The dilemma of crisis communication in cyber-attacks
As a result, here are some typical responses:
- “We will solve the issues internally first.”
- “Just make sure nothing gets out!”
- “We will not issue information before we have solved the problem.”
- “We’re only communicating what is already known.”
- “We are only communicating what is legally binding.”
What is a company obligated to communicate to its shareholders, customers or employees on the grounds of due diligence? What legal requirements need to be fulfilled here? According to Articles 33 and 34 of the General Data Protection Regulation (GDPR), affected companies are obligated to inform the data protection supervisory authority as well as the individuals impacted. German IT security legislation also stipulates that so-called KRITIS companies, meaning organizations that operate critical infrastructures such as energy and water supplies, are obligated to report incidents immediately.
Attempts to cover up cyber-attacks may well make things worse. Massive attacks will not remain unknown, and concealment strategies vis-à-vis customers and the general public often result in embarrassing legal consequences. Salient examples abound:
- Uber pays a record EUR 126 million fine due to undisclosed data losses
- Data theft may prove expensive for Sony
- BKA only informed of data theft after significant delay
The communication dilemma
What are the best courses of action in the wake of a successful cyber-attack or data loss? If communication sets in too early, the attackers may be warned, while confirmed knowledge may still be lacking. The incident might even be overrated, although the damage was rapidly contained. Negative media reporting will be highly likely. By contrast, communication setting in too late will incur unforeseeable reputational and liability risks, while negative media reporting will be all the more extensive. This appears to be the proverbial choice between the plague and cholera. But the answer is really quite simple: to speak out is silver, while remaining silent will cost you pure gold – because damage to your reputation will result in the greatest costs.
Good preparation is half of the story
In each individual case it is well to carefully consider at what point in time which information is to be communicated, and to whom. A fine-tuned communication strategy will be called for to avoid reputational damage. Ideally, such a strategy should not be devised only once things have gone seriously wrong. By then, it is most likely too late anyway.
As in other cases of crisis communication, regular, proactive communication with the relevant stakeholders pays off handsomely. Based on good contacts with local media, but also with the specialized and technical press, companies will be able to present their position in a factual manner. In this context, social media guidelines for employees are not to be underestimated. Cases are not unknown in which in-house whistleblowers have leaked information – carelessly, or even intentionally – that set the negative spiral in motion in the first place.
When it comes to building up and nurturing trust, companies undergoing a crisis will only be able to achieve this through open dialog with their stakeholders. Stonewalling, “no comment”, piecemeal tactics or whitewashing facts and circumstances will only encourage journalists to dig deeper, or to start speculating.
Here are 10 proven BSK tips to help ensure that the next (communication) crisis in connection with data leaks and cyber-attacks will not catch you off guard:
- Preparation, preparation, preparation: If you have not done any public relations work so far, now is the time to start!
- Integrate cyber-attacks and data leaks as possible events into the crisis response plan (for example, as part of QM, EHS or corporate communication); develop a crisis communication plan/manual
- Compile a crisis team for cyber events consisting of representatives of management, IT, communication, legal and, possibly, external support
- Clarify the actual facts and circumstances as quickly as possible (if necessary involving a specialist in IT forensics)
- Convene the crisis team concurrently; inform the supervisory authority, if appropriate
- Initial communication requirements: timely (“immediately”), truthful, comprehensive; only proven facts; no assumptions or assignments of blame
- Information cascade: first in-house (employees and, if appropriate, investors), then external (customers, suppliers, media)
- Emphasize direct communication (e-mail to employees or a staff meeting rather than a note on the intranet; direct customer communication via e-mail/letter rather than a notification on the website or customer portal)
- Define contacts for queries (by stakeholder group, where appropriate)
- Follow-up communication whenever new, confirmed knowledge becomes available and on conclusion: implemented prevention measures (no mere lip service!)