Corporate Communications: Building reputational resilience to cyber attack Authors: Richard Meredith and George Little September 2016 Brunswick Intelligence


Contents

Navigating the Digital Age: Communications Chapter

The era we are in

What the public thinks

First line of defense: Strengthening internal culture

Second line of defense: Preparedness

Third line of defense: Assurance

Fourth line of defense: A confident response to crisis

Reputational rebuild

Biographies

Brunswick Group

Navigating the Digital Age: Communications Chapter

The era we are in

The corporate world is surfing the wave of a major technology revolution that is defining our times and lives. We are only at the start of it. The Internet of Things (IoT) promises to do more to change our lives in the next 15 years than we have gained in the last 15. So far, the revolution has provided digital connectivity and volume data access. The next phase will change our physical space – our travel, our health, and our working patterns. Our demands as customers and citizens are now borderless. We want our technology always on, frictionless, everywhere.

The focus of our leaders and governments is rightly on ensuring the security of this personal and business data. If we are lucky, this may be a mid-term challenge – encryption or other technologies may solve the problem in two decades. The personal privacy threats (PPI, false flag, identity theft, etc.) may be solved sooner. In the meantime, we know we are living in a world where we cannot trust absolutely in the security of any data, however well we protect it. We also know that our companies, customers and citizens are demanding absolutes: the ability to trust the financial data we depend on to run our markets; the protection of our personal private information, even as our ideas of privacy morph and shift; and the need to be confident in the effective functioning of those systems which sustain our lives and businesses. Technology cannot, at present, provide these guarantees. Cyber security is now about managing risks, not eradicating them.

Assessing the threat has always been complex. In some ways, cyber criminality is at the easy end of the spectrum. These days, political or issue activism has a new instrument to use to make its case. In the future, national conflicts will be fought out – at least partly – in cyberspace, against critical national infrastructures. This is the new world that companies operate in.

Leaders and Boards will often now describe cyber as their most critical business risk. They know how the threat environment is changing. They are trying to keep up with shifting laws and regulations. And they also increasingly see companies’ reputations suffering in the public arena if cyber crises are mishandled. They are increasingly seeing cyber as a risk to reputation, as well as to business-as-usual.

For companies, the lasting damage of a cyber breach is often not the technical damage done, the money lost, or the regulatory fines. The highest cost is to reputation. Personal and corporate reputations have been lost because the public management of the crisis has gone badly. Companies too often project uncertainty, an interest in shifting the blame, and a lack of confident leadership. It is often this that has the bottom-line cost.

Cyber crises can be managed well, and companies can recover from them. Ensuring that a company is prepared for a cyber crisis is the vital first step, but building your defenses is as much about communicating well as it is about your technical resilience.

A company’s long term public reputation depends on its capacity to handle a crisis with perceived authority, putting customer reassurance at the centre of its response.

What the public thinks

We the public still think of the world in analogue terms, as if privacy was an absolute – or a matter of choice. Few of us comprehend the analytical capabilities that metadata is already generating. Regulators, politicians, and companies find it difficult to communicate with a public (and media) that is often inconsistent, frightened, and uninformed about this new information world.

Loss of data will happen, and in this emotionally-charged environment, the public reputational consequences of a cyber breach can be hard to predict. A company which has not established trust will find this to be a more difficult journey than a company that is already trusted for competency, professionalism, and stewardship.

Cyber attack is now a critical business risk. We believe it is possible to build defenses that reduce the likelihood of a cyber attack being successful and that ensure that companies are better prepared to manage cyber crises when they happen. Not preparing for a cyber crisis is increasing your risk.

