
PR News | Are you prepared for a cyber incident?


In a live discussion on cybersecurity hosted by O’Dwyer on LinkedIn with crisis communications experts John Lovallo and Max Marucci of Leidar and data privacy attorney Christian Lee of law firm Cooley LLP, the overarching theme was that companies need to get everything in order in advance of the inevitable crisis resulting from a data breach.

According to a study by Cybersecurity Ventures, a cyberattack occurred every 39 seconds in 2023. In 2022, it was every 44 seconds.

Gone are the days when the person hacking into your company’s data is sitting alone in the basement. More likely, a sophisticated entity is targeting you, Lovallo explained.

“Threat actors are organized companies that use tools like AI to carry out cyberattacks,” Lovallo said.

Here is a horrifying example of the nefarious use of AI. A May 16 Financial Times report detailed how British engineering firm Arup, which employs 18,000 people, was defrauded of $25 million when a deepfake version of a senior manager at the company ordered a fraudulent money transfer during a video conference.

You may not be aware that the Securities and Exchange Commission created Form 8-K in late 2023, which requires publicly traded companies to disclose material cybersecurity incidents within four business days.


This opened up a new avenue for hackers to extort and embarrass companies, according to Lee. He described how they contact the SEC directly with details of their latest breach, so that SEC officials are the first to contact the affected company.

Another, more banal but equally damaging trick is to set up a website to leak data, Lee explained.

Unlikely bedfellows

So how do a law firm and a crisis communications company like Leidar work together to help a client who has been the target of a cyberattack?

Lovallo described Cooley as a “quarterback” during a cybersecurity event.

Lee said a law firm is usually the first point of contact for a company that has been hacked, but then Cooley turns to communications experts like Leidar to handle outreach to groups like internal employees, affected customers and the press.

However, managing a cyber incident is very different from managing any other crisis, Marucci stressed. He explained that the urge to get ahead of things and be proactive must be tempered by the regulatory requirements that come with responding to a cyber incident, and by the fact that you may not have all the information you need at first.

“You have to find a balance between when you communicate and how you communicate information,” Marucci stressed.

Lee echoed Marucci’s sentiments, noting, “The point here is that what you say can be used against you in the future.”

In fact, the way you handle communications and respond in the event of a data breach of any kind is often more important than the incident itself, everyone agreed.

“Data breaches are so common that the media only discusses those that are large or poorly handled. The smartest thing any CMO or CCO can do is to engage outside experts who know how to communicate during an active incident so they don’t fall into the second category,” Marucci said.

Plan in peacetime

You need to plan your communications strategy in “peacetime,” Marucci stressed. He noted that it’s impossible to consider every possible scenario, but you can at least identify the audiences you need to speak to internally and externally.

An important point to consider is having access to your crisis communications plan in case you become locked out of your company’s systems, Lee noted.

Lovallo said Leidar is actively working with clients on cyber incident response apps to help executives respond effectively.

According to Lee, simulations are a good way to stress test a company. For example, you can simulate a reaction to the publication of confidential data on the dark web.

Lee described how the daughter of a senior executive was the first person contacted after a cyber incident involving one of his clients.

The goal is to create a plan that assigns specific monitoring activities and tasks to individuals and teams, Lee said.

An important element that every company should consider when it comes to data security is to articulate existing standards in marketing materials, Marucci explained.

For Marucci, there needs to be a balance between the sales language that marketing wants and what legal counsel thinks is appropriate. He urged companies to stay away from making definitive claims that could come back to haunt them later.

Marucci pointed out that companies must also be prepared for reputational damage from an incident involving a third-party provider, such as a file-sharing service.

“When faced with a cyber incident or other potential crisis situation, hope is not a strategy, it is preparation. The best time to prepare to respond to a cyber incident is before it happens. This includes having experienced legal and communications advisors as part of your team to guide you through the process and mitigate both legal and reputational risk,” Lovallo said.

Watch the full discussion on LinkedIn.

Contact John O’Dwyer at (email protected) if you would like to propose a topic or be a panelist, or are interested in sponsoring a LinkedIn Live event.