Losing data and trust: Why you need a cyber crisis communications plan

Cyber crisis strikes hard, fast and usually without warning, causing instant devastation.  

But beyond the initial impact there’s another danger lurking which can hurt you even more in the long run – reputational damage arising from poor communication. 

In recent years, we’ve seen large Australian corporates hit by cyber breaches dig themselves into deeper crises by failing to effectively communicate to their customers and the wider public.  

Even now, several months later, the effects are still being felt, with appearances on lists ranking Australia’s least trusted brands.  

It’s proof positive that silence isn’t always golden.  

The necessity of avoiding a public relations disaster during a cyber incident is further laid bare in the recently released report Governing Through a Cyber Crisis, developed by the AICD in partnership with the Cyber Security Cooperative Research Centre (CSCRC). 

It explicitly highlights that the reputational damage arising from poor communications can be more damaging than the incident itself. 

The 62-page handbook for Australian directors also warns that boards and management should expect all public-facing statements to be provided to regulators and used in any subsequent litigation, including shareholder class actions.  

It even suggests it may be appropriate to brief an external media consultant or public relations firm to assist, depending upon the size of the organisation and the potential for reputational damage. 

Planning ahead 

Before it even gets to that point though, there’s one crucial factor to note. Which is that all businesses should have cyber crisis communications plans.  

Why? Because no one these days is 100% immune from attack. And these plans go a long way towards helping with cyber preparedness. They are also increasingly required to take out cyber insurance. 

Your plan should identify the members of your crisis communications team and their roles, including who has the authority to release communications materials. It should also include pre-prepared statements for common cyber scenarios, so that you have a ready-made response you can tweak, rather than starting from scratch.  

Respond swiftly 

When a cyber attack strikes, you need to be ready to respond quickly.  

There’s a public expectation that organisations will respond to serious cyber incidents swiftly. 

Any communication also needs to be accurate and clear.  

Your customers or clients will be relying on you to disseminate information about the impacts of the cyber incident – particularly how it impacts them. The last thing you want is for them to find out details from other sources, such as online news sites.   

Be wise with your words 

When communicating about a cyber incident, you need to ensure emails, media responses and any other communications are correct and not potentially misleading. 

As noted in Governing Through a Cyber Crisis, all public-facing statements and internal documents could be provided to regulators and could be used in any subsequent litigation, including shareholder class actions. 

Media articles and interviews can also be used in litigation, so be selective in what you say and how you say it. Also be quick to amend any information you discover is incorrect. 

Every action counts, and any response must be well-informed and considered. Otherwise, you risk even further damage to your brand.   

You also need to remember any public communications, including media responses, could influence the actions of the individual or group behind the malicious attack.   

Who is speaking?  

Not only does your company need to be wise with words during a cyber incident, but it also needs to choose the right person to say them. 

In most cases, this should be the CEO. When a cyber-attack hits, customers and clients want to hear details from the top. Plus, if your CEO is not speaking, the media may start questioning why they are keeping quiet in the middle of a major crisis.  

To this end, it’s critical your CEO and executives are well-versed in how to communicate with the media. Cyber incidents have serious consequences, so they’re likely to face serious, hard-hitting questions from reporters. They need to know how to handle them under pressure, so your cyber crisis communications planning should accommodate media training to ensure they are comfortable in making public statements.  

Do you need a cyber crisis communications plan, help navigating a cyber incident or media training for your executive team? Get in touch with us today to find out how we can help. 

More from the blog

In the world of venture capital and angel investing, the adage “investors invest in people, not just companies” holds a lot of truth. Investors are not just looking for a groundbreaking business idea; they are looking for a solid leader who can navigate the tumultuous journey from startup to scaleup and beyond. Most founders have an extraordinary vision. But they need to convince investors they also have the leadership, technical skillset and resilience to see it through.
Raising capital? If so, you need a strategic timeline for your media campaign. Media hits spread out over six to 12 months (or more) leading up to a cap raise is the ideal scenario, with positive stories continuing to drop even as you begin meeting with investors. Media coverage is more important than ever for startups and scaleups, with the current market for raising capital proving challenging. For tips on doing media the right way, check out the latest story in our scaleup blog series.
With climate change affecting every country on Earth, there is a global market for climate tech solutions. But when does it make the most sense for a company to seek markets or investment offshore? It’s a question Bespoken General Manager Michaela Ryan recently explored with Monty Compost Co CEO and founder Ashley Baxter, GeoNadir co-founder Paul Mead and Ashurst Global Co-Head Energy Industry Dan Brown as part of a panel at Climate Salad’s Queensland Climate Tech Showcase 2024.
In the world of venture capital and angel investing, the adage “investors invest in people, not just companies” holds a lot of truth. Investors are not just looking for a groundbreaking business idea; they are looking for a solid leader who can navigate the tumultuous journey from startup to scaleup and beyond. Most founders have an extraordinary vision. But they need to convince investors they also have the leadership, technical skillset and resilience to see it through.
Raising capital? If so, you need a strategic timeline for your media campaign. Media hits spread out over six to 12 months (or more) leading up to a cap raise is the ideal scenario, with positive stories continuing to drop even as you begin meeting with investors. Media coverage is more important than ever for startups and scaleups, with the current market for raising capital proving challenging. For tips on doing media the right way, check out the latest story in our scaleup blog series.

Stay in touch. We love a chat.