[Figure: “Cyber crisis”, shown with four surrounding factors]

• Takes place without an emotional and poorly informed public debate on data and privacy

• In an environment of fragile brand loyalty and corporate trust

• Made complicated by the lack of information often available on the scale and origins of the attack

• Further complicated by increased regulatory pressure and focus on “people resilience” as well as technical defense

First line of defense – Strengthening internal culture

Cyber is about people. People are your protection and your weakness. Your people make you vulnerable – because you have not trained them, enthused them, or vetted them. Knowing your people is your best defense, as is building a culture where risks are spotted and reported, and where behavioral abnormalities and discontent are noted and acted on. Building a security culture is about good management. Culture is not the responsibility of compliance or security, but of your leadership. A security culture is not built by accident, but through sustained communication campaigns and commitment.

• Have you defined your critical staff, or those with access and the capability to do you harm? What about third-party staff with access to your systems?

• What vetting processes do you have in place? Are you able to spot Bad Apples or Unhappy Apples?

• Is data security still seen only as a compliance issue? How are compliance requirements communicated? Do they change behaviors? How do you know? Do your people understand the why of security, as well as the what? Is data security hard-wired into the DNA of your company, its sense of professionalism, and the obligations it has to your customers?

• Do your staff know where the dangers are and what to be suspicious of? Your attackers are working hard to find out about these people, to spot their vulnerabilities, to build online relationships, and to employ deception to tease access codes out of them. Are you protecting them?

• Is IT security led from the top?

Second line of defense – Preparedness

Preparedness is as much about having an attitude of mind, as having a Crisis Manual. In the real world, cyber crises are best managed by a leadership that is confident and knowledgeable about the issue, and knows how to project authority and discipline.

But a crisis management process can help shape that discipline and confidence. Poor management of the public reaction to a cyber incident can easily turn an incident into a reputational crisis. The actual scale of the cyber incident or attack may be small, but the public reaction to it may be uninformed, critical, and emotionally-charged. Managing a company’s public response to this requires authority and discipline.

And whatever the scale of the cyber incident, crisis communications requires agility, confidence, leadership, quick decisions, and a clear understanding of the core narrative and messaging you wish to project. Building a robust regime of rehearsal and review, at operational and executive levels, is a vital step in building an authoritative and disciplined communications response.

• Do you have a crisis team? Who is on it? Do you distinguish between an operational crisis team and an executive management team?

• Does your senior management team understand cyber? Does it understand the range of risks and systems that you own?

• Do you know what data you collect, buy or hold? Do your customers understand your data practices? Do you know how your company’s data security practices match up to industry standards?

• Are you confident that you will be alerted in the event of a cyber incident? Who needs to be told?

• Is someone tasked with assessing the potential reputational impact of an incident as it evolves?

• Do you have a communications toolkit – a set of messages on the company’s data privacy, a company factsheet, and draft communications to each stakeholder audience?

• Do you know who the spokespeople should be and what responsibilities they have? Have they been media trained for a crisis situation?

• Have you identified the range of your key stakeholders and their needs, and are you clear who is responsible for managing this range of relationships?

• Have you thought through your media strategy?

• Are you confident about your engagement with regulators and law enforcers, and do you know who can call whom at the moment of a crisis?

• Are you comfortable about how you will respond to criticism online, and how you will engage with a crisis which is likely to play out through social media?

The best way of ensuring preparedness is to test it, so that your leadership understands the scope of the challenges, and can endorse the company’s approach.


Third line of defense – Assurance

Increased scrutiny from the media and all stakeholders on the strength of a company’s data security stems from the increase in public attacks and increasing regulation, including the EU’s General Data Protection Regulation, which in 2018 is scheduled to impose new disclosure requirements across Europe and raises the potential for significant fines. A company seen to be competent, authoritative, and transparent about its data and the security of it will be viewed more favorably by the public and the regulator. Regulators are also seeking assurance that companies are prepared for crises. Companies need to reassure all audiences that customer data is safeguarded and that this stewardship extends beyond simple adherence to the law.

Fourth line of defense – A confident response to crisis

The guiding principles for any crisis are the same:

• Discipline and coordination are critical. A crisis response needs to deliver a coordinated approach, with clear and disciplined messaging.

