What To Say to Your Stakeholders When You’ve Been Hacked (Hint: Don’t Say ‘Hacked’)
July 29, 2022
Having a comms strategy before a cyber attack occurs can help project confidence when the worst happens. Here, FTI Cybersecurity & Data Privacy Communications expert Jamie Singer looks at keys to message discipline.
Crisis communications is always a stakeholder juggling act. When it involves a cybersecurity event, it can feel like there are a million balls in the air.
As cyber incidents and threats continue to rise and evolve, so too does the pressure facing executive leadership and corporate comms teams.[1] The demand for strategic responses across a cyber event’s life cycle that both mitigate reputational damage and keep stakeholders informed can be daunting.
“The goal is to communicate consistent messaging while balancing a range of perspectives across employee, customer and investor relations,” says Jamie Singer, Managing Director in FTI’s Cybersecurity & Data Privacy Communications group. Singer, who joined FTI Consulting in May of this year, has counseled Fortune 500 companies through high-profile cybersecurity crises for more than a decade. The FTI Journal talked with Singer recently to get her take on how companies can strengthen their cybersecurity messaging and preparedness in today’s environment.
FTIJ: There’s a lot written about cybersecurity communications these days. In your opinion, what aspect of that deserves more attention?
Singer: A large part of what I see is the demand for cybersecurity incident response communications counsel: A client is hit with ransomware and they need our help to determine what to say, when to say it, to whom to say it and how often to communicate. Having those answers is essential to successful stakeholder management. But equally important is establishing a plan before a business ever gets to that point.
Prepared companies project confidence in moments of crisis. They have clarity and consistency of message. For instance, when companies are faced with a cybersecurity issue, they often ask, “What should we call it? An outage? A cybersecurity incident? A ransomware attack?” There are pros and cons to each of these responses. If you're fully transparent very early on about a ransomware attack, for instance, people might be alarmed and press, “Did you pay the ransom? And if so, why?” These are tricky questions to respond to when investigations are just kicking off. On the flip side, if your systems are down for a week due to ransomware and you continue to call the event an “outage,” people will be skeptical, and you risk eroding trust.
That’s why it’s important for businesses to have cybersecurity communication discussions before an issue arises. By having executive-level discussions early and defining everything from your terminology to your transparency or risk tolerance, businesses ensure that their communications are timely, clear and consistent when it matters most.
FTIJ: Are there proactive, outside-the-box tactics that more businesses should embrace?
Singer: A couple of things: First, when these issues occur, it's important to be prepared to communicate about the rigorous security systems you had in place. It’s easier to project confidence when you can say, “We have multifactor authentication in place. We conduct end-point monitoring. Even despite our best efforts, this incident happened and here's how we're going to further enhance security moving forward.” Companies can gather that compilation of proof points on the front end as part of their communications playbook.
Another important proactive strategy is to build a cross-functional messaging and communications response team. Crisis communications is a stakeholder juggling act. The goal is to communicate consistent messaging while balancing a range of perspectives across employee, customer and investor relations. Think through those different stakeholders and who within your organization touches each to ensure that your message resonates with everyone. Along those same lines, businesses can consider the idea of a tool kit for issues management.[2] The public environment is such that issues are fractured into multiple, sometimes competing perspectives. Having an internal team composed of various viewpoints, roles and regions is essential to communicating with a high degree of cultural literacy.
At the same time, the team reviewing messaging also needs to be nimble so organizations can quickly communicate information in a rapidly evolving cybersecurity crisis. Situations still arise where businesses are slow to respond because they require 20 to 30 people within the organization to review a holding statement or an urgent customer communication. Streamline your messaging review and approval process and team on the front end before you have a major issue.
FTIJ: Let’s fast-forward in time to the moments after a breach, when businesses must respond to a variety of stakeholders. That’s probably when you get calls in the middle of the night. What do you tell your clients at that time?
Singer: Message discipline is imperative during a cybersecurity crisis for minimizing not only reputational risk, but also legal risk and regulatory risk. A key tool to support message discipline is a “communications playbook.” That playbook is designed to house all the different messaging materials in one place so you can say, “Here is our media messaging, customer messaging, employee messaging, investor messaging, elected officials messaging,” and it’s all consistent.
Then, when you’re at the point of communicating, to the extent possible, businesses can make messaging action oriented. Stakeholders want to dive into the details of what happened, and the facts are often fuzzy early on. So your immediate goal is to try to direct stakeholders’ attention to what the company is doing, the action steps we're taking: whether we've notified law enforcement; how we’re shoring up our systems; the third parties we've brought in to investigate, remediate and recover if necessary.
One way to think about the approach is “demonstrating a bias toward action.” That’s how, against a backdrop of fluid facts that you may not be able to control, you can focus messaging on what you as an organization can control. We all know that actions speak louder than words. So having those actions embedded into your words is critical.
To that same goal, don’t communicate fluff and don’t overcommunicate. Frequent, consistent communication is important to reassure stakeholders, but if you don't have anything new to say, don’t say it. Ultimately, you must let the facts and the investigation efforts guide the messaging.
1: Spadafora, Anthony. “Cyberattacks on businesses saw a huge rise in 2021.” TechRadar.com. Jan. 10, 2022. https://www.techradar.com/news/cyberattacks-on-businesses-saw-a-huge-rise-in-2021.
2: Fritz, Cory, and John Whitcomb. “The new issues management tool kit: how companies are rethinking strategic advocacy.” FTI Journal.com. May 17, 2022. https://www.fticonsulting.com/insights/fti-journal/new-issues-management-tool-kit-companies-rethinking-strategic-advocacy.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.