Cyber crisis, stakeholders and transparency


Open, transparent communication: that’s how cyberattack victims can avoid a reputation meltdown

Cybercrime is now a global business, with highly structured players and tactics so lucrative that damages are expected to cost the world $6 trillion annually by 2021. In the year of the pandemic, several negative records were reported in the number and frequency of cyberattacks, as well as in their extent and impact.

Over 500 attacks were reported in Italy in 2020, mostly featuring malware and ransomware, blackmail DDoS attacks, phishing and APT (Advanced Persistent Threat) campaigns. In the US, there were about 1 thousand data breaches, exposing the personal data of over 155.8 million individuals.

No doubt cybersecurity awareness is increasing, and stricter data protection regulation is pushing organisations to better protect their digital infrastructures. Despite significant investments (for instance in the medical and financial sectors, which are the most affected by data breaches), facing a cyber crisis is not such an improbable event.

Cyber crises – crises triggered by cyberattacks – have a specific trait. Unlike adverse events that are immediately visible, in a cyber crisis weeks, months, and even years can separate the attack from the moment it goes public. Take Yahoo, which suffered two major data breaches in 2013 and 2014 that were reported only in late 2016. Initially, about 1 billion user accounts were believed to have been affected; the company later confirmed that 3 billion user accounts were impacted – to date, this is the largest data breach on record.

In a cyber crisis, if the affected organisation does not communicate quickly, it leaves a vacuum that can seriously erode stakeholder confidence and damage corporate and brand reputation.

In the paper “Managing stakeholder communication during a cyber crisis”, Caroline Sapriel, founder and managing partner of CS&A International, underlines that stakeholder outrage can drive crises into reputation meltdowns. There are acknowledged virtuous examples of cyber crises where effective media and stakeholder relations helped mitigate reputational damage: Sapriel discusses Norsk Hydro, the Norwegian aluminium company that became the victim of a cyberattack in March 2019, and the massive attack against Twitter in July 2020, which impacted a number of high-profile accounts. But there are also many notable cases where the lack of transparency caused severe reputational harm, as well as considerable costs. Do Marriott hotels and Cathay Pacific ring a bell?

Clear, timely, transparent, and consistent communication is pivotal in any effective crisis management strategy, but it is absolutely critical in cyber crises, where the resolution of the issue might take time and the escalation might be quicker than expected.

Thorough crisis preparedness is recommended, including a specific vulnerability assessment, internal and external stakeholder mapping, worst-case scenario exercises, and training for Crisis Committee members and spokespeople. That’s the demanding but necessary way to go.