Reputational damage is often cited as a key risk relating to a cyber breach. Yet many companies are not doing enough to mitigate this risk. As part of Lockton's UK Cyber Security Survey 2017, we asked 200 senior decision makers* which stakeholders were involved in their company's cyber-breach scenario planning.
Almost three quarters (74%) of companies said they do not involve their head of PR and communications when planning for a breach.
If these companies actually suffered a cyber breach, how quickly and accurately could they inform affected third parties? Or respond to media enquiries? And how quickly could they respond to/manage any negative news on social media?
Not very quickly, is the likely answer.
Speed and accuracy
When a company incurs a cyber breach, the speed and accuracy of its response can make all the difference. Yet if PR and comms have not been involved in the planning stages, the efficacy of a company's internal and external communication will be greatly reduced.
Social media really is a game-changer when it comes to cyber incidents and companies' reputations. The days when it might take days for a story to break are over - coverage of your cyber breach could be circulated across the globe within hours.
Consider: more than one quarter of social media crises spread to international media within an hour, and more than two-thirds within 24 hours. It still takes an average of 21 hours for companies to respond, leaving them open to "trial by Twitter".
Of course, you can never entirely control negative coverage on social media, but you do need to try to manage it. If your PR resource is not engaged, you've lost control of how your company is depicted, and have no hope of putting out the fire.
Prepare your message
PR and comms should be integral to the cyber scenario planning stages, according to Jonathan Hemus, managing director at Insignia Communications.
When planning for a cyber breach, Hemus recommends involving PR and comms in the following tasks:
- Compile lists of all internal and external stakeholders who might need to be contacted following a breach.
- Ensure there are up-to-date contact details for all stakeholders.
- Decide, everything else being equal, what channel your company would choose to communicate with relevant stakeholders - whether by email, phone, face-to-face meetings or website.
- Work with other parts of the company to agree the message you would deliver following a cyber breach. Though the specifics would depend on the nature of the breach, the company should agree in principle, before a breach, the type of information it would provide, the tone of voice, the headline messaging and so on.
- Develop template material/messaging - for example, following a breach you may be required to issue media statements, so prepare as much of this material as you can in advance so that you're not starting from scratch.
- Decide your strategy for posting information on your website - for example, which part of your website you would use, how much prominence it would be given.
- Agree the approval process for post-breach communications. For instance, who needs to approve the messages, what is the timeframe? Ensure that all relevant parties are aware of this.
- Ensure adequate media training is provided to spokespeople.
Of course, the exact role of PR and comms will vary between companies. All companies, however, should make PR and comms an integral part of the pre-breach planning process. If you wait until after you've suffered a breach to decide what to say, you've left it too late.
Peter Erceg is senior vice-president, global cyber and technology at Lockton.
*Respondents were CFOs, CROs, CIOs, Directors of Risk and General Legal Counsel. Fieldwork completed in January/February 2017.