8 tips for managing your reputation through a cyber crisis


Falling victim to a major cyber breach and having your personal details stolen by criminals is starting to feel routine to Australians.

The latest high-profile cyber victim was Latitude Financial, whose breach has become the largest-known data breach of a financial institution in Australian history, after an ongoing review revealed that 14 million people have had their data stolen; a hefty jump from the initial estimate of 328,000 people.

This news has certainly hit home at the BlueChip office where some of us are among the impacted 14 million.

One of our own heard about the breach from their partner who spotted the news while scrolling through their social media feed on Thursday the 16th of March and read it aloud, knowing of BlueChip’s cyber crisis management practice.

What that partner didn't know was that our team member has a forgotten and unused Latitude Mastercard.


It was 24 hours until they received an email from Latitude, at 5:33 pm on Friday the 17th of March, saying, in vague terms, that yes, a certain number of customers' personal data was breached, and that those customers who were affected would be contacted directly.

Our team member has not been contacted since and is unable to log into their account. It’s anyone’s guess whether missed calls this week from unknown numbers were Latitude trying to contact them. Or maybe they were from criminals who now have their mobile number.

We don’t know what company might be targeted next, but what we do know for sure is that there will be a next victim, and for financial services the stakes are particularly high given the amount of sensitive personal data stored.

Whether lives hang in the balance, or the global financial system is unstable, there is one golden rule of crisis management. That rule, no matter what you communicate, is this: the greater good comes first.

With that in mind, let’s look at the current situation at Latitude Financial and some of what went right and wrong from a crisis management point of view as the crisis has developed.


Key takeaways for financial service leaders:

1. Notify customers at the same time as any formal announcements.

No one wants to learn about anything that impacts them personally and negatively from the media, so make it a priority to get an email notification out to your database with as many or as few details as you can share at that point, along with next steps and resources. Customer communication templates should be ready to go in the event of a cyber crisis.


2. Provide clear actions and support for customers.

  • Equip your customers or clients as best you can to protect themselves. Most people understand that cyber-attacks happen; what is frustrating is when clear support and advice aren’t provided. This means a reminder of basic cyber security best practices as well as any advice relating to this specific scenario, i.e. what they can do if they believe their accounts have been hacked. This should be an existing template which can be updated and shared with customers on day one.
  • Provide direct links to support and resources. Rather than asking customers to monitor your website for updates, give them an exact link to a page which has been pre-populated with basic information in the event of a cyber-attack. This should then be updated with specific information as soon as possible.
  • Don’t thank customers for their imagined “patience and understanding”. Customers will be cranky (and rightly so), so feigning ignorance of that won’t win you any points. Instead, deliver a sincere apology and then swiftly move on to how you are working to resolve the problem, and what support you are providing in the meantime.
  • Focus on solutions. It was good to see Latitude come out with the offer to compensate its customers for replacement identification and other documents.

3. Stick to your commitments.

If you make commitments publicly, keep them all in a timely manner. Latitude has diligently worked through its commitments and shared regular updates via ASX announcements and the media. To bolster this, Latitude could share a timeline as part of the commitment so that its customers have greater certainty of what is happening and when. This also saves valuable resources going towards answering questions that a quick look at the website should be able to answer.

4. Be transparent.

The truth always comes out one way or another, so it’s important to be honest about the situation with your customers. The reputational repercussions of a cyber breach compounded by lies from management are far worse than those of a cyber breach alone, as the lies erode trust in the entire business rather than in its cyber security alone.

5. Ensure you're contactable.

In an extraordinarily challenging situation, Latitude made the call to close its call centres until it had regained control following the hack to protect customers from further harm. However, this meant that customers looking for assistance could not call anyone, and some also received an error message when using the contact functionality on the website (depending on when it was accessed). Remember that your customers are in a crisis with you and even if you need to move heaven and Earth to make it happen – you need to keep the lines of communication open.

6. Make the hard calls.

It took bold leadership to shut down Latitude’s services. It’s a move which does hurt the business; however, when weighed up against its potential to save its customers from further hurt, it was one that was worth taking.

7. Turn marketing off.

This one doesn’t require further explanation. If you’re in a cyber crisis which is exposing your customers’ data, it’s tone-deaf to push products, so turn your marketing off until it’s resolved.

8. Prepare before the cyber crisis, not during.

Latitude has been quite efficient from a communications perspective; however, it is clear from the timings that they weren’t prepared from a process point of view. This is where having clear crisis management training comes into play: each person has a role to play, understands how to operate under pressure and can immediately step into crisis mode. For teams that aren’t yet at this stage, we created our cyber crisis management training, which is worth its weight in gold to the C-suite and management leaders who undertake it.


Having a cyber plan is a good start, but until your plan is tested in a real-life scenario you aren't as prepared as you could be. BlueChip has teamed up with Horizon to create Horizon Blue. Horizon Blue is a first-to-market cyber crisis training simulation that challenges and strengthens your organisation and leadership’s readiness for any expected “when, not if” cybersecurity crisis.

The Boards and executives that undertake this training gain immediate insights into their vulnerabilities and - crucially - the actions needed to strengthen their crisis response capabilities.

Learn more about Horizon Blue here and ensure that you and your business are taking the necessary precautions to prepare for a cyber crisis and respond with flexibility and efficiency.
