Losing data and trust: Why you need a cyber crisis communications plan

Cyber crises strike hard, fast and usually without warning, causing instant devastation.  

But beyond the initial impact there’s another danger lurking which can hurt you even more in the long run – reputational damage arising from poor communication. 

In recent years, we’ve seen large Australian corporates in fields such as communications hit by cyber breaches dig themselves into deeper crises by failing to effectively communicate to their customers and the wider public.  

Even now, several months later, the effects are still being felt, with appearances on lists ranking Australia’s least trusted brands.  

It’s proof positive that silence isn’t always golden.  

The necessity of avoiding a public relations disaster during a cyber incident is further laid bare in the recently released report Governing Through a Cyber Crisis, developed by the AICD in partnership with the Cyber Security Cooperative Research Centre (CSCRC). 

It explicitly highlights that the reputational damage arising from poor communications can be more damaging than the incident itself. 

The 62-page handbook for Australian directors also warns that boards and management should expect all public-facing statements to be provided to regulators and used in any subsequent litigation, including shareholder class actions.  

It even suggests it may be appropriate to brief an external media consultant or public relations firm to assist, depending upon the size of the organisation and the potential for reputational damage. 

Planning ahead 

Before it even gets to that point, though, there's one crucial factor to note: all businesses should have cyber crisis communications plans.

Why? Because no one these days is 100% immune from attack. And these plans go a long way towards helping with cyber preparedness. They are also increasingly a requirement for taking out cyber insurance.

Your plan should identify the members of your crisis communications team and their roles, including who has the authority to release communications materials. It should also include pre-prepared statements for common cyber scenarios, such as a leak of customer details, so that you have a ready-made response you can tweak, rather than starting from scratch.  

Respond swiftly 

When a cyber attack strikes, you need to be ready to respond quickly.  

There’s a public expectation that organisations will respond to serious cyber incidents swiftly. 

Any communication also needs to be accurate and clear.  

Your customers or clients will be relying on you to disseminate information about the impacts of the cyber incident – particularly how it impacts them. The last thing you want is for them to find out details from other sources, such as online news sites.   

Be wise with your words 

When communicating about a cyber incident, you need to ensure emails, media responses and any other communications are correct and not potentially misleading. 

As noted in Governing Through a Cyber Crisis, all public-facing statements and internal documents will be provided to regulators and could be used in any subsequent litigation, including shareholder class actions. 

Media articles and interviews can also be used in litigation, so be selective in what you say and how you say it. Also be quick to amend any information you discover is incorrect. 

Every action counts, and any response must be well-informed and considered. Otherwise, you risk even further damage to your brand.   

You also need to remember any public communications, including media responses, could influence the actions of the individual or group behind the malicious attack.   

Who is speaking?  

Not only does your company need to be wise with words during a cyber incident, but it also needs to choose the right person to say them. 

In most cases, this should be the CEO. When a cyber attack hits, customers and clients want to hear details from the top. Plus, if your CEO is not speaking, the media may start questioning why they are keeping quiet in the middle of a major crisis.

To this end, it’s critical your CEO and executives are well-versed in how to communicate with the media. Cyber incidents have serious consequences, so they’re likely to face serious, hard-hitting questions from reporters. They need to know how to handle them under pressure, so your cyber crisis communications planning should accommodate media training to ensure they are comfortable in making public statements.  

Do you need a cyber crisis communications plan, help navigating a cyber incident or media training for your executive team? Get in touch with us today to find out how we can help. 
