Policy Monitor

How to protect your organisation from reputation damage following a cyberattack

Cyber security is often left in the hands of the IT department but the risks are not just systems and data related. Cyberattacks can also cause huge reputational damage, especially when they are not handled professionally, proportionately and in a timely fashion.

“To lose one parent, Mr Worthing, may be regarded as a misfortune; to lose both looks like carelessness.” – Oscar Wilde, The Importance of Being Earnest.

Given the amount of information and guidance available to organisations, as well as the weight of governance for regulated businesses, any organisation that suffers a cyberattack has difficulty avoiding the charge of negligence, and an impact on its reputation, resulting in:

  1. Loss of customer trust
  2. Negative media coverage
  3. Impact on stock prices and financial loss
  4. Loss of business opportunities
  5. Impact on employee morale and recruitment.

Be prepared ahead of time

Reputation is critical to any business, and particularly where the impact of a cyber security breach can have consequences and immediate impact on customers if their data is exploited.

To maintain its reputation an organisation needs to demonstrate it has done all that is reasonably possible to minimise the risk of attack. It must also show that measures have been taken to minimise the impact and optimise its ability to restore service. How you deal with an incident might even enhance a reputation if you can be an exemplar.

When an incident like a data breach or ransomware attack occurs, an unprepared organisation will typically be paralysed or in turmoil, its officers besieged by different stakeholders and media wanting information immediately and continuously. There will be little time to think, so plans must already be in place and practised, ready to action but modifiable to meet the specific situation. Any instinct to ignore the issue, keep quiet or bend the truth should be quickly dismissed.

There is very good information available to help an organisation manage incidents; one example is the NCSC guidance:

https://www.ncsc.gov.uk/collection/10-steps/incident-management

Be aware of evolving regulatory responsibilities

Legislation may well force your hand. In many countries and certain industries there are specific regulatory deadlines on when an incident must be reported. In the UK the ICO (Information Commissioner’s Office) has details of your reporting responsibilities. Failure to meet incident reporting rules will just add to the reputational damage from any cyberattacks and may incur penalties.

Since May 2018, recognising the potential impact on critical infrastructure and the working of the single market, EU member states have had to adopt the NIS Directive (Network and Information Systems Directive) to provide common levels of cyber security and incident reporting. The UK applied the NIS Directive principles in legislation introduced in the same timeframe, despite preparing to leave the EU.

New legislation and responsibilities

Regularly monitoring information from the ICO is especially important as the laws around resilience of supply chains come into force through the introduction of NIS2 and DORA regulations country by country.

For critical industries in the EU, including transport, banking, healthcare and energy, NIS2 extends incident reporting requirements, including the content, timing (within 24 hours of discovery), and the process for reporting. Within 72 hours of becoming aware of the incident, organisations should provide an incident assessment, followed by a final report within one month. This also applies to providers outside the EU which deliver services to Operators of Essential Services (OES) within the single market – so there is a potential impact for UK businesses.

The UK government is also looking at enhancing its own requirements which will likely diverge from Europe’s NIS2. So certain UK businesses will be required to serve both masters – so much for reducing red tape. The mandatory reporting deadline will leave no time to invent a response strategy to minimise reputational damage when an attack has been discovered and the relevant authorities informed.

The Digital Operational Resilience Act (DORA) is an EU regulation which will be applied in each member state from January 2025. Its aim is strengthening the security of the European financial supply chain, focusing on the IT security of banks, insurance companies and investment houses. DORA is more prescriptive around IT and cyber resilience than current UK regulations, so it is important to assess how you might be affected if you do business in the finance sector.

Create a realistic response policy

Preparation and planning prevent poor performance. The above references give a clear set of tasks to carry out to prepare response plans, identify your response team, which may well include external suppliers, and ensure that preparatory work is undertaken. Your information security policy should include actions to capture the information you need for your recovery plan, and put in place measures to detect when you are attacked so that you can respond.

https://www.ncsc.gov.uk/collection/incident-management/creating-incident-response-team

Perhaps, however, the most significant single element related to reputation is how you manage communications. Poor communications early on, when you do not yet understand the cause, the extent and the impact on stakeholders, can be a disaster. The situation might not be as bad as you first think, so reporting too early can raise unnecessary concerns.

Communication Plans

Practise incident management responses and prepare your communication plan, drafting internal and external communications. Then, after reflecting on the potential impact of these, modify them accordingly.

Define key messages, designate official spokespeople, and put in place controls to ensure consistency in the messaging across all channels.

Bear in mind that in the event of an incident you may not have access to some or all of your systems, so have printed copies of the plan on hand for all key players. Your email system may have been hacked and be unavailable or untrustworthy as a method of communication, so include workarounds in your plan. You may need to fall back on paper, phone and post!

In some instances, the right spokesperson may not be the head of the organisation. An expert voice may be needed at some points depending on the message and audience, so the CFO, CIO or a communications professional might be involved. Media training for all spokespeople is a very good idea to help ensure consistent messaging and prevent miscommunication.

Be honest, proactive and solution-focused

Be open and honest about what has happened. Attempting to hide or downplay the incident can lead to more severe reputational damage later. Acknowledge the breach, apologise for any inconvenience caused, and express your commitment to resolving the issue. It is especially important to notify any affected parties such as business partners, investors, customers and employees.

Ensure you have robust legal advice for serious incidents. Separating your obligations between criminal law and civil law and then obtaining legal advice on what you must disclose is vital to ensure you meet your legal obligations. Yet don’t say more than you need if it means creating unwarranted concern, unnecessary reputational damage and the risk of commercial suicide.

When scandals occur, it is generally not the incident itself that causes them. Rather, it is when the parties enter into a conspiracy to cover up.

If personal data or sensitive information has been compromised, promptly communicate with affected individuals and organisations about the breach and the steps you are taking to address it. Provide guidance on what actions they can take to protect themselves. Follow-up communications should outline the steps you are taking to rectify the situation and prevent future incidents. This could include enhanced cyber security measures, audits, or external security assessments.

Use all appropriate channels

If you have an internal and/or external Public Relations (PR) team, work closely with them to craft messaging that focuses on your commitment to security and customer well-being. Communications should always show that you take the incident seriously and are actively working to improve the situation. Acknowledge what you don’t yet know.

Monitor and utilise your official social media channels. You need to know what the general public, media and specific groups are saying about you. You may or may not choose to respond. Address concerns and questions, and provide updates on your progress.

Existing communication plans, marketing, advertising and events may well need amending or cancelling. For example, running an advertising campaign or providing a speaker at an event during an ongoing cyber security incident may, at best, be a waste of resources, and at worst, provide fuel to the fire. Learn from other organisations and incidents.

To discover more about how to protect your business when it comes to cyber security, visit our website for more hints and tips.

Nick Denning is the founder and CEO of Policy Monitor.

Further reading: