[BreachExchange] Is Your Company’s Crisis Communications Plan Prepared for Cybersecurity Incidents?

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 5 18:11:09 EDT 2017


A well-written and consistently updated crisis communication plan ensures
that a company has the infrastructure in place to respond to a range of
natural or man-made crises. While many companies have a crisis
communication plan in place, not all plans are equipped to handle
cybersecurity-related incidents. Below are six key elements to ensure that
your crisis communication plan is prepared to effectively handle
cybersecurity incidents.

1. The plan is comprehensible, short, and flexible.

One of the most common mistakes that a company can make when creating a
crisis communication plan is attempting to cover every “what if” situation
and making the document too complicated for an employee to comprehend.
Especially during times of crisis, making a plan overly complex can
paralyze the employee in charge and cause additional confusion. In certain
circumstances, this lack of action or unnecessary delay can make a company
susceptible to allegations of misconduct or negligence.

2. One individual should be designated as the spokesperson.

One individual should be designated as the primary spokesperson to
represent the company and answer media questions throughout the crisis.
Allowing one individual to be designated as a spokesperson ensures the
company is able to control its message and prevents the public and its
employees from receiving information that may be untrue or potentially
misleading. In addition, a company’s employees should be instructed to
refrain from making any comments until directed by the company. In order to
prevent rumors from spreading, the company may want to consider creating an
FAQ of pre-approved questions and answers once detailed information about
the breach has been gathered. This could be used on a public website, or to
respond to media or consumer inquiries about the cybersecurity incident.

3. A legal representative should be involved in the crisis communication.

A company’s in-house counsel or outside counsel should be involved in the
crisis communication process by discussing, reviewing, and approving all
external messages. Obtaining feedback from counsel reduces the risk that
confidential attorney-client information is inadvertently released, or that
misleading statements are inadvertently made about the incident. Releasing
confidential information and providing false or misleading statements may
damage the company’s chances of prevailing in potential litigation, and
injure the company’s reputation.

4. The plan provides proper and clear guidance to the public.

Many crisis communication plans take an obligatory, proactive approach to
notifying the public with a statement like the following: “The company is
aware of the crisis and is responding rapidly and responsibly.” While this
approach may be appropriate for an earthquake or an active shooter, it may
not be the right approach for a cybersecurity incident. Unlike crisis
situations where the details of an event are usually known and then
released in a matter of hours, data security incidents are often extremely
complex and accurate information about a breach may not be known for days
or even weeks.

Furthermore, a company may not want to issue a public statement prior to
understanding whether a breach actually occurred or the magnitude of the
breach. A premature public statement about an incident that turns out to be
false can have serious ramifications for the company’s data subjects. These
data subjects may be subjected to unnecessary worry, cost, and
inconvenience, or attempt to mitigate a harm that may never materialize or

5. The plan does not conflict with other corporate plans or policies.

A company’s communication plan for a cybersecurity event is typically used
in conjunction with an incident response plan. The crisis communication
plan must be reviewed and vetted against the company’s incident response
plan and with consideration for other policies to ensure that there are no
conflicts between policies. Any discrepancies or conflicts between these
policies may create delay, confusion, or inaction, and could have serious
legal and economic ramifications for both the company and the individuals
impacted by the security incident. Discrepancies and conflicts between
various plans may also make a company susceptible to allegations of

6. The plan is tested on a yearly basis.

An incident response plan should be tested on a yearly basis. During the
annual test, it is important not to neglect a company’s crisis
communication plan. Conducting a walkthrough or tabletop exercise will
allow a company to address any performance issues or policy gaps that may
arise during the testing process. Testing the policy also allows company
counsel to effectively train employees on how to handle a real crisis.