Cyber crisis strikes hard, fast and usually without warning, causing instant devastation.
But beyond the initial impact there’s another danger lurking which can hurt you even more in the long run – reputational damage arising from poor communication.
In recent years, we’ve seen large Australian corporates hit by cyber breaches dig themselves into deeper crises by failing to effectively communicate to their customers and the wider public.
Even now, several months later, the effects are still being felt, with appearances on lists ranking Australia’s least trusted brands.
It’s proof positive that silence isn’t always golden.
The necessity of avoiding a public relations disaster during a cyber incident is further laid bare in the recently released report Governing Through a Cyber Crisis, developed by the AICD in partnership with the Cyber Security Cooperative Research Centre (CSCRC).
It explicitly highlights that the reputational damage arising from poor communications can be more damaging than the incident itself.
The 62-page handbook for Australian directors also warns that boards and management should expect all public-facing statements to be provided to regulators and used in any subsequent litigation, including shareholder class actions.
It even suggests it may be appropriate to brief an external media consultant or public relations firm to assist, depending upon the size of the organisation and the potential for reputational damage.
Planning ahead
Before it even gets to that point though, there’s one crucial factor to note. Which is that all businesses should have cyber crisis communications plans.
Why? Because no one these days is 100% immune from attack. And these plans go a long way towards helping with cyber preparedness. They are also increasingly required to take out cyber insurance.
Your plan should identify the members of your crisis communications team and their roles, including who has the authority to release communications materials. It should also include pre-prepared statements for common cyber scenarios, so that you have a ready-made response you can tweak, rather than starting from scratch.
Respond swiftly
When a cyber attack strikes, you need to be ready to respond quickly.
There’s a public expectation that organisations will respond to serious cyber incidents swiftly.
Any communication also needs to be accurate and clear.
Your customers or clients will be relying on you to disseminate information about the impacts of the cyber incident – particularly how it impacts them. The last thing you want is for them to find out details from other sources, such as online news sites.
Be wise with your words
When communicating about a cyber incident, you need to ensure emails, media responses and any other communications are correct and not potentially misleading.
As noted in Governing Through a Cyber Crisis, all public-facing statements and internal documents could be provided to regulators and could be used in any subsequent litigation, including shareholder class actions.
Media articles and interviews can also be used in litigation, so be selective in what you say and how you say it. Also be quick to amend any information you discover is incorrect.
Every action counts, and any response must be well-informed and considered. Otherwise, you risk even further damage to your brand.
You also need to remember any public communications, including media responses, could influence the actions of the individual or group behind the malicious attack.
Who is speaking?
Not only does your company need to be wise with words during a cyber incident, but it also needs to choose the right person to say them.
In most cases, this should be the CEO. When a cyber-attack hits, customers and clients want to hear details from the top. Plus, if your CEO is not speaking, the media may start questioning why they are keeping quiet in the middle of a major crisis.
To this end, it’s critical your CEO and executives are well-versed in how to communicate with the media. Cyber incidents have serious consequences, so they’re likely to face serious, hard-hitting questions from reporters. They need to know how to handle them under pressure, so your cyber crisis communications planning should accommodate media training to ensure they are comfortable in making public statements.
Do you need a cyber crisis communications plan, help navigating a cyber incident or media training for your executive team? Get in touch with us today to find out how we can help.