5 Steps to Bridge the Reputation-Reality Gap During a Cyber Incident
17 February 2023 05:20
Eli Oshorov, Manager Communications and Security Awareness, elevenM, and Alison Cripps, Legal Writer for Practical Guidance, explain.
As 2022 cyber events have shown us, few crises have the potential to impact an organisation’s reputation as negatively as a cyber incident. When not handled correctly, the damage to an organisation’s reputation from a cyber event can be severe and long lasting.
A cyber incident that results in the theft or loss of customer personal information can irrevocably undermine trust in the organisation. This may erode market share, undermine revenue, and downgrade an organisation’s market cap. It may also result in the organisation facing lawsuits and serious regulatory repercussions.
In January 2023, Legal Writer, Alison Cripps spoke to Eli Oshorov, Manager Communications and Security Awareness, elevenM, to gain insight into what legal professionals should be considering from a communications perspective when advising Australian clients on how to mitigate and manage their reputational risk following a cyber attack.
All organisations can expect some degree of reputational fallout from a severe cyber incident, even with mature cyber security defences in place. No organisation is impervious to a highly sophisticated and determined threat actor. Still, following a cyber incident, Eli advises that your client’s reputation will often be shaped less by reality and more by public perception.
In other words, a substantial reputation-reality gap can open up.
It is in this context that an effective crisis communications strategy can limit the severity of any long-term reputational damage. By incorporating the following five elements into an organisation’s communications strategy, it will be well-positioned to protect its reputation during a cyber incident.
1. Only Disclose Verified Information During a Cyber Incident
In Eli’s experience, faced with a severe cyber incident, organisations and their lawyers will be tempted to control the narrative. This may result in premature public disclosure of unverified information in an attempt to quash online rumours or limit media speculation. No doubt, legal and communications teams are also likely to feel pressure to urgently get in front of a rapidly evolving news story.
But if information later needs revising as it turns out to be inaccurate or incomplete, public trust in the organisation will be eroded. A perception will emerge that the management is either seeking to hide the full extent of the incident, spin the story in a self-serving way, or lacks a proper understanding of the incident.
Eli advises that organisations should be upfront and honest in all communications about what is verifiably known, and what is not yet known. A cyber incident is a moving target. Information comes to light in a piecemeal way. It may take days or weeks to know the full extent of a breach. While the public will inevitably demand instant answers, it is important to only disclose information once verified.
2. Do not play victim
As we all know, an organisation that suffers a serious cyber incident is usually a victim of criminal activity. However, despite this fact, the public will largely perceive such organisations as villains rather than victims, having fallen short in their information security.
Whether such accusations are justified or not, playing the victim will likely exacerbate criticism. As such, the primary focus in communications should be recognition of your client’s duty to protect individuals’ personal information. It should seek to empathise with innocent third parties, especially customers facing harm as a result of their personal information being compromised. Your client should demonstrate that it does not consider itself a passive victim, despite the attack, by taking concrete actions to redress the situation.
Eli recommends that organisations should develop playbooks that articulate communications principles that can guide responses to a cyber crisis and can help prevent mistakes such as claiming victim status.
3. Adopt a harm minimization strategy during a cyber incident
When an individual’s private information is compromised, there is a justifiable expectation that the organisation entrusted with their data will take steps to minimise any harm they potentially face.
In Eli’s experience, organisations that fail in this regard will be perceived as not acting in the best interests of impacted individuals, which will amplify the anger and criticism from customers and media, and lead to even more significant reputational damage.
Eli advises that organisations should therefore provide clear guidance to impacted parties on how they can minimise potential harm. This can include guidance about not clicking on links in emails or SMS messages, changing passwords, implementing Multi-Factor Authentication, and providing free access to credit monitoring services.
Whilst none of these measures reverses the situation, they can help minimise the harm to impacted individuals.
In advance of any cyber crisis, Eli recommends that organisations establish a suite of measures that can be announced during a cyber incident to support affected people (such as credit monitoring services).
4. Select a knowledgeable spokesperson for the cyber incident
Faced with a severe cyber incident, organisations should rightly want to demonstrate publicly that they are taking the cyber crisis seriously.
Often, the CEO will front the media to address public concerns, signalling that the highest echelons of the organisation are taking ownership of the incident and are personally involved in addressing its fallout.
Eli advises that this is the right approach, but also warns that it has its limitations.
If the CEO is not sufficiently versed in cyber security matters, they may deliver incorrect, incomplete or inaccurate information, which will result in further reputational damage. Cyber incidents are often covered by technology reporters with deep domain expertise. Any errors or incorrect terminology will immediately be seized upon, undermining confidence in the leadership.
In many cases, it may be beneficial for the CEO to front the media alongside a senior subject matter expert from the organisation, such as the CISO, CIO or CTO. Technical queries from technology or security reporters should be handled by those subject matter experts.
This will help instil confidence in the organisation’s capacity to contain the incident.
5. Actively engage external stakeholders
In Eli’s experience, the public often perceives independent external voices to the organisation as more trustworthy and impartial than official spokespeople representing an organisation.
In the context of a serious cyber incident, it is worth advising clients to identify and engage external specialists, including communications specialists, who can corroborate the organisation’s messaging. This may also include engaging respected journalists with deep domain expertise. Organisations will need to consider bringing such individuals into their confidence, which may include demonstrating to them the precise measures being taken to contain the incident and providing evidence of the ways harm to individuals is being minimised.
It is also prudent to actively engage representatives from government or regulators. Their public comments carry a great deal of weight and will have a significant impact on public perceptions of the incident and your client. Your client may wish to actively engage them and demonstrate the steps being taken to remedy the situation. This will help pre-empt any potentially critical commentary.
By following these five steps, your client can begin bridging the reputation-reality gap that exists around cyber incidents, thereby reducing the risk of long-term reputational damage.
The LexisNexis Practical Guidance has recently updated its Cyber module with the most up-to-date content, tools and expertise that help firms deliver the best advice to their clients or for organisations with in-house legal teams to advise their teams.