• Timing is critical. The media operates continually, and social media gives the public an immediate voice and platform. Decisions need to be made quickly, particularly around media communications.

• Leadership is critical. Managing public sentiment in crisis depends on projecting an authoritative and commanding narrative, and leading the story. Leadership, both externally and internally, is required to project authority and competence.

• Transparency is critical. Your reputation depends on being regarded as honest and forthright in your public responses.

Reacting to a cyber breach demands a clear process, and clear responsibilities for action and decisions. A company needs to ask itself:

• Is the breach public? What judgements can be made on whether it will go public? Can you control the timing?

• Are you monitoring the media and digital discussion forums for public disclosure?

• Have you convened your crisis team?

• Have you notified external counsel and other advisors?

• Is it clear how sensitive the data is that has been breached?

• Who else needs to be notified or warned?

• What should you tell your people?

Once it is public:

• Have you activated media monitoring? Do you know what is being reported?

• Are you clear who is leading the response?

• Are you keeping track of events and developing a clearer record of facts to adjust the public response?

• Have you communicated with all front line employees and management around media protocols and lines to take?

• Do you have a social media response plan for the crisis and separately for ongoing customer service?

• Have you agreed on answers and statements for each audience?

• Have you confirmed disclosure requirements?

• Does your senior management know who they need to contact? What is the Board’s role?

Facing a cyber breach is a critical moment for a CEO. News of the breach could come from the IT team or externally, including social media, traditional media, the hacker, or a key customer. But it is unlikely that the company can be sure of many of the details – what has been lost, how much data has gone, or who might have been responsible. It could escalate quickly to the CEO being on the front line of media questions. There is a temptation to lay the blame somewhere, which doesn’t always help. The CEO will want to reassure customers, but may not have the facts that allow him or her to do this.

Social media can be used as a data tool to indicate whether the public crisis is getting better or worse. But it can also be used to reach your public and customers directly and provide reassurance and information. The general rule of thumb is that anything the company does to engage on social media will increase the volume around the incident. This may be what you want, but it may not be. You may not have a choice. Customer service through social media cannot go quiet. If social media activity is only a spike, then company engagement might re-energize the debate. If it is an escalating public conversation, there may be no option but to engage.

The best approach is having a clear set of messages, and a track record of data stewardship and security that you are proud of. You will need to be able to say quickly what immediate steps have been taken to manage the breach and ensure the most sensitive data is protected. You will want to be clear about your cooperation with the authorities. And you will want customer communication to be at the heart of your approach.

Reputational rebuild

While resolving these incidents is always a critical focus of management, shaping the longer-term reputation and external engagement of the company through these periods is of central importance.

Some crises are quickly forgotten. Others have a long-term impact on the reputation of the company and the leadership. Once the headlines are over, it is always tempting to believe that a company’s reputation has been restored. Understanding the long-term impact on perceptions of your company and leadership among customers, employees, investors and the media is a critical tool in shaping your public engagement. This can be done by guesswork, or by hard data. But having a clear sense of how your reputation has changed allows you to respond. Crises present opportunities to drive through change that can be more difficult to achieve in other circumstances.


Biographies: Authors and Brunswick Cybersecurity team members

Richard Meredith, Partner, London

Richard is co-head of Brunswick’s Crisis Advisory Group. Drawing on his political experience, he has worked with a number of senior corporate clients on preparing them to manage crises better.

He also leads the Brunswick Private Client and Family Business Group along with being a key partner in Brunswick’s Corporate Data Group, advising clients on data and cyber issues.

Before joining Brunswick in 2012, Richard was Communications Director for national security issues in the UK government. Richard’s long career in the HM Diplomatic Service took him to many parts of the world, and he lived and worked in Africa, Germany, the US and the Middle East.

Richard has advised a number of major global companies, including BAE Systems, Rolls Royce, and MTN on their management of global crises. Richard’s senior clients also include international private family businesses in the UK and internationally, where he works with them to build communication programs that underpin their reputational standing.

