running?
  • What’s the cascade effect if one system fails?
  • Which suppliers and partners are critical to operations?
  • Where are the single points of failure?

Recovery Execution

  • Who executes recovery, not just technical restoration?
  • How do we restart production processes?
  • What’s the procedure for validating recovered data?
  • How do we communicate with customers and regulators?

Accountability Structure

  • Who owns the decision to declare a disaster?
  • Who authorizes recovery procedures?
  • Who validates that recovery is complete?
  • Who accepts residual risk during recovery?

The Accountability Trap

Btec’s mistake wasn’t technical. They assumed their IT provider understood their business continuity needs. The provider assumed Btec had communicated those needs. Neither assumption was tested until disaster struck.

The gap between technical capability and business requirement is where companies fail.

What This Means for You

If you’re relying on standard IT support contracts to protect your manufacturing operations:

  1. Document your actual recovery requirements based on business impact, not technical capabilities
  2. Validate your provider understands manufacturing-specific continuity needs
  3. Test recovery procedures that include business process restart, not just system restoration
  4. Define accountability clearly for business continuity decisions and execution

The Real Cost

Btec paid:

  • €5.6M in lost business value
  • €190,000 in legal costs
  • Immeasurable reputation damage
  • Lost customer relationships
  • Competitive position erosion

All because they assumed €270/month IT support meant business continuity protection.

Bottom Line

Every manufacturing executive needs to stop assuming their IT provider has solved business continuity. You can outsource technical work, but you can never outsource the accountability for keeping your business operational.

The Norwegian court was clear: business leaders own business continuity accountability. Technical providers execute technical contracts. The gap between those two responsibilities is where companies die.

Don’t let a €270 contract create a €5.6 million liability.

What Recovery Planning Gaps Are You Discovering?

Have you validated that your IT service agreements actually cover your business continuity requirements? What assumptions are you making about supplier accountability that haven’t been tested?

The time to discover gaps in your recovery planning is before the incident, not in court afterward.

Originally published: LinkedIn

Case Reference: Btec AS v. Nordlo Norge AS, Norwegian court ruling, 2025 Source: Norwegian court ruling coverage

Connect: Follow for more insights on risk management and security governance on LinkedInMastodonBluesky

Graph View

Backlinks