The cyber threat landscape is rapidly evolving, and increasingly rising to the top of the agenda for those responsible for leading America’s financial institutions and for regulators tasked with overseeing the industry. New regulatory requirements at the federal, state and global levels have made cybersecurity risk management even more challenging.
Cybercrime alone costs nations more than $1 trillion globally. This year, Harvard Business Review ranked cyber attacks as the biggest threat facing the business world today — ahead of terrorism, asset bubbles, and other risks. CEOs and board directors continue to evolve and improve their cyber oversight as cybersecurity continues to be front and center on board agendas. Every time a cyber-attack hits the headlines, board members and other stakeholders are reminded of the possible material threat such incidents pose.
Preparing ahead of time for such an incident can make all the difference in customer experience and public confidence. Understanding the key actions, stakeholders and messages your firm needs to be focused on is essential. Getting ahead means better preparation for when the crisis hits.
BITS, the technology policy division of the Bank Policy Institute, recently hosted a cybersecurity discussion with CEOs and directors that included a focus on crisis preparedness as part of its ongoing cybersecurity board governance program. Chris Feeney and Heather Hogsett lead BITS’s work in this area, concentrating on the board’s role in the cybersecurity context.
Chris Feeney, President of BITS, recently sat down with Hannah Stott-Bumsted, a partner at the leading advisory firm Brunswick Group and featured panelist at the event, to discuss best practices and opportunities for financial firms to better prepare for a cyber crisis.
CHRIS FEENEY: How has the crisis preparedness landscape changed as firms have shifted to more digital, technologically-driven entities?
HANNAH STOTT-BUMSTED: The new digital landscape presents both a challenge and an opportunity for every organization, including financial institutions, as they work to prepare for—and to respond to—emerging issues that are of concern to their key stakeholders.
It’s a challenge because information—true and false—travels so quickly through digital platforms and social media. An organization’s key audiences, including employees, customers / consumers, regulators, and investors are watching—and commenting on—situations in real time. Because situations can evolve and metastasize so quickly, being prepared is more critical than ever. It’s also important to think carefully about tone—for example, the more casual tone used on social media channels can be inappropriate if the organization is dealing with a significant issue of concern to consumers, like a cyber breach.
But it’s also an opportunity. Social media can act as an early warning system on emerging cyber issues. For this reason, we recommend that organizations make sure that their traditional and social media teams are being asked to monitor for emerging issues through social channels and that these teams know what and to whom they should escalate what they’re seeing. Social media channels can also provide an opportunity because they are an effective way to communicate information to an organization’s most important audiences.
CHRIS: How has what is “best practice” evolved over time?
HANNAH: What is considered “best practice” on how to communicate about any emerging issue is ultimately governed by public expectations. It’s been fascinating to watch how those expectations have shifted, particularly with respect to cybersecurity issues involving customer data. Some things remain the same: for example, it has always been critically important that organizations provide accurate and complete information to their key audiences, and that their words and actions demonstrate that they are on top of the situation and putting their customers first. Having to backtrack or correct yourself on any details conveys the opposite.
But it used to be that the fear of providing inaccurate or incomplete information meant that organizations waited to communicate about a cybersecurity issue involving until they could answer all of the questions they would be asked as accurately and completely as possible. That’s really changed. Organizations now have grown to understand that they are expected to begin as soon as possible after they learn customer data is in danger, so they can take appropriate steps to protect themselves and their information. But it’s still critical to provide accurate information, so organizations need to be careful that in the rush to be transparent and respond quickly, they don’t communicate information that could change as an investigation proceeds.
CHRIS: What can firms do to be better prepared to respond to a crisis event?
HANNAH: Don’t treat crisis response preparation as a static, one-and-done, kind of activity. I like to describe a virtuous circle of preparation, which means the work is ongoing.
The first step—which most organizations know and have tackled—is to develop a crisis response plan. However, many organizations haven’t devoted the time and energy to a plan that is truly comprehensive, particularly as a guide to internal and external communications. While it may seem hard to justify devoting significant resources towards planning for an event that one devotedly hopes never comes to pass, as someone who regularly deals with crisis situations, let me tell you that the effort is worthwhile. Because the process of developing the plan doesn’t just prepare you to manage a crisis if it erupts, but also helps you understand how to identify emerging issues and nip them in the bud before they become crises. A crisis response communications plan helps an organization anticipate and answer as many questions as possible in advance of a crisis. Some of these questions are tactical: what conference call number will we use? Where will we convene? Others raise important strategic issues: what functional areas need to be represented on a crisis response team? Some questions raise business/ethical questions: would we pay a ransom to a hacker? Working out the answers to critical questions in advance will help you react to the situation more quickly and allows you to respond in a way that demonstrates that you are in control of the situation. In addition, when a crisis occurs, everyone involved will likely feel an enormous amount of stress. A certain amount of emotion begins to creep its way into the decision making of ordinarily extraordinarily rational business executives. Answering as many business questions as you can while there is no emotional component involved will lead to better outcomes.