George Little, Partner, Washington, DC

George is a Partner in the Washington, DC office, specializing in crisis communications, cybersecurity, reputational and public affairs matters.

Prior to joining Brunswick, George was head of Marketing and Communications at Booz Allen Hamilton, a leading provider of management consulting, technology and engineering services to the U.S. government, corporates and non-profits. He brings extensive expertise from the highest levels of the national security and defense community, as well as the private sector. Before joining Booz Allen Hamilton, he served as Assistant to the U.S. Secretary of Defense for Public Affairs and Pentagon Press Secretary, and as Director of Public Affairs and Chief of Media Relations for the U.S. Central Intelligence Agency (CIA). In these roles, he worked closely with counterparts from other governments to address the full range of security challenges facing the U.S., its allies and partners around the world. He also spent five years at IBM advising corporate and government clients on business and technology strategy.

Mark Seifert, Partner, Washington, DC

Mark co-leads the privacy and data security practice at Brunswick and has advised clients on various issues, including crisis, government affairs, corporate communications, financial-related communications work, media relations, and issues management.

Mark has extensive experience within the government based on more than a decade at the Federal Communications Commission, as well as his service in all three branches of the federal government. Immediately prior to Brunswick, Mark oversaw a $5bn broadband infrastructure program at the US Department of Commerce. In addition to his time as a regulatory lawyer at the FCC, Mark also served as counsel to the House Committee on Energy and Commerce on telecommunications and technology matters.

Mark has led retained accounts, projects and transactions with public and private clients, which have included EADS (Airbus), Novo Nordisk, GE, AT&T, and Facebook.

Siobhan Gorman, Director, Washington, DC

Siobhan Gorman is a Director in the Washington, DC office, focusing on cybersecurity and privacy. She specializes in breach preparedness, breach crisis response, and thought leadership initiatives in the cybersecurity arena.

Prior to joining Brunswick, she had a successful career as a reporter, most recently at The Wall Street Journal where she covered topics that are critical to our clients such as cybersecurity, data and privacy issues, terrorism, counter terrorism, and intelligence. Prior to joining The Journal in 2007, Siobhan was a Washington correspondent for The Baltimore Sun covering intelligence and security. From 1998 to 2005, she was a staff correspondent for National Journal covering similar issues. She has been nominated three times for the Pulitzer Prize and is a graduate of Dartmouth College.

She has worked on confidential cybersecurity breaches, as well as preparedness projects in the airline, automotive, and retail sectors. She has also worked on public affairs and reputational projects in the financial sector.

Wendel Verbeek, Director, London

Wendel Verbeek is a Director in London with over 15 years of cross-border communications experience with Brunswick, advising a range of clients on building their corporate reputation.

She is focused on advising companies on crisis preparedness, cybersecurity and privacy. She also recently spent two years working directly with the Chairman of Brunswick coordinating internal programmes across the Group around management, operations, finance and people.

Wendel started in the New York office and has been in London for over 10 years. In addition to her crisis work, she has significant corporate positioning and financial communications experience, having managed international corporate reputation programmes, M&A and IPOs. Her clients have included AT&T, Barratt Developments, Amadeus, Sophos, Pearson and Ophir Energy.

For more information, contact Brunswick

London: 16 Lincoln’s Inn Fields, London WC2A 3ED, United Kingdom
Tel: +44 20 7404 5959 Email: [email protected]

Washington, DC: 1099 New York Avenue, NW, Suite 300, Washington, DC 20001, USA
Tel: +1 202 393 7337 Email: [email protected]

www.BrunswickGroup.com

Richard Meredith, Partner, London: [email protected]

George Little, Partner, Washington, DC: [email protected]

Brunswick Group

Brunswick is an advisory firm specializing in critical issues and corporate relations: a global partnership with 23 offices in 14 countries. Founded in 1987, Brunswick has grown organically, operating as a single profit center – allowing us to respond seamlessly to our clients’ needs, wherever they are in the world.
