Why You Need a Communication Plan for Cyber Attacks
January 6, 2025
Management of cybersecurity risks is an enterprise-level issue, and relegating your cyber-attack response to your IT department is insufficient. The risks posed by cyber-attacks are far-reaching and include legal, reputational, and financial losses. To manage these risks and prepare for a worst-case scenario, you need well-defined roles and responsibilities spread throughout your organization. One critical role is communication. Reaching out to stakeholders after a cyber-attack can be tricky, but the key to well-crafted communications is planning. In a recent memo, Mayer Brown offers tips on how to be ready for external communications after a cyber-attack, stating:
“Delays in communications may give regulators, clients, and the public the impression that the organization is ill-prepared for a crisis, is not taking the issue seriously, and cannot comply with applicable regulations, particularly those involving public disclosure or operational resilience under SEC, NYDFS, and OCC rules. Before an incident:
Assemble a clearly defined team of “first responders” who have authority to work with outside counsel and other advisors to serve as the voice of the institution, coordinating and approving communications.
Ensure that all employees understand that during an incident only approved communications should be shared outside the company.
Prepare alternative communications channels in case of technical outages.”
Know which public disclosure laws your organization is subject to and be prepared to comply in a timely manner. Scrambling to put together a crisis team after an attack has already happened will take critical resources and time, so planning ahead is the best move. Mayer Brown also suggests rehearsing your plan under various scenarios so you can stress-test your policies before a cyber-attack hits.