Crisis communications: IR and the cyber-attack
Companies face numerous risks every day and cyber-security, in particular, has become a major issue for corporates around the world. If not handled appropriately, the fallout from a cyber-attack, beyond a short-term impact on financial performance and share price, can have dire longer-term consequences for a firm’s reputation and future. Given recent high-profile cyber-attacks on prominent organizations in Asia and across the world, this is a rising threat companies cannot afford to ignore.
The financial implications of cyber-attacks are severe: Lloyd’s of London, the world’s specialist insurance market, has estimated that such breaches cost businesses as much as $400 bn a year. In the US, the SEC says cyber-security is the biggest risk facing the financial system.
As such, IROs need to be able to address investor concerns in this area and answer company-specific questions such as: what data do you hold? Where are you at risk? What measures have been put in place to safeguard the business and its reputation? In order to do this effectively, IROs need to make sure they are familiar with all pertinent information on their company’s cyber-security measures and that the data they store is kept up to date.
Given the impact a data breach can have on a share price, it is important that IROs take an active role during a cyber-attack. The role will stretch from guiding the crisis team on the situations and circumstances in which an official market announcement is required to managing investor and analyst queries and educating them on the extent and likely impact of the breach.
It is important that IROs manage the information flow with great care to ensure all relevant stakeholders and the market are simultaneously updated with material developments. This is particularly challenging given that data breaches are often consumer-led crises and therefore play out in real time largely on social and digital media channels.
According to the guide to managing data breaches issued by Singapore’s Personal Data Protection Commission (PDPC) in 2015, organizations are encouraged to proactively prepare and implement a management and response plan, with a clear line of responsibility and communications, to manage data breaches; communicating with investors will form a significant part of these plans.
In the event of a breach, efforts made by an organization (such as making timely market announcements and the presence of adequate recovery procedures) will affect PDPC’s decision on whether the organization has reasonably protected the personal data in its possession. Acting in accordance with such guidelines should ensure IROs are in a position to fully demonstrate to investors their preparedness in the event of an attack.
While you cannot plan for every eventuality, you can – and must – be prepared for likely crises such as cyber-attacks. With thorough preparation, an IRO can work effectively with the rest of the crisis team to manage one of the key stakeholder groups and minimize the short-term financial impact and longer-term risk of irreparable damage. It is also important to maintain a log of all activity during a crisis so that during the post-mortem you are able to analyze your actions, learn and improve for the next potential emergency situation.
In times of crisis, senior management and IR teams need round-the-clock, instantaneous information as well as counsel on what to say to investors, when to say it ‒ and how to say it. Preparation and simulation training are imperative because when a crisis hits, you need to be ready to act decisively and with speed.
Angela Campbell-Noë is senior partner, Asia at Tulchan Communications