You are just about to go to sleep when you get a text from your SOC team: code RED. They have discovered your company has suffered a serious breach and you need to decide what to do. At this point, you are either in the position of having prepared for such an event and your team will follow checklists and playbooks. As part of this process, the team will inform the appropriate Execs on what the situation is and they will be ready to communicate the right information to the people who need to know using a tried and tested Crisis Comms plan. OR you do not have a plan, let alone a tested one, and panic mode sets in….
I am not going to go into all the reasons why you need to be prepared to handle Crisis Communications during a cyber incident, the most important thing to know is that it will make the difference between your organisation’s reputation and brand being damaged far more than it needs to be. The other key issue is that how the breach notification process is handled could make a massive difference to mitigating the fine from regulators.
So what Crisis Communications plans and processes do you need to have in place to handle a breach? Firstly, a cross functional crisis management team (including the board) needs to be established. From there, a monitoring strategy can be put in place to mandate who is responsible for determining when an incident has occurred and how serious it is as well as a developing a plan for the crisis – which may work best as a series of checklists or a playbook.
Some important things at this point to consider are how to prepare for different breach scenarios (ie is it employee or customer data affected? IP theft? Ransomware? etc…). This will influence your strategy with the different audiences. Don’t forget to do practice runs with your internal and external comms teams and include media training where necessary.
Once you have done the ground work what goes into a comms plan?
- Prepare crisis checklist to deal with potential scenarios
- Create a timeline so everyone knows who will do what when
- Team consults with legal and forensics team to determine what incident it is and establish who it affects
- Can you keep it under wraps? (hint: this is not usually an option!!)
- What are your regulatory responsibilities to disclose?
- Which stakeholders are affected?
- Who is responsible for communicating with each group and in what order?
- If a regulator is involved, how can you minimise a fine by demonstrating appropriate action taken?
- If customers are involved, what is the impact on them and how should they be informed?
- If the press are involved, how will you manage the communications?
It is also important to note that social media can exponentially increase if not responded to quickly and appropriately, so it will need to be determined who is responsible for these interactions. Keep in mind that messages must be consistent, so you will need to brief managers and employees, especially customer facing teams. In addition, it will be helpful to prepare:
- An FAQ on incident scenarios
- Media trained spokespeople
- An external comms plan with statements on anticipated likely breach scenarios developed by team
- An internal comms plan
Check and review these plans quarterly with the team to see if your organisation’s risk profile has changed.
Finally, breathe; keep Calm and Carry on and you will get through it. It is not a case of if, it is a case of when a breach will happen in your organisation. As breaches become more common, what counts is how you handle them that will set you apart as a leader in your organisation (and worthy of having that place at the boardroom table!)
If you would like to get some first-hand advice, I am organising a panel on Crisis Communications in a post-GDPR world at the IT Security Analyst and CISO Forum’s CISO Debates 2018 on Wednesday 2nd May 2018 in London.
With the EU’s General Data Protection Regulation (GDPR) on the horizon, what does the board need to make sure they are communicating to employees, customers and stakeholders should the worst happen and a data breach occurs? This discussion will offer best practice advice, what to steer clear of and when to notify when dealing with a data breach event.
Moderator: Lee Munson
Neil Stinchcombe, Eskenzi PR
Jonathan Armstrong, Partner, Cordery
Mark Deem, Partner, Cooley (UK) LLP
Sue Milton, Managing Director, SSM Governance Associates