Resilience through readiness: mastering cyber incident communications

22 April 2025


KEY TAKEAWAYS 

  • Effective crisis preparedness is essential for business resilience.
  • However, conventional crisis playbooks typically fall short when addressing cyber risk scenarios.
  • Best practice cyber incident response requires tailored communication planning and execution, built on a detailed understanding of the unique reputational, legal, and commercial complexities.

The commercial, legal, and reputational damage posed by cyber threat actors has never been greater. For corporates large and small, the question is no longer whether your organization will experience a damaging cyber incident but when — and how effectively you respond. 

The cyber threat landscape is dynamic and complex. It is defined by relentless threat actor activity, tightening data privacy regulations, heightening litigation risk, and persistent stakeholder scrutiny, and it is exacerbated by geopolitical tension. Against this backdrop, leadership teams must take every step to prepare comprehensively for the communication and reputational requirements of a cyber event.

Unique risks require specialist communications

Cyber incidents pose a unique challenge because they combine interlocking risks.

  • Firstly, the potential business interruption (BI) impact can, in some cases, have catastrophic effects on the delivery of products and services.
  • Secondly, the potential data privacy exposure can have far-reaching consequences for varied data subject stakeholders and significant regulatory and legal implications for the company.
  • Thirdly, there is the potential for share price volatility or lasting damage to corporate reputation generally, including as a direct result of your handling of the crisis and any resulting litigation.

Leadership teams and risk managers must prepare to respond decisively and authoritatively when an incident occurs. This is necessary to maintain business continuity and address legal and regulatory requirements, as well as to ensure stakeholder needs are met, trust preserved, and corporate reputation protected.

What is best practice? 

Effective cyber incident communications begin with crisis preparedness. However, due to the unique nuances in digital threats, conventional crisis communication plans and playbooks often fall short in addressing cyber incident risk. Generic scenario planning and a draft ‘holding statement’ for the media are not fit for purpose. Corporates need detailed specialist planning, adapted to their risk profile and unique stakeholder audiences, and deployed with expert advice and guidance. 

What then are the building blocks of effective cyber incident communications? Core requirements include: 

  1. Effective board leadership is crucial in overseeing an organization's comprehensive cyber risk governance framework. Cyber risk must be treated as a strategic enterprise-wide challenge, not just an IT issue, with incident response and communication prioritized accordingly. Boards should ensure members and management receive proper cybersecurity training, have access to external expertise, and continuously enhance their cyber literacy to keep pace with technological advancements and evolving threats.
  2. A communication strategy that addresses the varying interlocking risks described above. Some cyber incidents have major BI implications, others have none. Some cause significant data impact, others less so. No crisis occurs in a vacuum, so the company’s reputational history will also affect communication planning.  
  3. Clear understanding of legal and regulatory requirements – and their impact on communication strategy and messaging, and how this evolves over the course of an incident. This requires experienced collaboration between cyber-specialist communication advisers, digital forensics, and data specialist legal counsel, working closely in advising the Chief Information Security Officer (CISO), Data Protection Officer (DPO), and senior leadership teams. 
  4. Detailed understanding of the company’s data exposure, its data controller and processor responsibilities, and how this impacts communication strategy. This includes distinct data subject notification planning, including advice and practical support on data security. 
  5. Stakeholder relationship planning for the short, medium and longer-term. Cyber incidents routinely play out over periods of weeks or months. Managing stakeholder demands through this period of difficulty may require careful escalation of message, method and channel, at times on an individual stakeholder basis. 
  6. Detailed scenario planning and template materials, using best practice messaging and language, adapted to differing stakeholder audiences (general vs specific, technical vs non-technical), for ready use. Careful messaging governance is essential to ensure compliance while meeting stakeholder expectations. Media handling strategy is also key here, as best practice differs from other crisis scenarios. 
  7. An effective command structure, underpinned by project and information management plans, capable of monitoring and coordinating significant quantities of data and decision-making on an hourly and daily basis, over time. 

How Sodali & Co can help 

Cyber incident communication preparedness and response are complex and cover a multitude of requirements and actions—this blog touches on but a few. If you would like to discuss this further, our specialist team is here to help. 

 

Summary

Effective cyber incident communications require proactive, tailored planning that addresses organizational risks and stakeholder needs, emphasizing leadership, compliance, and strategic communication.

Author

Peter Barrett

Senior Director, Head of Special Situations

London

peter.barrett@sodali.com

Jenny Pirault

Manager, Crisis & Special Situations

London

jenny.pirault@sodali.com
