This is part of an ongoing series from our Issues Response Team on insights and best practices for how to navigate sensitive situations and crises.
Even companies with the best-laid plans and technology investments may fall victim to a cyberattack.
Communications plays a critical role in how a company comes out on the other side of a cyberattack. The actions a company takes in this scenario – how swiftly, frequently and honestly you communicate – can either build or erode trust.
So what actions can you take to ensure your company is prepared?
Plan for the Inevitable
Have your crisis plan in place BEFORE a crisis hits. Best case scenario, you never have to touch the plan. Worst case scenario, you have to use it, and you don’t have to scramble to put it into place in the midst of the crisis when you will be expected to move quickly.
Key components to your crisis plan:
- Define Your Crisis Team – This is the team that would immediately gather if a cyberattack occurred. Typically, your crisis team includes representatives from your C-suite (CEO, COO, CMO, CSO), Head of Communications, Head of Internal Communications, General Counsel and your PR team. But this list may look different for your company, so outline your key lieutenants up front.
- Outline Roles and Responsibilities – Define who will own what in a crisis scenario (e.g., who will communicate with your board, your internal team, your customers and partners; who will monitor your social channels; media scanning, etc.). This is also a good time to define who your lead spokesperson would be in this event (note: this spokesperson may evolve depending on the level of crisis).
- Outline Your External Stakeholders – In the event of a cyberattack, who are the key stakeholders you need to communicate with? Typically, this would include your employees, customers, partners and board of directors (BOD).
- Define Your Levels of Crisis – What is a Level 1, 2 and 3 crisis for your company (with Level 1 being the worst-case scenario, involving the biggest business impact)? Draft sample holding statements and develop sample FAQs for each of these levels of crisis. For example, you can prepare for three cyberattack scenarios:
  - Level 1 Crisis: A cyberattack that has hit the majority of your customers, is not contained, and has compromised customer personally identifiable information (PII).
  - Level 2 Crisis: A cyberattack that has hit more than 50% of your customers and is in the process of being contained, but where customer PII was not compromised.
  - Level 3 Crisis: A cyberattack that is contained and impacted only a small number of customers, with no customer PII compromised.
Going through the exercise of preparing holding statements can help your company define how you would speak in these scenarios (tone, etc.) and also help prepare you for questions you may be asked. For example:
- When and how was the cyberattack discovered?
- Who was impacted?
- What is the level of impact?
- Is the cyberattack contained? If not, what is being done to contain it?
- What caused the cyberattack?
- How is your company preparing to ensure this doesn’t happen again in the future?
The Inevitable Happened… You’ve been Attacked. Now What?
Get Your Crisis Team on a Call
The purpose of the call should be to get a brief on the cyberattack: What’s the level of impact? Who was impacted? Is it contained? If not, when do you expect it to be contained?
Discuss your key messages for your customer communication and holding statement. While your tone may change for your audiences (customers versus media), your messages should remain consistent. Be aware that anything shared internally or externally could be “leaked” on social channels or to the press. So don’t share something that you’re not willing to share publicly.
Other actions to be taken on this call:
- Define your stakeholders who need to be communicated to.
- Agree whether your holding statement will be proactively or reactively shared (the higher level the crisis, the more proactive the response). And if it will be made public (on your site) or shared with select parties via email (again, the higher level the crisis, the more public the statement will be).
- Define roles and responsibilities. Who is developing the holding statement? Who is it attributed to? Who is it going to (assuming you’re proactively sharing it)? Who is responsible for internal communications? Who should inquiries be funneled to (typically this is the comms team)? Who will be monitoring your social channels and the press?
- Determine a date/time for your next check-in as a crisis team. You may also agree on sending hourly updates on activities (e.g., social team reports hourly on any activity on social).
Prepare Your Holding Statement and Customer Communication
Remember the key elements to your holding statement:
- The Facts: While your facts are likely limited early on, acknowledging the attack is important. Take ownership and don’t hide from the reality of the situation. (e.g., “We discovered a cyberattack that has impacted XX% of our customers.”)
- Empathy: Put yourself in your customers’ shoes. They want to know that you care about the integrity of their data. (e.g., “We take the utmost care in the integrity of our customers’ data.”)
- Action: State the actions that are being taken to address the cyberattack. (e.g., “We are working with a third party to investigate the attack.”)
- Expectation Setting: Define when you will be in touch next with updates. This last piece is critically important, especially for cyberattacks that are not yet contained. While you don’t want to outline a day/time it will be contained (unless you’re highly confident that it is accurate), you do want to set expectations on when customers (and other external stakeholders) will get an update from you. (e.g., “We will provide an update by 5 p.m. ET.”)
- Your holding statement should be succinct, but its goal should be to provide confidence that you’re addressing the issue swiftly and head-on and are working in the best interest of your customers.
- With cyberattacks, if you are able to confirm that the attack did not impact PII, that is a critical point to address. Your customer communication – which is typically the holding statement in email form – should also supply an email address to funnel customer inquiries.
Suggested Read: Issues Response Framework: Guiding Your Internal and External Communications
Prepare Your FAQs
While you may not need to use these, outlining questions you may receive from customers and the media allows you to be prepared with responses. You may also want to gather support materials (e.g., your privacy policy or past blog posts on how you manage data) so you can point to published materials on how you handle data. If appropriate, you may also choose to share these FAQs internally, for example with your sales and customer care teams, so they are prepared to answer customer questions.
Develop Your Media Strategy
While customer communication is typically the first order of business during a cyberattack, you also need to have an agreed-upon media strategy. Will you proactively or reactively share your holding statement? Where will media inquiries be funneled and who is the spokesperson?
In a Level 1 crisis, a proactive strategy may be in order (getting out in front of the inquiries). In other levels of crisis, it may be enough to respond with the holding statement that has been prepared. We typically do not recommend media interviews while in the midst of the crisis. A holding statement that is updated as needed is the right response, as getting the cyberattack resolved is the primary focus. For Level 1 crises, you may also designate a place on your site (for example, your blog) where you update your holding statement with a date/time stamp. This is where you can point the press for consistent updates on the crisis.
Ensure Your Team Knows Where to Funnel Questions
Whether it’s your sales team, customer care team or your internal staff, make sure your team knows whom to funnel inquiries to and who the appropriate person is to address the questions.
Listen & Monitor
This step is critically important, as tuning into key channels – customer care team inquiries, internal team questions, activity on your social channels, media inquiries and/or coverage of the cyberattack – will play a role in your evolving strategy.
In the scenario where you’re getting more inquiries and the cyberattack is gaining more public visibility, your Level 2 crisis can turn into a Level 1 crisis. Set up a cadence for reporting out regularly on this listening and monitoring (even if it’s to say there are no updates!). If your social media channels are heating up with inquiries, consider posting your holding statement somewhere on your site (homepage or blog) and pointing all social media inquiries to that holding statement.
Suggested Reading: Issues Response: Mitigating a Sticky Social Situation
Be Fluid & Agile
As a crisis evolves, so does the level of response. While an agreed-upon “reactive” strategy might have been in place, an ongoing attack may require a shift to a “proactive” response. There is no hard and fast rule for when this shift happens, so you need to be prepared to be agile and fluid. Customer inquiries, media inquiries or activity on your social channels can quickly move a reactive strategy into a more aggressive proactive strategy.
While the cyberattack can be difficult to navigate, there are opportunities to turn a negative into a positive. In fact, your key learnings just might be the start of your next thought leadership platform.
Stay tuned for our next IRT blog on best practices for handling internal comms when working through crises and issues.