CIOREVIEW >> Critical Infrastructure Protection >>

What to Say and How to Say it when Systems are Down

Siobhan Gorman, Partner, Brunswick Group and Will Rasmussen, Director, Brunswick Group
Siobhan Gorman, Partner, Brunswick Group

Siobhan Gorman, Partner, Brunswick Group

The perils to company infrastructure from cyberattacks are well known. Maersk’s closing of cargo terminals and inability to take new orders following the Petya attack is one prominent example. Many remember the DDOS attacks that disrupted websites including Twitter, Netflix, and Airbnb.

As devastating as these attacks are to operations, they can be even more damaging to a company’s reputation if the public response isn’t handled well.

There’s a potentially even more tricky—and increasingly common—operational challenge beyond crippled infrastructure: what do say when you have to take your systems down not because of the cyberattack itself, but in order to get the attackers out and fix it.

These circumstances pose a significant risk to a company’s reputation, because the cyber incident immediately becomes public, and rarely does a company have answers to the most basic question: When will you be back up and running?

Reputational challenges include:

• What do you say to your customers and stakeholders when you have to go offline?
• How do you communicate with key stakeholders and the public about the unknown time your company or service will be offline?
• How do you manage the internal pressures to get back online for business reasons and the legitimate security concerns related to getting back online before everything is fixed?
• How do you handle the announcement that your system is back up?How do you assure your stakeholders it is safe to use your system?

  Tell customers what you’re doing to protect them and what they can do to protect themselves​  

Whether systems are taken down voluntarily to address an ongoing issue, or they are brought down by attackers, the best way to protect reputation is to focus communications on customer needs: Demonstrate that your commitment to customers is your highest priority.

Tell customers what you’re doing to protect them and what they can do to protect themselves. Avoid delving into details about the scope of the incident, because until a forensic investigation is complete, the data you have on the incident will continue to change—and if you’re discussing these details publicly you run the risk of appearing not to have a handle on the situation.

Increasingly, companies are judged more on their management of a cyber crisis than the incident itself, which puts a premium on planning now for what could happen later. Here are six steps you can take now to prepare yourself to communicate during an outage:

Have a back-up communications system tested and in place

Companies will depend on effective internal (and external) communications to coordinate a response. If the network is down, you will need an independent emergency communications system, and many companies don’t have one in place. Sixty-five percent of companies said they would only consider an emergency communications plan after a business-affecting event, and only 49 percent of companies deploy emergency communications software, according to Business Continuity Institute’s 2017 Emergency Communications Report.

Develop a dark site

Develop a response website with draft text that can be tailored to the specific outage and keep it offline and stored on a server separate from the company’s network. In an outage, you should be able to get it online if you need to communicate externally, even if your main systems are down. When systems are taken down, this site can help communicate with customers, partners, and other stakeholders. The dark site should include a holding statement and a set of FAQs, and should be updated as more information becomes available.

Plan operational response

If systems are down, you will need to find other ways to serve customers. Options include expanding call center capacity, keeping call centers open longer, and expanding branch or outlet hours. You may also need to compensate customers if the shutdown sets them back financially. Companies should think now about “trigger points” for these actions, so they appear well-planned and coordinated in a crisis situation. Will Rasmussen, Director, Brunswick Group

Prepare draft communications in advance

One of the toughest communications to write in a cyber crisis, especially one with operational impact, can be your initial statement. Many internal parties, like your legal, operational, and technical experts, will need to weigh in. It’s much easier to get that input in advance, without the pressure of crisis decision making.

You will face multiple challenges: unknown duration of the shutdown, tensions between security requirements and restoring operations quickly, and nervousness about using the system again once it is restored.

Communications in this difficult environment should:

• Lead with the reason for the shutdown (e.g., the importance of keeping customer data secure)
• Promise updates, but do not make any statements about the expected duration of the shutdown
• Avoid apportioning blame; customers’ main priority is understanding how the shutdown affects them, and what the company is doing to stop it.

Ensure key parts of the company know their roles in a crisis

A cyber crisis that shuts down all or part of your business is not time to decide who is quarterbacking the response. Ensure your crisis response team is designated in advance—and that each member of the team knows his or her role and has practiced it in a simulation.

Have a written plan that is comprehensive, yet clear, readable, and usable. Show who will come together and how to develop and approve communications materials, how communications will work with other internal teams, and how to escalate issues.

Be prepared on social media

If your company network goes down, social media is likely to be the first—and may be the only—forum you have to communicate immediately during a cyber-related outage. Best practice is to keep social media engagement limited in a crisis and make sure your responses on social media only repeat approved public statements. Plan A is usually to keep your communications confined to your website or microsite and, if needed, use social media to direct your customers to that site.

If your company is very active on social media, however, you may need to adjust that plan to reflect the communications posture your customers expect from you on social media. Before an incident occurs, ensure all relevant groups in the company align so they share the same approved public messaging across all platforms.

Read Also

The Intelligent Legal Department

The Intelligent Legal Department

Mick Sheehy, Partner, PwC NewLaw
Data Protection Trends - GDPR as a forthcoming global privacy benchmark

Data Protection Trends - GDPR as a forthcoming global privacy benchmark

Jiri Cerny, Legal & Corporate Affairs Director, Microsoft
Technology as a Tool to Aid the Legal Function

Technology as a Tool to Aid the Legal Function

Surabhi Madan, Senior Global Legal Counsel, ASM Front-End Mfg (S) Pte Ltd
Building On Your Legal Tech Journey

Building On Your Legal Tech Journey

Neil Blum, National IT Manager, Barry.Nilsson
Enhancing Productivity of Lawyers with Technology

Enhancing Productivity of Lawyers with Technology

Vimaljit Kaur, Senior Legal Counsel, Sembcorp Industries