The World Economic Forum recently released its annual Global Risks Report. The report charts ten years of the largest risks to global stability, both in terms of likelihood of occurrence and also in terms of potential impact. It won’t surprise anybody within financial services communications to know that, in terms of both likelihood and impact, the list over the first five years (2007-2011) was dominated by categories like “asset price collapse” and “fiscal crises”.
In 2017, there are only two risks in either top ten that are categorized as economic, and neither is particularly specific to financial services (illicit trade and unemployment/underemployment). The Dow Jones Industrial Average just crossed 20,000 points and many bank stocks in the U.S. have benefited from talk of looser regulation. With these positive indicators not tempered by fears of major risk, at least in the WEF’s assessment, updating the crisis communications plan might not be a priority for many financial institutions.
However, numbers five and six on the “likelihood” list must surely give financial services PR pros pause for thought: “data fraud or theft” and “cyberattacks”. It’s now two and a half years since the mega breach at JPMorgan Chase and, according to data from the ITRC and CyberScout (client), the financial services industry experienced 26% fewer data breaches in 2016 than in 2015. However, the damage done by major frauds conducted via cyberattack, including the spate of SWIFT-focused hacking attacks last year, makes clear how vulnerable the industry is to cyber risk. So what are the key steps comms pros can take to get their ducks in a row should the worst happen in relation to a major hack? Two elements should be top of mind right now.
Preparation begins with a crisis plan. There are several key components this should include to ensure optimal response to a hack that leads to data breach or fraudulent transactions:
- Audience mapping – Assess each of the audiences. There are obvious constituents like investors, customers and employees, but there are often critical audiences that require tailored communications depending heavily on the scenario.
- Tailor messaging – Take the audience map and assure that the format and message for each audience is tailored and appropriate.
- Assign ownership – Organize a response/responsibility flow chart that creates clear accountability and a timeline for all actions, ensuring a fleet-of-foot response.
You should build response plans around a number of variables, because the specifics of each case will shape the messaging and the response plan. Should the response be reactive or proactive? Should the tone be mea culpa, or more aggressive? The types of variables companies should plan for include:
- Losses – Is it personally identifiable information on customers or employees? Is it financial transaction records? Have funds been moved fraudulently?
- Attack vector – How did the hack occur: through a third-party integration, via spear phishing of an employee, through weak passwords/authentication methods, or simply through inadequate IT server protections?
- Defenses – Were the measures taken and the technology in place as robust as they could have been to prevent an attack?
Ensure coordination with compliance
As of March 1, many leading financial institutions are subject to New York State’s Department of Financial Services’ cybersecurity regulations, which are expected to heavily influence policy in several other states. This will mean a number of things for communications professionals within the financial services industry as they plan their response to cybersecurity incidents.
Firstly, corporate communications teams will have unparalleled access to information on how their company’s cyber policy is set up. The regulations require written policies and procedures, risk assessments, monitoring and testing, audit trails, access controls, application security, third-party service provider cybersecurity standards, encryption, data retention, specific hiring and training practices, incident response planning and annual compliance certifications. Collecting and digesting the outputs of all of these requirements will position the PR team far better for handling related crises.
Secondly, the rules require banks and other financial institutions to appoint a Chief Information Security Officer. This provides a clear, responsible individual who can answer any cybersecurity-related questions that arise in response to a breach. It also gives the PR team options. Should the CEO be the publicly named spokesperson? In cases where customers, employees or partners have suffered substantial losses or distress, that might still need to be the case. But in more minor incidents, the CEO does not need to be the figurehead answering questions on IT security, and there are clear reputational (as well as scheduling) benefits here for the bank in question.
Thirdly, the requirements include the need to inform the DFS within 72 hours of a breach, bringing into play the question of when it is appropriate to inform other key audiences. Banks might decide that, after informing the regulator, they need to accelerate the timeline on other disclosures, and this may also help with the preparation and speedy resolution of crisis-level cyber incidents. But it also makes the advance preparation of materials crucial to success.
While this blog post is far from an exhaustive list of the complex array of actions that need to be taken to prepare for cyberattacks, the points above ought to be top of mind in responding to the WEF’s pertinent risks for 2017. Whether the next few years will see the specter of asset bubbles and systemic financial risk rise up the rankings remains to be seen, but we can be certain that cyber risk is here to stay for generations, and there are few institutions that are more highly prized targets than financial services companies.