Last week we had the pleasure of presenting to the Institute of Directors on the topic of cyber breach communications. The IOD and its members should be commended for organizing dialog on the topic of cyber intrusions for members of the boardroom. For most large companies, such as those present last week, a cyber breach is a fact of life. It’s not a matter of if it will happen, but rather a matter of when it will happen.
This is a fast-moving, evolving topic and we welcome feedback and insights on best practices around handling PR in a cyber breach.
Following are some of the key points of our presentation.
1) It’s all about trust.
A cyber breach badly damages trust among customers, employees and stakeholders. The objective of managing PR in a breach is to rebuild this trust. And the way to achieve this objective is by thoroughly managing communications in way that is transparent, action-oriented and highly caring for those customers who have faced damages as a result of the breach. Corporations that attempt to minimize the severing and impact of a breach compound the loss of trust.
2) Being actionable is key.
Communications in the midst of a breach must demonstrate action. Engaging with authorities. Offering customers free credit monitoring. Releasing new features to enhance security. These are all examples of actionable items that work to re-build trust.
3) Communicate like a human.
A heart-felt letter from a CEO can go a long way to repairing the relationship with customers – and can help to rally the mood internally. People recognize that some of the biggest and best companies are targets – and that breaches are almost inevitable. Companies must respond with empathy.
4) Timing is tough.
Getting the timing right for announcing a breach is a challenge. Announcing too soon may make a company look uninformed. Too late and the company looks as if it is hiding information. But the bottom-line is that if customers personal information is impacted, then they have a right to know as soon as possible.
5) Trust in the corporate web site.
Fake news has one upside for corporations – higher levels of trust in corporate web sites. In a breach, the company web site becomes a vital portal for sharing information. All communications on a breach should link back to the web site. We suggest using lots of channels to distribution information about a cyber breach. Facebook, twitter, blog posts, traditional press releases are all useful – but the key is to bring people back to the corporate web site for all of the relevant information.
6) Danger & Opportunity.
The Chinese word for crisis includes the characters for danger and opportunity. And this is a perfect description for managing PR around a cyber breach. The danger is a loss of trust among customers. It is our jobs to ensure this is only a temporary loss of trust – and that following the storm, trust is re-built to even higher levels than before the breach. It is possible – and we have seen many great companies with the right playbook come back even stronger following a cyber breach.
We thank the Institute of directors for raising this topic – it’s a vitally important for all corporate board members. And with proper planning, we are certain that board members can protect the reputations of the companies they serve.