A few years ago, if a company suffered a cyberattack, the message they would relay was often: “We’re experiencing technical difficulties,” or “We’re dealing with a cyber incident.” But in today’s technology-first society, with ransomware and other cyberattacks so prevalent, crisis communication strategies have changed.
Ransomware is “no longer a dirty word,” according to Meredith Griffanti (pictured), managing director at FTI Consulting, and head of the firm’s global cybersecurity & data privacy communications practice. Rather than trying to hide a breach, today most companies will come out and say: ‘We’ve been hit with a ransomware attack. Here’s what we’re doing to contain it, remediate it, protect consumer information, and this is how we’re planning to strengthen our systems going forward to make sure this doesn’t happen again.’
We’ve seen that strategy in multiple high-profile ransomware attacks this year, including the attacks against meat processing giant JBS and the Colonial Pipeline. Interestingly, not only did both companies publicly disclose relevant details of their attacks, but they also revealed that they had paid ransoms of approximately US$11 million and US$4.4 million, respectively, to free up their systems.
These are not decisions that any company takes lightly. In fact, most companies will require the help of a crisis communications expert to guide them through an incident. This is where Griffanti and her specialist cybersecurity & data privacy team at FTI come in.
“Companies are not only worried about the media coverage of cyberattacks, but also, if they’re experiencing operational disruption or technical difficulties, they’re worried about how to communicate with their own employee base and their customers, vendors, partners, investors, shareholders, and the board. That’s really where we come into play,” said Griffanti.
“Typically, we’re engaged a few hours after an attack is first discovered. We will partner with the company’s internal communications team, their legal counsel, IT team, and sometimes their operations or customer service departments, to figure out exactly what happened, and what’s impacted from an operational disruption standpoint. What are we dealing with in terms of the attack? Is it just encryption or has the threat actor exfiltrated sensitive data? Is corporate email offline? Can employees turn their workstations on? Is the website down?
“As the investigation progresses and unfolds, we advise on what they need to be saying to all of their different stakeholders. This is often pretty difficult in the early hours after an attack, because you don’t necessarily know the full extent of what happened. You might just know there’s a ransom note and some of your computers or systems are encrypted and aren’t working, but you might not necessarily know how the attackers got in, or what exactly has been exfiltrated. Those details can take some time to figure out.”
Even without all the details of an attack, it’s important for companies to take control of the narrative and tell it on their own terms, according to Griffanti. This is preferable to a whistleblower leaking information to the press or even the threat actors contacting impacted stakeholders directly. Proactive communication is important not only for a company’s reputation, but also in terms of their legal liability and breach notification obligations.
FTI partners with the victimized company’s internal and external legal counsel to ensure the crisis communication strategy is aligned with any data protection regulations or notifications that need to be made. This can be difficult, especially if the victim is a large multinational organization that had data impacted in various geographies or jurisdictions, where there are different legal and regulatory requirements.
“It’s a high-stress situation, which is why strong partnership between legal and communications is so important,” Griffanti told Insurance Business. “For us, the key is consistency in the message we’re delivering, regardless of geography or jurisdiction, and making sure we’re as transparent as we can be about what we know about the attack, and how the company has responded to the attack in collaboration with law enforcement, regulators and so on.
“People often think of crisis communications as just handling the media message and triaging media requests, but it’s so much more than that. It’s about positioning the company to be transparent, to take control of the narrative and tell the story on their own terms, and ultimately, to protect their reputation. So often, these ransomware attacks are just crimes of opportunity. Everyone is susceptible and no organization is immune. We consider ourselves lucky to be on the good guy side and to do everything we can to help a company that’s been victimized.”
Effective crisis communications play an important role in reducing the severity of cyber insurance claims. As such, FTI works closely with insurers around the world to assist clients with pre- and post-loss mitigation. Griffanti added: “We help companies to form a crisis-ready culture, and we help them build communications into their existing business continuity, disaster recovery, and incident response plans. We also provide lifelike tabletop exercises or simulations so they can practice their escalation protocols and decision-making skills, so that the first time they’re facing that situation isn’t in the middle of a real crisis. The more you practice, the better off you’ll be.”