Why Your Standard Crisis Communications Plan Won’t Work For Cyberattacks

Cyberattacks are distinct from other types of corporate crises—especially in how, when and why a company communicates with stakeholders in the aftermath. Ask these five questions to understand your company's preparedness.

On August 25, 2021, the Biden Administration summoned CEOs from the world’s largest tech companies to urge them to commit significant resources to mitigate cyberattacks. Google pledged to spend $10 billion over the next five years and Microsoft said it would allocate $20 billion over the same timeframe.

This level of public-private sector collaboration is a step in the right direction, but it won’t stop the torrential pace of cyberattacks aimed at wreaking havoc on companies and their stakeholders. In fact, cyberattacks represent one of the most significant threats to a company’s reputation and value. A misstep can sour investors, compromise customer loyalty, undermine employee commitment and damage credibility.

Today, boards of directors and their leadership teams face an unavoidable reality: it’s not if but when your company will face a cyberattack. Boards must prepare and in doing so, realize that cyberattacks are distinct from other types of corporate crises—especially in how, when and why an organization communicates with its stakeholders during and in the aftermath of an attack. To best prepare, below are five questions that boards should ask their CEOs before the next cyberattack occurs.

1. Are we ready to comply with regulatory reporting requirements?

It stands to reason that if your chief communications officer is leading the charge on the communications front, they should be as well versed in cybersecurity compliance and reporting requirements as your chief compliance officer. Whether publicly or privately traded, and regardless of industry, there is a range of reporting requirements to which companies need to adhere.

For instance, the UK General Data Protection Regulation requires organizations that are hit by personal data breaches that could “result in a high risk to the rights and freedoms of individuals” to notify the Information Commissioner’s Office within 72 hours. Additionally, in the United States, a publicly traded company is obligated by the U.S. Securities and Exchange Commission (SEC) to file a Form 8-K to “announce major events that shareholders should know about.”

2. How will we respond publicly without further inciting threat actors to wreak more havoc on the company?

If you’re a board member of a company facing a ransomware attack that involves ransom negotiations and stolen data, is there a communications governance plan in place to ensure that communications are measured and cognizant of specific demands? Whether delivered via email, a company spokesperson, social media post or press release, any message must strike the right balance of addressing stakeholders’ key concerns without further provoking the threat actors. How or when the company communicates can influence ransom demands, the length and severity of the attack and the release of stolen information that can have major repercussions on the reputation of the business. Thinking like a threat actor and knowing what will and won’t prompt them further can make or break negotiations and save the company from further losses.

3. Does your Cyber Incident Response Team include your chief communications officer and chief security officer?

Cyberattacks affect every facet of an organization; therefore, the Cyber Incident Response Team (CIRT) should be a multidisciplinary team. On that team, it’s critical that a senior communications executive is present, along with legal, technology and security leaders, to ensure they are in lockstep with one another. This will help to build a bridge between IT, legal, the C-suite and outside partners, and ensure that the communications team has access to accurate information as the breach unfolds. Having that access is half the battle in a cyber-specific crisis. It ensures timely reviews and approvals of decisions and provides the team with the right information to communicate transparently, both inside and outside the organization, throughout the event.

4. What will you prioritize: accuracy or speed?

A slow, ineffective response during a cyberattack could prove disastrous for a company’s reputation. But while speed is important, incomplete or inaccurate information will cause more damage. If the crisis communications infrastructure is already in place, combined with the appropriate legal, compliance, operations and IT entities, your chances of communicating quickly and effectively increase significantly.

5. What will we do if our primary communications channel is compromised because of the breach?

A crisis communications response is dependent on having an efficient system of delivering information to key audiences in a timely manner. But what if one or more of those delivery channels are rendered useless or dangerous because of the nature of the cyberattack? It is, therefore, imperative to have backup communications channels ready to go to distribute information efficiently. Your communications team must be proficient in using them and your stakeholders must be reachable via these channels. Enterprises should consider cloud-based platforms that foster one- and two-way communications and can be turned live at a moment’s notice.

While it’s welcome news to see the public and private sector beginning to work together in earnest, board members must take a more proactive role and ask these questions to ensure their companies are well positioned to mobilize resources and respond effectively to an imminent cyberattack. Without asking these difficult questions, chances are your company’s standard crisis communications plan will prove woefully inadequate in the face of a sophisticated and debilitating attack.