The Equifax data breach, which affected some 143 million people, is just the latest high-profile incident reported by a large corporation. Verizon announced that 14 million customer accounts were exposed; Bell Canada said the data of 19 million customers was hacked; education platform Edmodo said the data of millions of its 78 million users were sold on the dark web. And Yahoo’s 2013 data breach reached epic proportions this month, when it announced all 3 billion customer accounts were hacked in that attack four years ago.
The good news – and there is good news – is that companies are stepping up their efforts to protect data. Ten years ago, information security was seen chiefly as an IT topic. Now, it has been elevated to the status of a strategic boardroom issue. I attend a monthly meeting of corporate board members, and at nearly every event there is discussion about cybersecurity and how to prepare – at the board level – for cyberattacks.
There’s a saying in the IT world: There are two kinds of companies, those that know they’ve been attacked, and those that don’t know they’ve been attacked. With that in mind, here are five critical things every company can do to prepare for a cyber crisis.
Identify the Cyber Crisis Team
In a crisis involving information security, it’s important the right people within the organization be prepared to respond. They also should know what their responsibilities are within the crisis response team. Along with the CEO and CFO, the team should include the chief information officer or highest-ranking IT employee, as well as key people from public relations, corporate communications, investor relations and human resources. Make sure that at least two members of the crisis team have been trained to speak with the media. A major negative event is no time for a public audition.
Constantly Assess Your Risks
Take a strategic, proactive approach to cyber crises by continually assessing your risk of attack. It is likely your IT department is already doing this, so create open dialogue among information security, the executive team and the board. You also will want to establish a risk-aware employee culture and a process whereby employees can funnel their ideas about potential risks through management to an appointed member of the crisis communications team. For each risk, the team should assign responsibility for continual monitoring and assessment, taking actions to mitigate risk when possible.
Consider the Role of the Board
One lesson from the Equifax breach is that boards must stay informed about their companies’ data security. The SEC expects boards to be aware of their companies’ cybersecurity policies and procedures, so have at least one director check in with the head of IT or the crisis team periodically to understand the risks. The board need not be intimately involved in the crisis communication planning process, but it should be kept abreast of messaging in case a cyber crisis should arise.
Develop Messaging Ahead of Time
Once you have begun assessing your key risks and potential cyberattack scenarios, your team will be in a position to prepare its messaging. Develop messages that could be used as talking points or as the basis of potential news releases related to the most probable risks. Developing a basic “template” will help the team to be prepared if a successful attack ever occurs, but you will still need to tailor your messaging to address the nuances of the actual crisis. However, developing messaging ahead of time will give you a head start when a swift response is critical. Whatever the details of the situation, make sure your public communications include a mitigation plan. Know who has been affected and to what extent. And if you don’t know, make every effort to find out as soon as possible to give your response credibility.
In conjunction with determining the messaging, develop a timeline to announce the incident. Equifax was heavily scrutinized for waiting 40 days to announce its attack, but data breaches can be incredibly complex. It can take months for a company to have all the answers. Law enforcement also may forbid communication during a criminal investigation, compounding management’s dilemma. Try to anticipate various scenarios and how they could affect the message you send.
Get to Know Your Stakeholders (before the crisis)
Maintain the current contact phone numbers and email addresses of all of your company’s major stakeholders. For public companies, this will include large investors and sell-side analysts, as well as major customers, partners, suppliers, local leaders and media members. Surprisingly, many companies skip this step because they mistakenly believe the numbers can be easily located. But in a crisis, there isn’t time to track down that potentially hard-to-reach salesperson to find the right contact at your largest customer. Note: Don’t just know the info; know the people. Having an established relationship with your stakeholders will make negative news easier to digest. It also will build confidence that you have the right team and plan in place when that cyberattack occurs.
Given the number and frequency of cyberattacks, it could be a matter of time before your crisis communication plan is tested. If you don’t have a plan in place, keep these themes in mind as you get started. Once you implement the plan, revisit it regularly to assure it is up to date and continues to be appropriate to your organization. Companies that continually walk through the planning process will fare better in the long run than those that create a plan once and never review it again.
Maureen Wolff is CEO at Sharon Merrill Associates. She is a National Investor Relations Institute Fellow, Senior Roundtable Member and Honorary NIRI Boston Director. She is a trusted advisor to CEOs, CFOs and boards of directors on critical communications issues, including corporate governance, shareholder activism and proxy contests, CEO succession planning and disclosure issues.