Cyber Crisis Stakeholder Management

Earlier in the year, we hosted an event at the Churchill War Rooms on an increasingly crucial topic in comms and cyber security – cyber crisis stakeholder management in the aftermath of a security incident. You can read a complete summary of the event here, but in this blog, I wanted to walk through the exercise that took place, run by Babel and global law firm Taylor Wessing.

To demonstrate the array of comms decisions and potential consequences that businesses can face in the aftermath of a cyber incident, we challenged our attendees to put their crisis management skills to the test. Four crisis-response teams competed to see how best to manage an evolving cyber crisis and the fallout it can bring across stakeholders, including partners and the media. The attack has already happened; how our teams choose to respond will make all the difference.

SCENARIO ONE

Your sales team reports not being able to access internal systems. While the IT team investigates, more alarms come flooding in. Several applications are down, and groups across the business are locked out of files – a suspected cyber attack. No ransom note has been provided, and whether data has been exfiltrated is unclear. The security team suspects a third party might be responsible for the breach. You decide to notify the ICO within 72 hours, but clients and other stakeholders have not been told yet…

In the immediate aftermath of an attack, there are few certainties. As IT teams scramble to collect information – what has been affected, how the incident occurred and what kind of data has been encrypted – corporate comms teams may already be beginning to act. Technical teams might have early theories on what has happened, but how much can these be trusted? It is often prudent to delay action while teams collect and confirm the facts.

At the same time, businesses may be subject to various notification requirements. Before acting, most of our teams decided to seek advice on these obligations and to check any contractual agreements or regulatory requirements that oblige them to declare breaches. Beyond meeting these, our teams collected more information before pointing the finger at any third party.

SCENARIO TWO

As time passes, some clients notice a drop in communications and make enquiries. Employees are aware of the situation but not the details. They ask for guidance on what to communicate to clients who have yet to be told about the ongoing situation.

While it’s essential to gather information and not rush decisions, there comes a time when you have to act. At a certain point, inaction is action. Ignoring the situation and leaving customers in the dark is an option, but it should not be taken lightly. Not communicating with customers could quickly erode trust and damage or even end relationships. There’s also the risk that media outlets will learn about the attack before your customers do, making matters far worse.

So, releasing a statement is often a necessity. Our crisis teams all recognised this, but there is huge scope for what this type of message can entail. Do you try to calm customers by assuring them their data is safe while you try to salvage the situation and gather more info? Or do you decide honesty is the best policy and release a statement that tells the world everything?

Our teams opted for a more balanced approach. But even within this, there are many choices to be made. One team focused on keeping messaging consistent across customer and internal comms to control and mitigate any speculation in the media. Another group opted to tailor their message depending on the client and any legal or jurisdictional variances they might face.

SCENARIO THREE

After a cyber security provider tweeted about the hacker’s publication on the dark web, the attack came to the attention of a journalist at a UK newspaper, and your comms team was approached for comment on a proposed story. The newspaper also plans to republish false allegations, fed to it by a competitor, that you deliberately failed to protect information and sensitive data due to cost-cutting and that the breach could threaten people’s lives.

With internal teams and customers informed of the incident, it is often only a matter of time before the media learn of a cyber attack. At this point, journalists may reach out for direct comment from the company. While there are limits to what you can (and should) say, being overly defensive in such situations rarely helps.

While engaging with the media can be beneficial, the situation becomes more complex if journalists have incorrect information. Our crisis teams weighed their options carefully here. Not engaging and letting the situation play out (with the information eventually proven wrong) is an option, but the short-term reputational damage could be costly. At the other end of the spectrum, you could go on the offensive and threaten litigation over the publication of misinformation, but our teams were hesitant to add a hypothetical legal battle on top of an already complex situation.

Instead, our teams opted to engage their PR specialists to advise on the best response and how to fit it into the timeline alongside other stakeholder communications. Once satisfied that partners and customers were in the loop, they sought to engage with the journalist to prevent the publication of false information and to provide a statement to balance the coverage.

SCENARIO FOUR

You consider paying the ransom and start to negotiate with the hacker. You are concerned about the reputational impact. The hacking group publishes the data on the dark web, as threatened.

Whether or not to pay ransom demands is a highly debated question in the security industry. Is there a right or wrong answer from a reputational perspective? While paying a ransom could prevent data from being published, there are no guarantees. If your payment is somehow made public, there could still be reputational damage from paying criminals and funding further crime.

For our crisis teams, however, this decision was taken out of their hands. The data has been published. How to respond? Ignoring it is not a viable option because of the damage it could cause to affected partners or customers. Instead, some of our teams opted to start an investigation to learn exactly whose data had been published. From there, plans could be made for those who needed to be informed. Some teams also decided to send an interim communication to staff and clients, telling them about the publication and offering assurance that the situation was being investigated.

SCENARIO FIVE

Sometime later, you receive a letter from a law firm acting for a disgruntled client whose data was stolen during the cyber-attack, threatening to issue proceedings unless a settlement sum is paid. The law firm has published an account of the cyber-attack on its website to attract others with similar claims against you.

Although it can feel like the dust has settled on a cyber incident, some of the impact can be delayed. This is particularly true when it comes to reputation management. In the aftermath, affected customers, partners or employees may seek to make claims. This situation is particularly delicate, as mishandling it could further damage relationships or re-spark media interest.

Our crisis comms teams were divided on how best to respond. Some suggested paying the settlement might be the easiest way to shut the situation down and preserve relations with the customer. Others argued that if further claims emerged, this tactic could quickly backfire. Instead, they considered refuting the claim and fighting the case, or challenging what the law firm had published on its website. Finally, one team, unsure how to proceed, opted first to take advice from PR and litigation specialists on how to respond – always a good option.

The discussion demonstrated the vast decision tree involved in managing reputation with shareholders, employees, customers, suppliers, partners and the media following a data breach. There was a healthy degree of debate within and between our four teams, showing that in many cases there is no easy decision or single correct answer. Appropriate action depends on the specifics of the situation, any legal or contractual obligations that might be in play, and the business’s priorities. Ultimately, having a well-defined team for handling such situations – including appropriate legal and communications counsel – is the best way to be prepared to weather the storm. If you’re looking for additional support in auditing your cyber crisis response with reputational and stakeholder management in mind, get in touch with the team at info@babelpr.com.

Written by

Senior Campaign Director
