Over the past year we have seen many examples of breach notifications ranging up to millions of victims. Looking further into the business impact of the post-breach process we can quickly see that how the organization reacts to a security breach can make the difference between a minor financial impact and a complete corporate meltdown. "A firm's failure to communicate effectively after an emergency strikes can be more destructive than the emergency itself," writes Richard Bierck in Harvard Management Communication Letter.
The real costs in any security breach are the long-term financial impact of lost customers and potential negligence lawsuits—not the immediate remediation costs. Well after the event, you will still experience a productivity reduction due to increased oversight and audits by regulators, clients and business partners. (Recently, one such court-enforced penalty was biennial reviews over a 20-year period.) Whether that additional scrutiny shows an effectively managed organization deserving of the continued trust of your stakeholders is entirely in the hands of top management in the moments following a major emergency. Clearly, establishing good security measures and controls is the first priority. However, in the era of rapidly evolving cyberthreats, even a well-defended organization may suffer a breach at some point. Given that reality, your public reaction to any incident should be meticulously planned in advance.
Establishing a management incident response team (MIRT) is the key. The MIRT is sometimes called the crisis response team. This is very different from the commonly understood cyber incident response team (CIRT). The CIRT is focused on answering such questions as What happened? How did it happen? What damage has been done? And how do we prevent it from happening again? The primary task of the MIRT, on the other hand, is to take the information from the CIRT and begin the process of managing the event from the perspective of the critical stakeholder groups you depend on.
The MIRT is a cross-functional team consisting of the CISO/CSO, chief privacy officer, general counsel, chief compliance officer, business line presidents and public relations (or functional equivalents). The MIRT must first ensure that accurate and complete data is gathered concerning the incident and continue to get reports from the CIRT about necessary remediation. But the MIRT's primary role involves communicating to its stakeholders in a highly targeted manner. The team will determine the appropriate parties that must be notified both under the law and consistent with corporate values, as many organizations will decide to go beyond the legal or contractual requirements to protect the clients and consumers. The ultimate goal of all crisis communication is essentially to uphold long-standing relationships and assure key stakeholder groups that your company understands how the breach impacts them and what you intend to do about it.
The MIRT's preincident planning should start by developing realistic scenarios that could arise; typical examples would deal with external fraud, a malicious insider, a technology hack, lost media, a data center disaster and an external security breach.
The next step is to create a high-level set of tasks that must be done in each scenario. Examples include: Notify the MIRT of the incident (this task is usually assigned to the CIRT, members of which may also be part of the MIRT); gather the facts of the incident; determine who should be notified; create the notification letters and notices. Given the members of the MIRT are leaders in your organization, a completely detailed task plan is not necessary or appropriate, but a list of tasks in the form of a RACI (responsible, accountable, consulted and informed) chart can be very effective.
As part of your scenario exercise, prepare the press releases and major stakeholder communications for review by your executive team and your internal and external public relations teams. The style of the communication is very important; it should be informative, take responsibility and reassure your audience that the matter is being handled. The CISO can help by compiling a reading file for members of the MIRT consisting of studies and thoughtful news stories covering similar events in your industry and elsewhere.
Thorough preparation will put your company in a position to minimize the impact of a breach. Without preparation, you may be lucky even to survive it.