On 12 May 2021, the Biden administration issued an executive order to improve the US’s cyber security defenses. The approach is meant to “improve its efforts to identify, deter, protect against, detect and respond to these actions and actors”.
This is welcome news, but we have witnessed debilitating attacks since then. Enterprises continue to face existential threats from cyber-attacks. Now the board of directors and the C-suite are left with this unavoidable reality: it’s not if, but when your company will face a cyber-attack.
And when confronted with that reality, the board and C-suite will quickly realize that cyber-attacks are pretty different from other corporate crises – necessitating a pragmatic and tailored approach to communicating with all stakeholders when a breach occurs.
The most pressing questions that the board and other executives should be asking themselves are:
- In the event of a cyber attack, is the company prepared to meet its compliance and reporting requirements?
- Has it been thought about how to communicate with affected stakeholders if primary communications channels have been compromised in the breach?
- How should the company respond publicly without further inciting the threat actors against it?
Below are five crisis communications tips that the board and C-suite should keep in mind when shaping their overall strategy.
1. Ensure a senior member of the communications team is part of the cyber incident response team
Every company should have a cyber incident response team (CIRT, or sometimes CSIRT) that includes a senior communications executive. This will help build a bridge between IT, legal, the C-suite, and outside partners, and ensure that the communications team has access to accurate information as the breach unfolds.
Having that access is half the battle in a cyber-specific crisis. It ensures timely review and approval of the messaging and content the team needs to communicate transparently, internally and externally, throughout the event. The company’s communications response will suffer greatly if the CIRT does not have a formally defined role for a senior communications person.
2. Don’t further incite threat actors with undisciplined communications
If you are a board member or part of the C-suite of a company in the middle of a cyber attack – especially a ransomware attack involving ransom negotiations and stolen data – a top priority is ensuring that any communication is measured and mindful of the attackers’ specific demands.
Any message, whether delivered via an email, a company spokesperson, a post, or a press release, must strike the right balance of addressing stakeholders’ key concerns without further inciting the threat actors.
How or when the company communicates can influence ransom demands, the length and severity of the attack, and the release of stolen information that can significantly affect the business’s reputation. Thinking like a threat actor and knowing what will and won’t incite them further is paramount.
3. Always stay on top of compliance and reporting requirements
Your chief communications officer must be as well versed in compliance and reporting requirements as your chief compliance officer. From publicly traded to privately held firms across nearly every industry, companies need to adhere to a range of regulations that differ globally.
For example, the GDPR mandates that when an organization has suffered a personal data breach that is “likely to result in a high risk to the rights and freedoms of individuals”, those concerned must be informed “directly and without undue delay”. In the UK, notifiable incidents must also be reported to the Information Commissioner’s Office within 72 hours.
Meanwhile, for those operating in the US, a publicly traded company is bound by the Securities and Exchange Commission to file a Form 8-K to “announce major events that shareholders should know about”. Failure to do so can result in fines and other punitive measures.
Other examples abound. Under the Gramm-Leach-Bliley Act, financial institutions must inform regulators within a specified timeframe if it is determined that customer information has been misused or breached. Similar conditions exist at the state level.
For example, financial institutions in New York that experience a cyber-attack must follow the compliance protocols outlined in the New York Department of Financial Services Cybersecurity Regulation.
4. Accuracy matters more than speed
Amid a cyberattack, a slow, ineffective response could prove disastrous for a company’s reputation. Speed is essential, but inaccurate and incomplete information will only compound the damage. If the crisis communications infrastructure is already in place, combined with the appropriate legal, compliance, operations, and IT entities, your chances of communicating accurately are far better.
5. Establish a cloud-based communications system to reach stakeholders if primary communications channels are disabled during a cyber attack
Suppose you preside over a company that primarily uses email to communicate with employees, customers, or anyone, and email is down because of the cyberattack. In that case, it is critical to have backup communication channels to disseminate information quickly and effectively. Enterprises should consider cloud-based platforms that foster one- and two-way communications that can be turned live at a moment’s notice.
When the primary channels go dark, the company’s communications cannot afford the same fate; it must not miss a beat on the communications front.
For the board and the C-suite, cyberattacks represent a fast-moving, ruinous crisis that imperils brands and stakeholders. And while general crisis communications principles have relevance, a cyber attack is a different beast.
The five tips outlined above will help fortify a company’s crisis communications plan for a cyberattack, but it must also be integrated with a broader cybersecurity strategy. Without it, companies will imperil their value, security, and reputation.
Ted Birkhahn is president of HPL Cyber, a US-based cybersecurity specialist in branding, communications, and marketing.