You’ve been hit by a cyber attack. What steps can you take to protect your reputation and value?

By Tim Field

It’s early in the morning, your mobile is ringing, and it’s the Head of IT. Your company is the victim of a cyber attack and all your systems have been shut down whilst your IT team assess the extent of the damage. In the meantime, you have no access to emails or contacts, and you are locked out of your file servers.

Do you know how you would communicate internally and externally and what you would say? Who’s responsible for talking to whom? Who will approve what you say and when you say it… but how will anyone approve anything if all systems are down?

With the frequency and sophistication of high-impact cyber attacks increasing at an alarming rate, questions such as these are demanding serious consideration from leadership teams in organisations of all sizes, from listed companies through to SMEs, charities and political parties.

One of the fastest growing forms of cyber attack is ransomware, which is evolving and escalating at an alarming rate. Ransomware is a specialised type of malware that encrypts your files, or limits your access to your data, unless a ransom is paid. In an increasing number of cases, even if the ransom is paid, the cyber criminals will release sensitive or valuable data into the public domain.

In October 2021 the Director of GCHQ, the UK’s cyber security service, warned it was seeing twice as many attacks on UK organisations as had been observed in 2020. Recent geopolitical events, such as the invasion of Ukraine, are predicted to further heighten the likelihood and severity of such attacks.

This increased frequency of cyber attacks risks a change in perceptions too. Once viewed purely as an act of terrorism in which the company was the victim, now they are increasingly viewed through a lens of blame – bad management, insufficient data protection or security mitigations. This isn’t just the perception of the public or the media, insurance companies are hardening their stance on cyber attack policies too, requiring companies to enact explicit processes or even technologies before they will provide coverage.

A risk, reputation and accountability study by Pentland Analytics in 2020 found a stark contrast in the positive or negative impact on shareholder value based on how a company responded to, and was seen to respond to, a crisis. Companies who respond well to a crisis go on to outperform investors’ expectations by 20% in the 250+ trading days after a crisis, whereas those who perform badly will underperform by 30%.

So what can you do?

PREPAREDNESS

Taking practical and technical steps is essential to reduce the likelihood of a cyber attack, but preparing the processes and critically the communications you need to deploy in the immediate aftermath, are also essential precautions. Questions to ask your business:

• Have you considered how you benchmark against international best practice for crisis communications?
• Have your people been trained in information security and how best to protect against a cyber attack?
• Have you simulated the wider impact of a cyber attack on your business above and beyond the essential technical measures you would need to deploy?

LEADERSHIP

Strong leadership with a visible and proactive CEO demonstrates that from the top downwards your company has concern for those affected and is committed to resolving the situation. Stakeholders are looking for reassurance: they want to know you’re taking the situation seriously at the highest levels of the business are taking responsibility for how you respond to and recover from the crisis. As business leaders, have you thought about:

• An action plan specifically tailored for response to a cyber attack
• What are your regulatory and compliance obligations?
• Do your employees know how best to identify the signs of a cyber attack and what to do in this situation?

COMMUNICATION

The effects of a cyber attack against your business could endure for weeks or more, but the time pressure will be immediate, and the impact could be felt for much longer – especially for a listed business. How you engage with your stakeholders from the outset will determine the impact on your reputation and the value of your business. Has your communications team considered:

• A specific cyber crisis communications plan?
• What crisis communications materials would you use at different stages for the various stakeholders affected?
• How will you communicate within your response team, internally with your employees and externally when you have no access to your systems?

Our team can help

Instinctif’s integrated approach brings together decades of capital markets, corporate communications and specialist crisis expertise to support your business in preparing to respond to and recover from a cyber attack.

Whether you need to create a full cyber response communications plan, to develop your stakeholder engagement activities or are seeking a review of your existing preparedness against best practice – we can tailor support and expertise to suit your tactical and strategic objectives. And if the worst does happen, we can guide you in navigating the challenges and protect your reputation.

In the last year our work has included supporting a listed North American company throughout an aggressive ransomware attack, developing cyber crisis communication materials for a FTSE250 food and drink manufacturer and many more preparedness and live response activities.

For more information and to discuss how Instinctif Partners can help you, contact Risk&Crisis@instinctif.com.