On 12 May 2021, the Biden administration unveiled an executive order to improve the US’s cyber security defences. The approach is meant to “improve its efforts to identify, deter, protect against, detect and respond to these actions and actors”.
This is welcome news, but since then we have continued to witness debilitating attacks, from JBS to Kaseya. Enterprises continue to face existential threats from cyber attacks and now the board of directors and the C-suite are left with this unavoidable reality: it’s not if, but when your company will face a cyber attack.
And when confronted with that reality, the board and C-suite will quickly realise that cyber attacks are quite different from other corporate crises – necessitating a pragmatic and tailored approach to communicating with all stakeholders when a breach occurs.
The most pressing questions that the board and other executives should be asking themselves are:
- In the event of a cyber attack, is the company ready to comply with regulatory reporting requirements?
- Has it given thought to how it will communicate with affected stakeholders in the event that primary communications channels have been compromised in the breach?
- How should the company respond publicly without further inciting the threat actors to wreak more havoc on it?
Below are five crisis communications tips that the board and C-suite should consider when thinking about overall cyber security strategy.
1. Ensure a senior member of the communications team is part of the cyber incident response team
Every company should have a cyber incident response team (CIRT, or sometimes CSIRT) with a senior communications executive included. This will help to build a bridge between IT, legal, the C-suite and outside partners, and ensure that the communications team has timely access to accurate information as the breach unfolds.
Having access is half the battle in a cyber-specific crisis and ensures timely reviews and approvals of decisions and content necessary for the team to communicate transparently internally and externally throughout the event. If the CIRT does not have a formally defined role for a senior communications person, the company’s communications response will suffer greatly.
2. Don’t further incite threat actors with undisciplined communications
If you are a board member or part of the C-suite of a company that is in the middle of a cyber attack – especially a ransomware attack that involves ransom negotiations and stolen data – a top priority is ensuring that any communication is measured and mindful of specific demands.
Any message, whether delivered via an email, a company spokesperson, social media post or press release, must strike the right balance of addressing stakeholders’ key concerns without further inciting the threat actors.
How or when the company communicates can influence ransom demands, the length and severity of the attack and the release of stolen information that can have major repercussions on the reputation of the business. Thinking like a threat actor and knowing what will and won’t incite them further is paramount.
3. Always stay on top of compliance and reporting requirements
It is critical that your chief communications officer is as well versed in cyber security compliance and reporting requirements as your chief compliance officer. From publicly traded to privately held firms across nearly every industry, there are a range of reporting requirements to which companies need to adhere that differ globally.
For example, the UK General Data Protection Regulation mandates that organisations that have suffered a personal data breach that is “likely to result in a high risk to the rights and freedoms of individuals”, those concerned must be informed “directly and without undue delay”. Notifiable incidents must also be disclosed to the Information Commissioner’s Office within 72 hours.
Meanwhile, for those operating in the US, a publicly traded company is bound by the Securities Exchange Commission to file a Form 8-K to “announce major events that shareholders should know about”. Failure to do so can result in fines and other punitive measures.
Other examples abound. For financial institutions, if it is determined that customer information is misused or breached, they need to inform regulators, under the auspices of the Gramm-Leach-Bliley Act, in a specified timeframe. Similar conditions exist at state level.
For example, financial institutions based in New York that experience a cyber attack must follow compliance protocols outlined in the New York Department of Financial Services’ Cybersecurity Regulation.
4. Accuracy matters more than speed
Amid a cyber attack, a slow, ineffective response could prove disastrous for a company’s reputation. Speed is important, but inaccurate and incomplete information will cause more damage. If the crisis communications infrastructure is already in place, combined with the appropriate legal, compliance, operations and IT entities, your chances of communicating accurately are better assured.
5. Establish a cloud-based communications system to reach stakeholders if primary communications channels are disabled during a cyber attack
If you preside over a company that primarily uses email to communicate with employees, customers or anyone, and email is down because of the cyber attack, it is critical to have backup communications channels to disseminate information quickly and effectively. Enterprises should consider cloud-based platforms that foster one- and two-way communications that can be turned live at a moment’s notice.
When the primary channels go dark, the company cannot afford the same fate and must have back-up channels established, so it doesn’t miss a beat on the communications front.
For the board and the C-suite, cyber attacks represent a fast-moving, ruinous form of crisis that imperils brands and stakeholders. And while general crisis communications principles have relevance, a cyber attack is a wholly different beast.
The five tips outlined above will help to fortify a company’s crisis communications plan for a cyber attack, but it must also be integrated with a broader cyber security strategy. Without it, companies will imperil their value, security and reputation.
Ted Birkhahn is president of HPL Cyber, a US-based specialist in cyber security branding, communications and marketing.
