A recent edition of the Wall Street Journal featured a thought-provoking story about hacking disclosures that should serve as a wake-up call for publicly traded companies and their communications C-suite. While the Securities and Exchange Commission (SEC) does not currently require such disclosures, it is simply a matter of time before it acts. So, prepare now and don’t wait to become the next poster child for poor governance around breach disclosure, à la Yahoo.
The Problem: Despite the glaring example of Target, since 2010 just 95 of the nation’s roughly 9,000 publicly traded companies have informed the SEC of a data breach, according to an analysis of their filings by Audit Analytics. Yet the number of breaches across all U.S. businesses totaled more than 2,600 during the same period, per the Privacy Rights Clearinghouse. The reason many data breaches aren’t reported to the SEC is that the damage isn’t significant enough to influence an investor’s stock purchase decision. But while a perceived lack of “material damage” may be a reason NOT to disclose, there is a greater and more compelling reason TO disclose: potential and probable damage to the company’s reputation.
As a corporate communicator who has handled dozens of crises, I find not disclosing hacks a disturbing practice, because the company runs the real risk of being found out (perhaps by the very predators who hacked the business in the first place), in which case it looks like it has tried to manufacture a cover-up – a cardinal sin in crisis communications. In this day of public mistrust of big business, corporate America, and the federal government, I believe that the industry is ripe for the next big Target. Don’t be that company.
The Opportunity: I am certainly not recommending that every breach be disclosed; but I am suggesting that the C-suite convene formal conversations about when, how, and to whom cyber security issues should be communicated. One would think that is currently happening, but in my own experience working with a variety of highly sophisticated and well-run companies, I am increasingly aware that while hacking incidents are taking place, there is scant process around how to manage them beyond making them go away without letting word get out.
Airfoil Guidance: Cyber crises are very different from traditional crises and the reputational and revenue risk associated with them is potentially far more damaging to a company for three reasons:
1. Compared to conventional crises that often present a physical threat to people and/or property, a data breach rarely poses direct physical harm, but it can lead to severe financial consequences. While the business may be the VICTIM of a cybercrime, it frequently is perceived as a PERPETRATOR of harm for failing to sufficiently defend against cyber intrusion.
2. With a traditional crisis, the communications team can take immediate action. With cyber security crises, communications must be issued in response to the intrusion, and in fact the action that caused the crisis has likely already been completed, with resolution months away.
3. In a typical situation, since the Tylenol crisis of 1982, communicators prepare messaging for a small group of people, perhaps the media spokesperson, a backup person, and other internal leaders who will be communicating with regulators and customers. In a traditional crisis, impact is easier to define both geographically and by audience. With a cyber crisis, impact is typically far and wide, given the reach and interconnectedness of technology. So, messaging and communication need to reach every corner of the company. For example, if a retailer suffers a data breach, checkout clerks may need to be equipped with messaging. Offhand, unprepared remarks from employees can put the company at even greater risk.
“The decision about disclosing or not disclosing often has to be made before all the facts are in. The scope of the breach usually isn’t immediately known. The potential impact of the information on customers or clients isn’t usually clear. Often, it takes time to determine what information has been stolen. Crisis managers need to ask questions about how bad could it get, how long will it take to get the information and what is the cost of not disclosing. If the decision is made to disclose, careful framing of the message in a way that recognizes the uncertainty inherent in these circumstances is imperative,” said Matthew Seeger, Ph.D., Dean of The College of Fine, Performing and Communication Arts at Wayne State University, crisis expert and author or co-author of six books on crisis and risk communication.
Your CTA: In a recently published Airfoil eGuide, “Seven Ways Cyber Threats Should Turn Your Crisis Communications Plan on its Head,” I provide practical guidance for how crisis and corporate communicators, especially those who head publicly listed companies, can counsel their clients and stakeholders to prepare for the day when hack disclosure will no longer be optional. At a minimum, and short of crafting new policy, I encourage companies to at least put in place protocols for evaluating, assessing and, yes, communicating about cyber security intrusions.