The second step is to practice. The process of simulating a crisis and practicing the response will help you identify weaknesses or gaps in your policies and response processes. You will quickly identify where roles and responsibilities of the crisis response team members are unclear or overlap. And most importantly, you will develop and strengthen the relationships of your crisis response team.
The third step—and this is the piece that can be hard—is to remember to do steps 1 and 2 regularly! The world is not static, and neither is any organization. A crisis response plan needs to be regularly revisited to assess how and where the world—and the organization—has changed and what new risks are emerging.
CHRIS: What recommendations would you make to executive management to help them engage the board of directors in crisis preparedness and response? What recommendations would you make to board directors?
HANNAH: First, make sure you’re communicating regularly with your board about the challenges that you’re managing. When we think of a crisis, we all think of the same kind of crisis—the one that erupts suddenly and unexpectedly. But there’s a second type of crisis: the one that emerges as an accumulation of small events that eventually bubble up into public lack of trust in an organization, at least on a particular issue. Getting in the habit of communicating regularly with your board about challenges that you are managing will help ensure that they are not blindsided in the event of the second type of crisis.
Second, keep your board informed about—and include them in—your crisis preparation efforts. Talk with counsel about whether and how they recommend engaging board members in crisis simulations. In the event of a crisis, you will need to keep the board informed and you also may need them to speak on your behalf. Good crisis response plans think through both how and when to inform boards, as well as how and when to arm board members with talking points.
CHRIS: Who are the key stakeholders that senior management should be thinking about as they craft crisis response plans?
HANNAH: When we talk about stakeholders, we mean who are the key audiences that an organization must communicate with on any given issue. Which stakeholders are key will vary for each organization and may change depending on the nature of the issue the organization is facing. Stakeholder mapping is an important part of crisis preparedness and is another aspect that needs updating on a regular basis. Typically, for financial institutions facing cyber issues, key stakeholders will include consumers/customers/affected individuals, government or regulatory agencies, or local, state, or federal elected officials, investors, and the general public. One key stakeholder group that can be overlooked or taken for granted is employees. In a crisis, an organization’s executive leadership should plan to engage early and consistently with employees, while staying mindful that you must be prepared that anything you say to your employees may well be shared with the broader public.
CHRIS: Table top exercises and simulations are an important part of crisis preparedness—what advice do you have for senior executives to make these exercises as effective as possible?
HANNAH: Table top exercises and simulations require a significant investment of time by busy senior executives. And it can be challenging for busy executives to devote real energy to these exercises when they have so many real-time concrete issues that they are dealing with. But busy executives should realize that the value that an organization derives from these exercises is directly proportionate to the seriousness with which senior executives treat them. Participants need to be invested in the scenario, dedicate time to the exercise, and role play as if the situation were really happening. Simulation organizers can help by making simulations as realistic as possible—inserting unexpected facts, having real people role play as reporters, analysts, or other external forces, and doing research to ensure that the scenario is plausible—and by helping simulation participants practice role-playing techniques in advance of the scenario.
CHRIS: What other advice do you have for financial industry leaders as they think through the big challenges of communicating with key stakeholders in the event of a cyber or technologically-driven crisis?
HANNAH: First, pat yourself on the back, but don’t let down your guard. Financial institutions have been leaders in cyber preparedness on a variety of fronts, from threat sharing to crisis planning. They really have engaged in a meaningful way and we are all better off because of it. This industry is also under constant cyber assault—more than any other industry, so there is no room for complacency.
Second, if trouble strikes, hold firm to your organizational values. Your employees and other stakeholders will look to you for leadership at a time of considerable personal and professional strain. Your best response is the one dictated by your values, which will allow you to respond in an authentic way, show your commitment and calm confidence, and lead your organization through the crisis.
Third, listen to your trusted outside advisors. Leadership often feels significant emotional strains in a crisis. Trusted outside advisors—law firms, communications firms, forensics firms—have the benefit of both having a lot of experience responding to these events and a degree of distance from the situation you’re facing. Trust their advice, even if it sometimes feels uncomfortable.