Speaking on Cyber: Communications planning before a cyber breach

Posted by
Anne Marie Quinn

October is Cybersecurity Awareness Month, and while most companies are well prepared for the financial, legal and technical implications of a cyber breach, many continue to overlook the critical importance of developing a robust communications strategy to guide them in the early hours and days after a breach. This is especially true at the outset, when every word uttered about the incident could have a dramatic, lasting impact on a brand’s reputation.    

Getting your business back up and running after an attack is crucial, of course, but how you communicate about a cyber incident - when, to whom and what you say - also needs full consideration before, during and after a breach.  

In part one of our Speaking on Cyber series for Cyber Security Awareness Month this October, we sit down with Anne Marie Quinn, Senior Vice President & Partner at FHR, to learn why all businesses should have a cyber communications plan ready in advance of a data breach. Anne Marie specializes in issues and stakeholder management, and over the years she has helped a wide range of clients both prepare for and respond to cyber incidents of all shapes and forms.

Key takeaways - planning before a cyber breach

  • Having a cyber comms plan is crucial to safeguarding your reputation in a breach
  • Testing your plan with a cross-functional team is as important as having one in place
  • Mapping your stakeholders across the organization will make a huge impact on your breach response
  • Determining communications roles and responsibilities well in advance will help you avoid tripping over one another once you’re in crisis

Speaking on Cyber: Q&A with Anne Marie Quinn

Why is having a cyber crisis communications plan so important?

Businesses need a road map. A data breach is unlike any other crisis in that you are often in the position of not knowing very much in the early days: it can be weeks before you have any details about the breadth of the incident and whether or not data was accessed or exfiltrated. So, while your legal, IT and forensics teams are focused on determining the extent of what happened, you need a communications plan that guides you in what to say to the stakeholders that need to hear from you.

Your comms team has a crucial role to play in responding to both internal and external questions about what has happened and when it will be resolved - they need that roadmap in place before anything happens so that they can hit the ground running.

What are some of the key elements of an effective cyber crisis comms plan?

A good plan should outline who is responsible for communications and spell out everyone’s roles on the team. It should also make clear the approvals process for making any comments - internally or externally - about the breach. The plan should include draft content - key messages or talking points, a Q&A and a playbook for the breach scenarios that are keeping you up at night. The purpose of all this is to give some thought ahead of time to what you want to say in different scenarios - the tone you want to strike and the overarching message you want to convey about how your company is dealing with the breach.

Your plan should also have a robust stakeholder list that identifies who needs to be communicated with, how often, and who owns the relationship. Often, communicating with stakeholders is the last thing companies think of, and this can create a lot of additional stress and panic during a breach.  

What advice would you give on mapping out stakeholders?

Companies should think broadly about their list of stakeholders and map them in advance. Consider the worst-case scenario - say you’ve been hit by ransomware, your systems are locked down and a ransom demand has been made. Who will need to hear from you? Work with a cross-functional team to identify the relevant stakeholders across the organization. Talk to your executive team, government relations, sales and marketing, supply chain, your finance team and, of course, your communications team. Finally, don’t forget the importance of internal communications - your own people can help you communicate, but in the absence of getting information from you, they can also speculate in unhelpful ways.

How else can companies prepare to communicate in a cyber breach?

Businesses need to test their communications plan by simulating a breach scenario. There is often confusion about who communicates what in an actual breach, so you need to pressure test your plan with a cross-functional team well in advance of any incident. Take one of the scenarios in your playbook, the one that keeps you up the most at night, and have your team walk through a simulation, so you're not tripping over one another to communicate once the crisis hits.

How can businesses get started on developing a cyber comms plan?

Look for a partner that has deep experience in dealing with the communications elements of responding to a cyber incident. If you haven’t suffered a breach before, a cyber incident is unlike any other crisis. For this reason, you may need an external resource who has seen all the different iterations of communicating about a cyber breach and brings that accumulated knowledge to the table. The stakeholder work, how the government will respond, the Privacy Commissioner reactions - an external firm will have a big picture on all of this. Secondly, it will serve as an extension of your team when a breach hits, providing trusted guidance at all hours, around the clock, when effective communication is most critical to safeguarding your brand’s reputation.  

In the next installment of our Speaking on Cyber series, our Senior Vice President & Partner Charles Muggeridge will take you through the communications actions you need to take during a breach, so be sure to check back on the blog next week.  

For more information on navigating a breach, visit the Canadian Centre for Cyber Security. To protect your organization from unpredictable threats and cover your workforce devices and IoT, SaaS and email, consider deploying FHR client Darktrace’s self-learning cyber AI. To make sure your team is cyber security aware, train your employees using FHR client Terranova Security’s people-centric security awareness training.

Anne Marie Quinn
Senior Vice President & Partner
Drawing on an extensive background in government, politics, public affairs and issues management, Anne Marie provides counsel across a variety of sectors, including financial services, real estate development, food manufacturing, information technology and municipal government. She excels at helping clients navigate the complex world of public policy and government in ways that build relationships and get results.