Are You Ready for a Cyber Incident?
In an O’Dwyer’s LinkedIn Live discussion on cybersecurity with crisis comms pros John Lovallo and Max Marucci from Leidar and data privacy attorney Christian Lee from law firm Cooley LLP, the overriding theme was that companies must get their ducks in a row in advance of the inevitable crisis resulting from a data breach.
According to a study from Cybersecurity Ventures, a cyberattack took place every 39 seconds in 2023. In 2022, it was every 44 seconds.
Gone are the days when the person hacking into your company’s data is sitting alone in a basement. More likely a sophisticated entity has targeted you, Lovallo explained.
“Threat actors are organized businesses using tools such as AI to facilitate cyberattacks,” Lovallo said.
Here’s a scary example of nefarious AI at play. A May 16 Financial Times story detailed how UK engineering firm Arup, which has about 18,000 employees, was bilked out of roughly $25 million when an employee in its Hong Kong office was instructed to make transfers during a video conference in which deepfakes impersonated the company’s chief financial officer and other staff.
You might not be aware of the fact that the Securities and Exchange Commission adopted rules in 2023 (effective in December of that year) adding Item 1.05 to Form 8-K, which requires public companies to disclose a material cybersecurity incident within four business days of determining that the incident is material.
This opened a new way for hackers to extort and embarrass companies, according to Lee. He described how they’ll go straight to the SEC with details about their latest breach and let SEC officials be the first to contact the affected company.
Another, more mundane, but equally damaging trick is to set up a data leak website where the stolen data is published, or threatened to be published, Lee explained.
Unlikely bedfellows
So, how do a law firm and a crisis communications shop like Leidar work together to help a client that has been the target of a cyberattack?
Lovallo described Cooley as the “quarterback” during a cybersecurity event.
A law firm is typically the first place an organization will turn to after it’s been hacked, according to Lee. But then Cooley reaches out to comms pros such as Leidar to handle outreach to groups such as internal staff, affected customers and the press.
Handling a cyber incident is a different animal from any other crisis, though, Marucci stressed. He detailed how the urge to get ahead of things and be proactive must be tempered by the regulatory requirements implicit in a cyber response and by the fact that you might not have all the information you need at first.
“You have to balance when you’re communicating and what information you’re sharing,” Marucci stressed.
Lee echoed Marucci’s sentiment, noting that “it’s a case of what you say can be used against you in the future.”
In fact, everyone agreed that how you manage communications and respond during a data breach is often more important than the incident itself.
"Data breaches are so common that the only ones discussed in the media are the ones that are larger in scale or are badly handled. The smartest thing that any CMO or CCO can do is hire outside experts who understand how to communicate during an active incident so they do not fall into the second category," Marucci said.
Plan in peacetime
You have to plan your communications strategy during “peacetime,” Marucci stressed. He noted that it’s impossible to account for every possible scenario, but you can at least identify the audience groups you’ll need to talk to internally and externally.
An important point to consider is access to your crisis communications plan in the event that you’re locked out of your company’s systems, Lee noted. A plan that lives only on the corporate network is unreachable during the ransomware incident it was written for, so a printed copy or one held on a system outside that network is the practical safeguard.
Lovallo said Leidar is actively working with clients on cyber incident apps to help executives navigate an effective response.
Tabletop exercises are a good way to stress test a company, according to Lee. For instance, walk through the response to sensitive company data being posted on the dark web.
Lee described how the daughter of an executive was the first person contacted after a cyber incident involving one of his clients.
The goal is to put a plan in place with individuals and teams assigned specific monitoring activities and duties, according to Lee.
An important element for any company to consider with regard to data security is the language its marketing materials use to describe the security standards it already has in place, Marucci explained.
For Marucci, there must be a balance between the salesy language that marketing wants and what legal counsel considers appropriate. He urged companies to stay away from definitive claims about their security that can come back to haunt them after a breach.
Marucci pointed out that companies must also be prepared for a reputation hit from an incident with a third-party vendor such as a file sharing service.
"For a cyber incident, or any potential crisis matter, hope is not a strategy, but preparation is. The best time to prepare for responding to a cyber incident is before it happens. This includes having experienced legal and communications advisors in place as part of your team to guide you through the process and mitigate both legal and reputational risk," Lovallo said.
View this full discussion on LinkedIn.
Contact John O'Dwyer at john@odwyerpr.com if you'd like to suggest a topic, be a panelist or are interested in sponsoring a LinkedIn Live event.
Comment from John Lovallo, Managing Director, Corporate Affairs & Financial - New York Leader (7 months ago): John, thank you for giving us the opportunity to share our experience on your platform. Much appreciated.