Emma Goulding
By Emma Goulding on December 20, 2023

Prepare Your PR Strategy for the SEC Cyber Incident Disclosure Rule

No one thinks it will happen to them, but data breaches and hacks are all too common. And now that the SEC’s new disclosure rule, which requires publicly traded companies to disclose “material” cybersecurity incidents to the agency, went into effect on December 18th, it’s time to make sure your business is prepared not only for a breach, but for everything that comes with reporting it. Companies governed by this rule are now required to disclose a cyber incident within four days “after the company determines the incident to be material,” according to Erik Gerding, director of the division of corporation finance at the SEC.

This is a short timeline and there is a lot to get in order within the 4-day window – a lot of ducks to get in a row with legal, compliance, the board, and the company’s communications team. In the kerfuffle of it all, it is imperative that the PR team is not left behind and has a main seat at the table to help streamline communications confidently and transparently… and get ahead of the news cycle to come.

Often with cybersecurity incidents and data breaches the situation isn’t what it seems to be at first. It is the norm for more data to surface about attacks days or sometimes weeks after first popping up, which makes it particularly challenging when approaching crisis comms around a breach. This new rule has changed the game for disclosures, requiring a tightened-up strategy and a strong, well-prepared approach to crisis comms.

When it comes to crunch time (crisis time), you don’t want to be left scrambling. 

The moment a cyber crisis occurs is not the time to solidify (or build) your PR strategy. With the SEC rules going into effect, now is the time to prepare for how the comms team will support transparency both internally and externally. Crises are inherently stressful, but with the right preparation in place, the chaos of it all can be lessened. Your plan should include understanding the stakeholders ahead of time (who needs to be communicated with and in what order), brushing up on cybersecurity lingo and what is happening in the industry as companies are forced to disclose, and more. 

Here are some tips to help communication and PR teams prepare ahead of a cybersecurity incident – because you never know when it is going to happen to you. 

  • Store templated drafts of key communication tools: Kick off drafts of critical communication documents, like press releases, FAQs, media statements, and internal communication memos that hit on core tenets of your crisis strategy and emphasize key elements of how your business is showing up for its customers. These draft templates will help to cut down the time spent on processes, allowing for more room to make your communications clear and concise while falling in line with the SEC requirements. Depending on the complexity of the incident and the teams involved in the reporting, it is not uncommon that communication teams take – or get put in – a backseat position to legal, compliance, and security teams. Being prepared with a strategy to take control of the communications will allow the security, legal, and compliance teams to focus on the SEC disclosure process. PR teams are extremely important in the process, deserve a seat at the table, and should be taking the lead on all communications.

  • Make sure you have a media-savvy team at the ready (like the #HWCyberSquad): Before this SEC rule, a lot of cybersecurity incidents and breaches flew under the radar – and unless truly catastrophic or made public knowledge for another reason, reporters would really have to dig in to find details on who was breached. With the new disclosure rule in place, it will be much easier for reporters to find who has been breached and the fallout of cyber incidents. When faced with a crisis, it is about getting ahead of it, including with the media. You’ll want a connected and savvy team of media relations experts to disseminate or respond on behalf of your company to reporter inquiries – and trust me, you’ll get them. When the story breaks, you should plan to have your media team track all coverage for inclusion of your company’s statement and proactively share the statement if not included to help control the narrative and messaging around the incident.
  • Don’t think this won’t happen to you: Breaches happen every day and are inevitable – look at Clorox or MGM – it can happen to anyone. Public or private doesn’t matter to hackers when picking a target. Even if your company does not currently sit under the umbrella of those required to disclose, it is good practice to update your crisis communications plans ahead of your company getting breached. 

For more tips on building thought leadership ahead of time, crisis plan preparedness, and more, check out this article by Highwire's EVP and cybersecurity lead Christine Elswick. And, if you'd like to see how your crisis preparedness stacks up, take our crisis communications assessment.

Highwire PR has a unique set of skills in crisis communications, media relations, and most importantly in the scenario of a cybersecurity incident, the deep cyber knowledge to help your company get ahead of your PR strategy. Interested in getting your ducks in a row for the SEC rule or curious about Highwire’s other offerings? Let’s chat!
