May 30, 2017

Cyber breach response: Be prepared with crisis communications planning

If your company possesses sensitive or confidential information, the mere mention of the word ransomware may be enough to make your heart race – particularly given the global reach and devastating impact of the recent WannaCry cyber-attack, so powerful that it crippled infrastructure in 150 countries. While your company may have strong operational plans for disaster scenarios, do they address how to contain and manage reputational damage?

When your senior team has just hours – or minutes – to react, how do you respond?

As the number of cyber-attacks continues to grow, so too do regulatory requirements. Companies in 48 states are now forced to address breaches quickly and publicly when “personal information” has been breached.

Attacks in the US have been on the rise for years, with a 38 percent increase in 2015 alone, according to a PwC study. Those affected face debilitating costs. IBM estimated an average price-tag of $4 million in 2016, with the average cost for each stolen record estimated at $158.

Without pre-planning, it’s impossible to act quickly. Indecision, conflicting opinions or a poorly chosen spokesperson can unravel even the best intentions. A crisis communications plan for a cyber-attack ensures that you are prepared to respond with some level of transparency, authenticity and accountability – tenets the public expects.

To ensure that your company is able to preserve and protect its reputation in the aftermath of a data breach, consider these steps:

Conduct regular risk assessments. Is the IT team up to speed on the best possible technology systems? Are they conducting routine audits of business partners to ensure that anyone who has access to data is in compliance? Know the plan for resolving the issue, returning to normal business and assuring stakeholders that you have command of the situation.

Include a PR or communications expert on the crisis management team. As soon as a breach becomes public, the media will want to know why it happened, how you are responding and what you will do for those affected.

Create an inventory of audiences. Knowing your audiences ahead of time and documenting how you will reach them in a time of crisis – particularly if your systems are frozen – is critical to maintaining trust and confidence in the aftermath of a breach.

Know your communications tools. Depending on the severity of the attack, you may need a temporary website, a toll-free information number and a way to quickly reach employees (such as emergency text alerts). Find vendors and test technology in advance.

Create a clear line of communication between the communications team and legal counsel. The regulations in many states are different and nuanced.

Engage the leadership team in developing an overall crisis communications response strategy in advance. This makes it easier to get buy-in during an actual event and allows you to quickly and effectively answer questions from the media and the public.