Five tips to ensure your crisis comms plan is ready for a cyber attack

by Joseph K. Clark

On 12 May 2021, the Biden administration unveiled an executive order to improve the US’s cyber security defenses. The approach is meant to “improve its efforts to identify, deter, protect against, detect and respond to these actions and actors”.

This is welcome news, but we have witnessed debilitating attacks from JBS to Kaseya since then. Enterprises continue to face existential threats from cyber-attacks. Now the board of directors and the C-suite are left with this unavoidable reality: it’s not if, but when your company will face a cyber attack.

And when confronted with that reality, the board and C-suite will quickly realize that cyber-attacks are pretty different from other corporate crises – necessitating a pragmatic and tailored approach to communicating with all stakeholders when a breach occurs.


The most pressing questions that the board and other executives should be asking themselves are:

  • In the event of a cyber attack, is the company ready to comply with regulatory reporting requirements?
  • Has the company thought through how it will communicate with affected stakeholders if its primary communications channels have been compromised in the breach?
  • How should the company respond publicly without further inciting the threat actors to wreak more havoc on it?

Below are five crisis communications tips that the board and C-suite should weigh as part of the overall cyber security strategy.

1. Ensure a senior member of the communications team is part of the cyber incident response team

Every company should have a cyber incident response team (CIRT, or sometimes CSIRT) with a senior communications executive. This will help build a bridge between IT, legal, the C-suite, and outside partners and ensure that the communications team has timely access to accurate information as the breach unfolds.

Having access is half the battle in a cyber-specific crisis. It ensures timely reviews and approvals of decisions and content necessary for the team to communicate transparently internally and externally throughout the event. The company’s communications response will suffer greatly if the CIRT does not have a formally defined role for a senior communications person.

2. Don’t further incite threat actors with undisciplined communications

If you are a board member or part of the C-suite of a company in the middle of a cyber attack – especially a ransomware attack involving ransom negotiations and stolen data – a top priority is ensuring that any communication is measured and mindful of specific demands.

Any message, whether delivered via an email, a company spokesperson, a social media post, or a press release, must strike the right balance of addressing stakeholders’ key concerns without further inciting the threat actors.

How or when the company communicates can influence ransom demands, the length and severity of the attack, and the release of stolen information that can significantly affect the business’s reputation. Thinking like a threat actor and knowing what will and won’t incite them further is paramount.

3. Always stay on top of compliance and reporting requirements

Your chief communications officer must be as well versed in cyber security compliance and reporting requirements as your chief compliance officer. From publicly traded to privately held firms across nearly every industry, companies need to adhere to a range of reporting requirements that differ globally.

For example, the UK General Data Protection Regulation mandates that when an organization has suffered a personal data breach that is “likely to result in a high risk to the rights and freedoms of individuals”, those concerned must be informed “directly and without undue delay”. Notifiable incidents must also be disclosed to the Information Commissioner’s Office within 72 hours.

Meanwhile, for those operating in the US, a publicly traded company is bound by the Securities and Exchange Commission to file a Form 8-K to “announce major events that shareholders should know about”. Failure to do so can result in fines and other punitive measures.

Other examples abound. Financial institutions must inform regulators in a specified timeframe under the auspices of the Gramm-Leach-Bliley Act if it is determined that customer information is misused or breached. Similar conditions exist at the state level.

For example, financial institutions in New York that experience a cyber-attack must follow compliance protocols outlined in the New York Department of Financial Services Cybersecurity Regulation.

4. Accuracy matters more than speed

Amid a cyberattack, a slow, ineffective response could prove disastrous for a company’s reputation. Speed is essential, but inaccurate and incomplete information will cause more damage. If the crisis communications infrastructure is already in place, combined with the appropriate legal, compliance, operations, and IT entities, your chances of communicating accurately are better assured.

5. Establish a cloud-based communications system to reach stakeholders if primary communications channels are disabled during a cyber attack

Suppose you preside over a company that primarily uses email to communicate with employees, customers, or anyone, and email is down because of the cyberattack. In that case, it is critical to have backup communication channels to disseminate information quickly and effectively. Enterprises should consider cloud-based platforms that foster one- and two-way communications that can be turned live at a moment’s notice.

When the primary channels go dark, the company’s ability to communicate cannot go dark with them; backup media must already be established so the communications effort does not miss a beat.

Cyberattacks represent a fast-moving, ruinous crisis for the board and the C-suite, one that imperils brands and stakeholders alike. And while general crisis communications principles have relevance, a cyber attack is a different beast.

Ted Birkhahn is president of HPL Cyber, a US-based cybersecurity specialist in branding, communications, and marketing. The five tips outlined above will help fortify a company’s crisis communications plan for a cyberattack, but it must also be integrated with a broader cybersecurity strategy. Without it, companies will imperil their value, security, and reputation.