Planning for cyber-crisis communications
- Kristin Dispenza

- Jun 13
Updated: Oct 28
Cyber-crises are a unique crisis category and require specific actions during your firm’s crisis planning.
AOE encourages all AEC firms to develop a crisis plan—a guidebook to lead your team during an unforeseen situation that has the potential to impact your reputation and operations.
A wide range of disruptions can be considered crises. Special considerations come into play when dealing with a cyber-crisis.
Standard recommendations apply. Your crisis communications must be transparent, concise and factual. They need to focus on people and reflect your firm's core values. To ensure this happens, your planning phase should include assembling the team, considering communication channels and creating building blocks such as templates and example Q&As. Since cyber-attacks affect a broad group and include security risks, there are specific actions you should take to prepare for this type of crisis.
For any cyber-crisis, the objective is to regain trust, since security breaches can damage your firm's perception and credibility. To regain trust, frequent and thorough communication is necessary. Your firm should be the first to announce the crisis, not react to external announcements. Plan to send updates about the steps you are taking, even if results are not yet visible. Consider in advance all stakeholder groups you must communicate with and draft content accordingly. It is important to own mistakes (within legal guardrails) during any crisis, but this is especially true during a cyber-crisis.
What are the deliverables in cyber-crisis planning?
Most crisis plans include drafts for social media, press releases and staff updates. For a cyber-crisis, consider adding a list of internal questions to help your team navigate technicalities. A strategy map can also assist with this.
Consider in advance how detailed or technical your communications will be. It may not be advisable to announce specifics about the cyber-attack immediately. One reason is that stakeholders and the audience may not understand and interpret the information correctly. Another reason is that your firm’s leadership and IT team may not immediately understand the scope of the attack, creating potential for errors in early communications.
Unique to cyber-crises, regulatory agencies such as the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) will likely intervene if you have an incident. This means team members responsible for communications bear additional legal risks and must balance these risks against maintaining transparency. As you develop your Q&A banks and preapproved statements, consult with your legal department to get guardrails in place. This will ensure your outgoing communications do not jeopardize your firm’s legal standing.
Recovering from a cyber-crisis
There are three phases to any crisis: pre-crisis, during the crisis and post-crisis. Pre-crisis is the time for training leaders and setting expectations. During the crisis, you will implement the playbooks you have created. The post-crisis phase offers the opportunity to guide the firm’s culture and enhance its reputation. There are lessons to be learned from any crisis. Steps can be taken to build out aspects of the firm, whether improving technical infrastructure, providing new services to clients or building community relations. These steps are important not only because they rebuild trust, but because at the end of any crisis, your firm is again at the pre-crisis stage of the next unforeseen event.
AOE has expertise in developing crisis plans and will work with you to help build optimal communications. For more information, contact us today.