Our Blog: The Podium

Developing an Effective Cybersecurity Communication Plan

The Equifax data breach, which affected some 143 million people, is just the latest high-profile incident reported by a large corporation. Verizon announced that 14 million customer accounts were exposed; Bell Canada said the data of 19 million customers was hacked; education platform Edmodo said the data of millions of its 78 million users were sold on the dark web. And Yahoo’s 2013 data breach reached epic proportions this month, when it announced all 3 billion customer accounts were hacked in that attack four years ago.

The good news -- and there is good news -- is that companies are stepping up their efforts to protect data. Ten years ago, information security was seen chiefly as an IT topic. Now, it has been elevated to the status of a strategic boardroom issue. I attend a monthly meeting of corporate board members, and at nearly every event there is discussion about cybersecurity and how to prepare – at the board level – for cyberattacks.

There’s a saying in the IT world: There are two kinds of companies, those that know they’ve been attacked, and those that don’t know they’ve been attacked. With that in mind, here are five critical things every company can do to prepare for a cyber crisis.

Identify the Cyber Crisis Team

In a crisis involving information security, it’s important the right people within the organization be prepared to respond. They also should know what their responsibilities are within the crisis response team. Along with the CEO and CFO, the team should include the chief information officer or highest-ranking IT employee, as well as key people from public relations, corporate communications, investor relations and human resources. Make sure that at least two members of the crisis team have been trained to speak with the media. A major negative event is no time for a public audition.

Constantly Assess Your Risks

Take a strategic, proactive approach to cyber crises by continually assessing your risk of attack. It is likely your IT department is already doing this, so create open dialogue among information security, the executive team and the board. You also will want to establish a risk-aware employee culture and a process whereby employees can funnel their ideas about potential risks through management to an appointed member of the crisis communications team. For each risk, the team should assign responsibility for continual monitoring and assessment, taking actions to mitigate risk when possible.

Consider the Role of the Board

One lesson from the Equifax breach is that boards must stay informed about their companies’ data security. The SEC expects boards to be aware of their companies’ cybersecurity policies and procedures, so have at least one director check in with the head of IT or the crisis team periodically to understand the risks. The board need not be intimately involved in the crisis communication planning process, but it should be kept abreast of messaging in case a cyber crisis should arise.

Develop Messaging Ahead of Time

Once you have begun assessing your key risks and potential cyberattack scenarios, your team will be ready to start preparing. Develop messages that could be used as talking points or as the basis of potential news releases related to the most probable risks. Developing a basic “template” will help the team to be prepared if a successful attack ever occurs, but you will still need to tailor your messaging to address the nuances of the actual crisis. Even so, developing messaging ahead of time will give you a head start when a swift response is critical. Whatever the details of the situation, make sure your public communications include a mitigation plan. Know who has been affected and to what extent. And if you don’t know, make every effort to find out as soon as possible to give your response credibility.

In conjunction with determining the messaging, develop a timeline to announce the incident. Equifax was heavily scrutinized for waiting 40 days to announce its attack, but data breaches can be incredibly complex. It can take months for a company to have all the answers. Law enforcement also may forbid communication during a criminal investigation, compounding management’s dilemma. Try to anticipate various scenarios and how they could affect the message you send.

Get to Know Your Stakeholders (before the crisis)

Maintain the current contact phone numbers and email addresses of all of your company’s major stakeholders. For public companies, this will include large investors and sell-side analysts, as well as major customers, partners, suppliers, local leaders and media members. Surprisingly, many companies skip this step because they mistakenly believe the numbers can be easily located. But in a crisis, there isn’t time to track down that potentially hard-to-reach salesperson to find the right contact at your largest customer. Note: Don’t just know the info; know the people. Having an established relationship with your stakeholders will make negative news easier to digest. It also will build confidence that you have the right team and plan in place when that cyberattack occurs.

Given the number and frequency of cyberattacks, it could be a matter of time before your crisis communication plan is tested. If you don’t have a plan in place, keep these themes in mind as you get started. Once you implement the plan, revisit it regularly to ensure it is up to date and continues to be appropriate to your organization. Companies that continually walk through the planning process will fare better in the long run than those that create a plan once and never review it again.


Maureen Wolff is CEO at Sharon Merrill Associates. She is a National Investor Relations Institute Fellow, Senior Roundtable Member and Honorary NIRI Boston Director. She is a trusted advisor to CEOs, CFOs and boards of directors on critical communications issues, including corporate governance, shareholder activism and proxy contests, CEO succession planning and disclosure issues.
