Mitigating Reputational Risk in a Cybersecurity Crisis

In the wake of a cybersecurity incident, the initial step is often to notify insurers and retain privacy counsel with the insurer’s consent. From there, a forensic firm is the logical next engagement. However, what is often overlooked is the importance of a strategic communications advisor. While there is no doubt that legal and forensics are an integral part of navigating a cybersecurity incident, the organization’s messaging is just as important. Sharing too much information early on can be catastrophic to the organization’s brand; however, not sharing enough can also have adverse consequences. Crafting the appropriate message – internally and externally – is key to avoiding negative publicity, potential stock devaluation, and the unnecessary regulatory scrutiny that publicity can bring.

Avoiding the PR Nightmare

One of the goals of navigating a cybersecurity crisis has long been to avoid the “PR nightmare.” While that objective remains the floor for any organization working through a crisis, broader consequences to the brand can include significant financial and reputational impacts. With the acceleration of security risks created by the transition to remote work and the increasing sophistication of threat actor tactics, organizations face the daunting challenge of balancing the public narrative and protecting their reputations amidst highly fluid and complex investigations and remediation efforts.

Fortunately for those organizations that purchase cyber insurance, a crisis communications firm is one of the key incident response vendors whose costs — when the firm is retained with the insurer’s prior written consent — are typically covered under the policy. In an ideal situation, once privacy counsel is engaged, forensics and crisis communications are next.

Broader Costs of a Cyber Crisis

While stock prices often take only a nominal hit and rebound, long-term consumer/customer trust, employee engagement, and overall brand reputation do not always return. According to a recent study by Infosys-Interbrand, up to $223b of the world’s top 100 brands’ value could be at risk from a data breach.

Consider the following impacts of cybersecurity breaches:

  • Share prices of breached companies hit a low point approximately 110 market days following a breach.

  • Share prices fall 3.5% on average, and under-perform the NASDAQ by 3.5%.

  • Of the 34 companies whose closing shares were analyzed as part of a recent study, tech and finance companies saw the largest drop in share price performance following a breach, while ecommerce and social media companies were least affected.

  • Breaches that leak highly sensitive information like credit card and social security numbers see more immediate drops in share price performance on average than companies that leak less sensitive info, but in the long term they do not necessarily suffer more.

It is for this reason that, when an organization finds itself amidst a cybersecurity event, strategic communications must have a seat at the incident response table from the outset. All corners of the table – cyber insurance, privacy counsel, forensics and communications – must work in lockstep to help organizations mitigate risk regardless of the organization’s industry or size.

Here’s how:

Balance Transparency and Risk in Messaging. Leadership’s instincts in a crisis are often to communicate as openly and as transparently as possible. In a cybersecurity crisis, however, being too transparent too early in an incident may create more risk, not less. Forensic investigations can evolve quickly, and organizations that rush to speculate about the scope of the incident and the data involved run the risk of sharing information that may soon be out of date, or wrong. Publicly communicating specific details of remediation efforts can also affect negotiations with threat actors, and the organization’s leverage in them. While the initial instinct may be to communicate immediately and openly, it’s important that this urgency is balanced with getting the facts right.

Stakeholders may forgive you for being a little slow to respond, but not for being wrong.

Develop a Multi-Stakeholder Communications Plan. Cybersecurity crisis communications strategies must go beyond traditional media relations. Media are not the most critical audience; they are a conduit to your key stakeholders and often filter the message. Developing effective plans for direct engagement and communications with multiple external stakeholders – customers, partners, vendors/suppliers, elected officials, regulators and shareholders – is paramount to restoring trust in the wake of a cybersecurity event. This relentless focus on stakeholder engagement is especially important given the increasing instances of threat actors reaching out to organizations’ customers directly as part of their extortion attempts. Organizations not only need to think about what they are going to say, and to whom, but also how they are going to deliver that message – especially if traditional communications channels (e.g., email) are not accessible in a ransomware event.

Prioritize Internal Communications. Employees can be a neglected audience in incident response, and they can’t afford to be. Internal stakeholders are both an organization’s biggest risk and its most valuable asset when it comes to communications. It’s critical to equip external-facing staff – from your board to sales managers to front-line reception staff – with communications and messaging guidance, as well as escalation paths for triaging difficult questions. At the end of the day, executive leadership must be prepared to communicate frequently, clearly, and authentically with colleagues. Otherwise, they run the risk of turning neglected employees into disgruntled sources of media leaks.

Prepare for the Inevitable. To avoid being caught flat-footed when something goes “bump in the night,” leadership should invest in incident response planning with a keen focus on identifying external partners (insurance, legal, forensics, communications) in advance of an issue. Organizations need to establish clear roles and responsibilities, conduct robust scenario planning around priority and evolving security risks – including ransomware, supply chain attacks, insider threats, etc. – and invest in internal education and training programs to build muscle memory for effectively responding to these issues.

At the outset of a cybersecurity event – and ideally before that issue occurs – organizational leadership must recognize how an effective strategic communications response can help to mitigate reputational risk. Establishing strong partnerships with experts in reputation management and holistic approaches to stakeholder communications before the media firestorm will help organizations get to the other side of a crisis. Otherwise, the organization’s reputation and brand run the dangerous risk of becoming an afterthought in incident response.
