If a little knowledge is a dangerous thing, when it comes to cybersecurity, any knowledge is subject to debate.
Consider the recent troubles of Equifax, which reported a massive breach and later faced allegations that several top executives had sold company stock before the public was alerted. The board later cleared the officers, but not before the outgoing CEO was brought before Congress to answer for it.
“That’s the kind of stuff that bites you,” said Kevin Elliott, US Risk + Crisis Communication practice director at Hill+Knowlton Strategies.
That’s why “Investor Relations” (IR) walks a fine line between protecting consumers and shareholders, fulfilling regulatory requirements, and possibly giving information to bad actors. The remit is becoming increasingly fraught, according to experts. Overlap between stakeholder groups, the varying privacy and security requirements in different jurisdictions, and, of course, the issue of cost in belt-tightening times make the job of planning and executing around cybersecurity increasingly complicated.
“All of the common ways that we have been thinking about crisis communication have failed in the wake of these big data breaches,” said John Kindervag, field CTO at Palo Alto Networks, in an interview. “The old way to dealing with things has turned out to be an embarrassment for the companies that have been breached. Their communication is so ham-handed that it just makes the situation worse.”
Plan in advance
Cybersecurity and crisis communications professionals agree that pre-planning is essential. “You can’t wait for the bell to ring,” said Elliott. “You have to have a plan in advance, and it has to be multidimensional in terms of drawing from all parts of the business.”
Plans have to take into account that social media now distributes information in real time across all stakeholder groups, including employees, customers, and shareholders. Kindervag noted that he’s seen situations in which customers noticed something was wrong and were posting about it on social media long before the company itself knew they were breached.
“You should be prepared for it. You should be doing communications exercises,” said Kindervag. “It’s way too late once you’ve found out you’ve had a breach. It’s way too late to do anything.”
Plans should include having an on-call forensics investigation service on retainer, as well as anticipating situations with both internal and external legal counsel and PR firms. The plans should have a commitment from the highest levels of the organization to be much more transparent with all stakeholders—and not just shareholders—than we’re seeing today, according to Kindervag.
IR has to work closely with legal to avoid liability while also keeping up with necessary disclosure, including reporting requirements that vary from state to state. It also needs to work with IT to communicate the fine points of how the breach happened and how it is being addressed so it won’t happen again. This means three groups that don’t normally communicate on a regular basis have to do so, explained Elliott.
The Ponemon Institute’s annual survey of data breach costs found spending on communications as a part of a cybersecurity plan has been minimal, barely registering over the 12 years the institute has benchmarked. In 2017, spending on public relations was only 1 percent of the cost incurred from an average breach.
“You need a more modern response, and we haven’t figured it out yet,” said Kindervag.
Word gets out
Elliott said his company recently handled communications for a shoe manufacturer that had a data breach that did not trigger a regulatory obligation to make a report. A contingent within management wanted to let it go, but others argued that once the people affected were notified, word would get out anyway.
“Social media makes that likely today,” said Elliott. “You want to tell people the whole truth, even though it will be a blemish.”
Indeed, transparency is the one commitment all experts agree on. Keeping a lid on bad news—even if regulations allow it—does not work. Companies need to make official announcements and state what they’re doing in response right away.
“As they say, bad news does not age well,” noted Lawrence Chin, security market architect at Palo Alto Networks. “Uber tried to sweep a breach under the rug and subsequently had to deal with even more fallout. Attempts to cover up a breach will be additional fuel for any potential shareholder or class-action lawsuits, and [bring on] even more regulatory scrutiny.”
Kindervag noted one recent breach for which the company’s CEO went before Congress and incorrectly blamed a breach on a failure to install a patch, when any IT professional could tell that information was incorrect. Ducking responsibility or passing the buck won’t work either, Kindervag warned.
“There has to be more transparency,” he continued. “You have to say: ‘Hey, man, we screwed up, and we’re trying to figure it out. We’re going to do everything we can to solve this problem.’ But you have to accept responsibility without any caveats, because it was your job to protect that data.”
Earn their trust
The 2017 Edelman Trust Barometer found that 93 percent of investors say keeping shareholders consistently well-informed is necessary to earn their trust, and nearly all say they trust companies that have a clear strategy more than those that do not. And for large institutional investors, trust beats performance: 94 percent of respondents say trustworthy companies deserve larger premiums than those considered untrustworthy. “My trust in the company” is the top driver of investment decisions, mentioned by 82 percent of investors, followed by ethical standards (76%), current valuation versus peers (75%), product R&D/innovation (74%), and historical financial performance (70%).
Companies should beware of segmenting shareholders; their message must be consistent across all stakeholder groups, said Elliott. He noted that, in many companies, employees are shareholders as well, so any internal communication must match investor information. It wouldn’t do for an employee to get one communication from HR regarding his 401(k) and a different one from his supervisor.
The communications plan has to establish one central source of information as the single source of trust. Having a consistent message is a best practice, anyway, said Elliott.
“Data breaches are really complex in terms of how the communication flows and how the process moves forward,” he said. “One of the greatest challenges to us is being really, really consistent with the way we’re communicating.”