October 2016 - Leaders of financial institutions have to anticipate and manage all kinds of risk – operational, financial, and technological. A risk that is top of mind for most executives today is cybersecurity. Cybersecurity transcends individual risk categories, influencing operational, technological, and importantly, reputational risk. In the event of a data breach, applying technology solutions can fix the problem, but how the targeted company responds to customers will determine the impact on its reputation and the long-term effects on the business.
The financial industry has struggled with its reputation over the last decade. While the industry is still digging out of the financial crisis, its reputation has improved in recent years. According to a 2016 American Banker and Reputation Institute survey of 33 banks, this improvement is not because of performance; it’s because of leadership. Leadership has surpassed performance as one of the top reputation drivers, and during a cybersecurity crisis, how leaders react and respond affects reputation for both the targeted company and the industry as a whole.
Plan and Prepare
Just as an institution prepares its staff and systems to prevent and remediate a cybersecurity breach, it is also imperative to plan how to respond when a breach occurs. During a crisis, everything a company says or does is important to its customers, regulators, and employees. Particularly during a crisis, communications should focus on the three S’s:
Speed of response – Based on the severity of the breach, how quickly should the company respond? It is important to get in front of the story.
Strength of the spokesperson – Who delivers the message and is that person already established?
Substance of the message – What does the company say and how?
Getting the three S’s right in the heat of a crisis is difficult, so it’s important to have a plan – even if it’s just a skeleton – that outlines key stakeholders, the members of the internal team, and the decision-makers around communications. A few key steps can help guide development of an effective response plan.
Before the Crisis
Establish the response team and define roles. Data security is a senior-level priority, so the team should include senior representatives from legal, human resources, IT, communications, operations, and all other relevant departments. Ensure external partners, including public relations firms and legal counsel, are in place before a crisis.
Create a plan and practice. Develop escalation protocols in advance and establish a streamlined approval process for communications.
Monitor channels. Set up monitoring for the institution’s name in traditional and social media.
Train spokespeople. Set aside time throughout the year to go through communication exercises with spokespeople. Build real-world scenarios that touch on key points for the team. Walk through the plans and talk through what could happen, what might happen, and what will happen.
During the Crisis – Prepare, Monitor, and Respond
Gather the facts. Look at the scenario as a whole and gather all of the details from internal and external sources. This will help determine next steps to solve the problem and communicate clearly.
Inform stakeholders and staff. Determine the best channels to communicate with stakeholders. At the same time, inform staff who interact with those stakeholders to maintain a consistent message throughout the crisis. Talking points are a great way to distribute information internally.
Activate a call center. Whether the company has a fully staffed call center or not, have a plan in place to use an external source when and if it’s needed.
Distribute statements. Not all the facts may be known, but customers always come first. Over- and under-communicating often create reputation issues. Be thoughtful and accurate so customers know everything is being done to manage the situation.
After the Crisis
Debrief. Review the action plan and see what worked well and what could have worked better. Review statements and the comments and questions received. Adjust the crisis plan as needed.
Continue monitoring. As the crisis sunsets, continue checking online, print, and broadcast outlets for mentions.
Maintain team meetings. Open communication before, during, and after a crisis is key. Ensure everyone is in sync with the actionable plan and discuss areas for improvement.
Reputation risk can affect every aspect of operations, so preparation for a crisis event is key. According to the Ponemon Institute, an independent organization that researches privacy and data security, the majority of consumers think data breaches are unavoidable. Getting hacked will not necessarily cause a major disruption to a company’s reputation. It’s the response after the breach that will make or break it.
McGreer, Bonnie, “Big Banks Improve, Regionals Stuck in Neutral: 2016 Reputation Survey,” American Banker, June 27, 2016.