If companies are to communicate effectively following a cyber attack, they need to involve PR a lot earlier according to Peter Erceg of Lockton.
Reputational damage is often cited as a key risk relating to a cyber breach. Yet many companies are not doing enough to mitigate this risk. As part of Lockton's UK Cyber Security Survey 2017*, we asked 200 senior decision makers** which stakeholders were involved in their company's cyber-breach scenario planning.
Almost three quarters (74%) of companies said they do not involve their head of PR and communications when planning for a breach.
If these companies actually suffered a cyber breach, how quickly and accurately could they inform affected third parties? Or respond to media enquiries? And how quickly could they respond to/manage any negative news on social media?
Not very quickly, is the likely answer.
Speed and accuracy
When a company incurs a cyber breach, the speed and accuracy of its response can make all the difference. Yet if PR and comms have not been involved in the planning stages, the efficacy of a company's internal and external communication will be greatly reduced.
Social media really is a game-changer when it comes to cyber incidents and companies' reputations. The days when it might take days for a story to break are over - coverage of your cyber breach could be circulated across the globe within hours.
Consider: more than one quarter of social media crises spread to international media within an hour, and more than two-thirds within 24 hours. It still takes an average of 21 hours for companies to respond, leaving them open to "trial by Twitter".
Of course, you can never entirely control negative coverage on social media, but you do need to try to manage it. If your PR resource is not engaged, you've lost control of how your company is depicted, and have no hope of putting out the fire.
Prepare your message
PR and comms should be integral to the cyber scenario planning stages, according to Jonathan Hemus, managing director at Insignia Communications.
When planning for a cyber breach, Hemus recommends that PR and comms can help with the following tasks:
Of course, the exact role of PR and comms will vary between companies. All companies, however, should make PR and comms an integral part of the pre-breach planning process. If you wait until after you've suffered a breach to decide what to say, you've left it too late.
Peter Erceg is senior vice-president, global cyber and technology at Lockton.
*Cyber survey_Article 3_Are companies neglecting reputational risks when planning for a cyber breach_v1
**Respondents were CFOs, CROs, CIOs, Director of Risk and General Legal Counsel. Fieldwork completed in January/February 2017.