The following is part of a series of instalments providing concise summaries of selected chapters from the New York Stock Exchange’s definitive cybersecurity guide, Navigating the Digital Age.
This blog summarizes Chapter 39: Communicating after a cyber incident by Scott Lindlaw, Principal at Sard Verbinnen & Co. Please refer to the original article for any direct quotations.
The NYSE Law in the Boardroom survey found that data security is the number one concern that keeps board members awake at night.
Recent lawsuits have shown that directors must ensure their companies are prepared to deal with the aftermath of a data breach as well as ensuring the company’s cybersecurity defenses are strong.
To mitigate reputational damage and loss of custom, companies must communicate clearly with multiple audiences. Board oversight of this aspect of cybersecurity must start well before an incident.
The director’s duties and cybersecurity-related communications
Measuring a data breach’s impact on share price is difficult, but companies should expect revenue and profits to be affected by an incident. A primary goal of a post-breach communications strategy should be to mitigate this impact.
Directors must have a high-level understanding of communications strategies as part of their crisis-management duties.
Almost all US states have data breach notification laws, and directors and companies have been sued for failing to notify customers of data breaches. From a communications standpoint, however, complying with breach notification laws should be the minimum: companies must move beyond compliance to stewardship.
The following principles should guide them:
- Preserve the company’s credibility with all constituencies (e.g. consumers, customers, partners, regulators, employees, investors, journalists, analysts).
- Maintain control of the communications process so the company speaks with one voice.
- Provide pertinent, confirmed facts.
- Coordinate all public communications with legal counsel.
- Prepare for potential negative legal, financial, and customer scenarios.
The tactical goals of post-breach communications should be to:
- Reassure all constituencies that you are taking steps to contain and fix the issue.
- Manage how the breach is portrayed in news and social media. Position the company as victim, not villain, where possible.
- Confine public statements to what you know. Don’t speculate.
- Avoid unnecessarily prolonging news coverage.
- Do and say nothing to heighten the interest of regulators.
- Provide no fodder to plaintiffs’ attorneys.
- Minimize damage in the eyes of consumers, customers, and investors.
- Protect share price.
These principles and goals must be integrated into an incident response plan before a data breach occurs, so that the company can communicate quickly and effectively when one does.
Incident response plan
The incident response plan should identify interested parties, such as legal, IT, and communications team members.
Documents such as press releases, Q&A documents, contact lists, and letters to stakeholders such as employees and investors should be prepared in advance as much as possible, with blank spaces for emerging information.
The plan should consider the establishment of a dedicated website and the use of the company’s social media accounts.
The plan should be a living document – regularly reviewed, updated, and tested.
Audiences to consider when responding to a breach
Many different audiences must be addressed, so it is essential to ensure communications are coordinated and consistent, and that the company is prepared to address, among others:
- Consumers, customers, and partners. The breached company should communicate what it is doing to contain the incident, provide assurances about the safety of customer information, give front-line customer service representatives guidance on handling customer inquiries, provide a dedicated call center or website to deal with customer inquiries, and provide third-party credit monitoring if appropriate.
- Journalists and social media communities. The breached company must be prepared to deal with media inquiries and leaks. A process should be developed for engaging the news media, including designating spokespersons, preparing executives for media exposure, monitoring news and social media, correcting factual inaccuracies in reports, and using social media to distribute company messages.
- Investors and analysts. The breached company must be prepared to answer financial questions from interested parties. It may need to file a Form 8-K if the incident's impact is material to shareholders.
- Internal audiences. The breached company must keep employees informed about the incident and about any changes to security policies and processes. Employees should be instructed to avoid talking publicly about the incident and to be alert to future incidents.
Breached companies must also consider that all statements may be monitored by plaintiffs’ attorneys, banks, and credit card companies. Every statement could also end up on social media.
Lawsuits against directors: Communications issues
Breaches are not the only cause of sleeplessness for directors; there’s also the potential for shareholder derivative and securities lawsuits after an incident. Suits typically follow two arguments: first, that directors failed to prevent the breach; second, that they covered it up and/or failed to notify investors and consumers – i.e. there was a failure of communication. The cases against the directors of Target Corp and Heartland Payment Systems demonstrate how plaintiffs use derivative and securities suits to blame directors and officers.
Directors kept awake at night worrying about data security can rest a little easier by preparing and rehearsing an effective post-breach communications plan. This will help the company meet its legal requirements, limit reputational damage, and keep plaintiffs at bay. It is incumbent on directors to ensure that the plan is ready to activate when a data security incident occurs.
Best-practice information security management
The international standard ISO 27001 sets out a best-practice approach to enterprise information security that can be adopted by all organizations. Encompassing people, processes, and technology, an ISO 27001-compliant information security management system (ISMS) is tailored to the outcomes of regular risk assessments so that organizations can mitigate the information security risks they actually face in the most cost-effective and efficient way.
Certification to the Standard demonstrates to investors, stakeholders, customers and staff that information security best practice is being followed.