The unrelenting pace of cyberattacks shows no signs of abating. Google and Microsoft have pledged billions of dollars to mitigate cyberattacks. The Biden Administration has made cybersecurity a core strategic imperative for America’s national security. State actors continue to unleash debilitating cyberattacks against companies of all sizes. The risk is omnipresent and will continue to intensify.
The level of public-private sector cooperation is unprecedented – and that’s a good thing. But here’s the rub: the sophistication, evolution, and lethality of these attacks will progress. Cyberattacks are one of the most significant threats that can destroy a company’s reputation, undermine customer loyalty, threaten investor commitment, and plunge overall value.
Boards understand an unavoidable reality: it’s not if, but when your company will face a cyberattack. Another thing they must realize is that cyberattacks are distinct from other types of corporate crises – especially in how, when, and why an organization communicates with its stakeholders during and in the aftermath of an attack. Here are five questions boards should ask the C-suite before a cyberattack occurs.
- How well do our Chief Security Officer and Chief Communications Officer work together? Cyberattacks affect every aspect of a business; therefore, it stands to reason that a multidisciplinary team should comprise the Cyber Incident Response Team (CIRT). It’s critical that a senior communications executive is included with legal, technology and security leaders, to ensure effective coordination. This will help to build a bridge between IT, legal, the C-suite, and outside partners, and ensure that the communications team has insights into accurate information as the breach unfolds.
- How will we respond publicly without inciting threat actors? A ransomware attack typically involves ransom negotiations and stolen data. This begs the question of whether your company has a communications governance plan that adheres to compliance, security, and messaging protocols. Any message — whether through a company spokesperson, social media post, or external announcement — must strike the right balance of addressing stakeholders’ key concerns without further provoking the threat actors. When and how the company communicates influences ransom demands, the length and severity of the attack, and the release of stolen information.
Do we have a plan in place that adheres to regulatory protocols? Put simply, if your Chief Communications Officer is spearheading the communications charge, they should be as knowledgeable in cybersecurity reporting requirements as your Chief Compliance Officer to respond to a host of international and domestic compliance protocols.
For instance, UK General Data Protection Regulation requires organizations that are hit by personal data breaches that could “result in a high risk to the rights and freedoms of individuals” to notify the Information Commissioner’s Office within 72 hours. For financial institutions (FI), if customer information is misused or breached, FIs need to inform regulators, under the Gramm-Leach-Bliley Act, in a specified timeframe. Similarly, at the state level, FIs based in New York that experience a cyberattack must follow compliance protocols outlined in the New York Department of Financial Services (NYDFS) Cybersecurity Regulation.
- If our primary modes of communication are compromised, what’s our plan? If one or more communications channels are rendered useless or dangerous because of a cyberattack, it’s critical to have backup communications channels established to disseminate information quickly and effectively. Your communications team must know how to use them and your stakeholders must be reachable via these channels. Your company should consider cloud-based platforms that facilitate one- and two-way communications, and can be turned live at a moment’s notice.
- Should we prioritize speed or accuracy? A slow response during a cyberattack can profoundly damage a company's reputation. Yet, although speed is important, inaccurate information will cause more damage. If the crisis communications infrastructure is already in place, combined with the appropriate legal, compliance, operations, and IT entities, your chances of communicating accurately and impactfully increase significantly.
Cyberattacks represent one of the most severe threats that can tank a company’s value and erode its reputation. The good news is, cyberattacks are front and center on most companies' radar of potential vulnerabilities. But many are still ill-prepared, especially in understanding the significant differences between standard crisis scenarios and cyberattack incidents. While the above questions are not a panacea for warding off attacks, they should help to put your company in a much stronger position to mobilize resources and respond effectively.