Breaches and crises can make or break business value for years to come, knocking billions off company valuation or even revenue. One of my favorite panels at the recent Shared Assessments Summit tackled the topic of post-breach communication.
- Davia Temin, President and CEO, Temin and Company
- Tom Davis, VP, Susan Davis International
- Jesse Bryan, CEO and Creative Director, Belief Agency
- Teri Robinson, Executive Editor, SC Magazine
The following are a few of Chmielewski’s questions:
Do Businesses Have Sufficient Awareness of the Reputational Risk in Crisis Communications?
Panelists were mixed on whether awareness of reputational risk is where it should be. SC Magazine’s Robinson thought it was low. However, Bryan of Belief Agency noted that younger managers at smaller companies understand the news cycle and the need for transparency.
What Aare Some Examples of Successful and Unsuccessful Post-Breach Communications?
The panelists cited the Target breach of 2013 as a counter-example. In the figure above, I show the timeline of the company’s crisis communications and how its position deteriorated rapidly in one or two months. (For more detail on this timeline of what not to do, see International Business Week’s article on how cybertheft snowballed for the giant retailer).
Do Companies Need a Crisis Communications Plan and What Should it Look Like?
Panelists disagreed on the need for a Crisis Communications Plan. Temin and Company’s Temin argued that although planning is OK, a plan is useless because a real crisis is never what you expected. However, Susan Davis International’s Davis felt a plan is an extremely useful exercise that any entity has to go through.
Together, the panelists came up with some great general guidance, amalgamated from my notes. “By the time Teri (Robinson) calls you up … it’s already too late for spin control. You never have the whole story, and you have to assume in today’s porous news environment that the journalist may know as much as you. Whatever you do, don’t lie. It is OK to say: ‘We don’t fully know yet, but I’ll call you back this afternoon.’ Lead with intent. Don’t make excuses. Take responsibility: Here’s what we did wrong, what we’ll do to fix it, and how we’ll continue communicating.”
To this excellent advice, I’ll come down on the side that one should have a crisis communications plan and it should define the thresholds for notifying executives, general policies on how to respond to different types of issues, and basic roles and responsibilities. In addition, any business under high or very high security pressure should have breach response, legal, law enforcement and PR contractual relationships or contracts established or on retainer.
Rocco Grillo, executive managing director at Stros Frieburg (an AON Company), was also at the conference. He pointed me to an article that goes further:
“Organizations must have an incident response plan, exercise it against two to three likely attack vectors, and see how well the company reacts. … Be prepared to respond at your very best in a real breach scenario by conducting simulation exercises for different types of breaches that could affect your organization. Extend your plan and simulation exercises beyond the IT staff to … Legal, HR, Executive Management, and PR / Communications. Have a plan that includes your 3rd-party vendors [and SLAs for 3rd parties’ incident response].”
Grillo’s recommendation to include third-party risk management in the incident process is worth noting, especially at a Shared Assessment Summit. Many breaches do result from a failure of third-party security, however, the fifth annual “Vendor Risk Management Benchmark Study: Running Hard to Stay In Place” found that fully 40% of companies still don’t have a formal risk management program in place.
My other Shared Assessments Summits recap, “Helping CISOs and Board Members Communicate on Risk,” discusses the need for resilience in managing disruptive risks, such as cyber risks. The preparation and execution of crisis communications are where the rubber meets the road.