Crisis communications for cybersecurity incidents

by Tang Wai Leong

Cyber threats are on the rise in Asia Pacific, with organisations in the region experiencing an average of 1,835 attacks weekly, according to The International Institute of Strategic Studies. There is an increasing acknowledgement among companies that it is a matter of not if, but when they will have to manage a cybersecurity crisis.

Here are five key points that we share with our clients to preserve trust and their reputation during a cybersecurity crisis:

  1. Be prepared to manage a cybersecurity crisis on multiple fronts

When you face a cyber crisis, it’s likely to bring a range of implications—from legal and regulatory compliance challenges to client and partner assurance issues. Organisations should be prepared to manage these challenges from multiple fronts.

  1. Recognise that cybersecurity crises are dynamic and constantly evolving

Cyber crises are often dynamic and can escalate rapidly. What may start as a ransomware attack can quickly become a larger issue if the hacker decides to leak or sell commercially sensitive data online. Leaked sensitive data might spark a greater crisis and a cascade of repercussions, as seen in the Panama Papers scandal. Being prepared for this evolving nature means continuously monitoring the situation and adapting the response plan accordingly.

  1. Understand your audience

The concerns of consumers during a data breach are different from those of the regulators or media. While core messaging and facts disseminated must always be consistent, the tone of voice and phrasing used may vary with different stakeholders and audiences.

  1. Be clear about what you can and cannot provide

In a fast-moving crisis, avoid speculation about unknowns. You do not have to know everything and could offer to find the information and get back to the stakeholder. Avoiding rushed statements minimizes the risk of having to retract or amend inaccurate information later.

  1. Demonstrate that corrective action is being taken

It is important to demonstrate that significant remedial corrective steps are being taken to restore trust and confidence in the organisation. These actions could include strengthening internal controls and processes, in addition to providing additional training for employees.