Managing fallout? How to survive a Hack Part III
Final post in a 3-part cyber breach simulation series from the 2nd ASEAN Regulatory Summit. #advicethatsticks #TRREGSUMMITS @rlexperts @ey @jaydeconsulting @leesasoulodre @trtworld
See also part 1 - Data Breach? How to Survive a hack and part 2 - Ransom? How to survive a hack.
----
This is the final post in the 3-part series covering the highlights of the cyber breach simulation delivered in Singapore on 1 September 2016 at the Thomson Reuters 2nd ASEAN Regulatory Summit.
As Chief Reputation Risk Officer and Managing Partner, RL Expert Group, I had the opportunity to collaborate with Ernst & Young Lead Partner Cybersecurity Asia Pacific, Paul O'Rourke, Counter-espionage Expert and Managing Director of Jayde Consulting, Julian Claxton, and Thomson Reuters Senior Editor, Patrick Fok.
The event triggered robust debate among the audience of senior governance, risk and compliance practitioners, and leaders from across the region. Given that this breach scenario is relatively common today, we thought it useful to share the simulation and challenge your thinking.
What would you do?
The case so far...
Context: You are the Chief Risk Officer at ABC Bank. You discover that someone has hacked into your servers. The perpetrators have stolen your customer information and financial records and published them online.
Your investigations showed that your primary servers were hit by ransomware and that the attackers were demanding 1 million USD to unlock them. As a result of the attack, ABC Bank switched to its redundant offsite servers, which have weaker security controls. A phishing email therefore got through the firewalls, and an unsuspecting member of staff opened it and let it into the organisation; this was the root cause of the data leak. 50,000 customer financial records have been leaked to the public.
Part 3. You decided to tell the authorities, and chose not to pay the ransom. The story has now leaked to the public, and people are demanding you tell them how this happened and why.
How do you manage the fallout?
- Identity management & access controls
- Strong external PR campaign
- Engage the regulators and authorities
- Immediate upgrade of BCP and DRP infrastructure
- Internal reinforcement of risk culture
The results:
- 15.3% of the audience would focus on identity management and access controls.
- 23.7% would focus on a strong external PR campaign.
- 34.5% would engage the regulators and authorities.
- 12.4% would focus on an immediate upgrade of BCP and DRP infrastructure.
- 14.1% would focus on internal reinforcement of the risk culture.
We discussed that at this step you would more likely deploy all of the above simultaneously. The governance, risk and compliance audience's vote for a strong external PR campaign and for regulator/authority engagement was no surprise, particularly given the significant penalties and fines attached to a data breach and/or ransom.
Companies must also remember that it is a balancing act. When the "inside out" operational reality is bad but the "outside in" perception is good, they must implement the changes needed to alter the operational and/or strategic reality, AND collaborate with the communications and crisis management teams to limit stakeholder issues.
When the reality of the business's operations is good but perception is bad, marketing and communications are required to capitalise on the good reality and overcome poor stakeholder perceptions.
Stakeholders will be looking for inconsistencies between what was said during the crisis and what is being said now, after it. They will expect answers on compensation and seek evidence of what has changed since the incident.
In this phase, they will be looking for:
- Proof that the incident is over,
- To identify a person who will accept responsibility on behalf of the company (ideally CEO), and
- Company assurances that the measures are in place to mitigate the likelihood of the damage happening again.
During this period it is important to provide as much factual information as possible about what the organisation has learned and achieved. Continuing to demonstrate empathy and concern towards the victims, as well as demonstrating the company's competence in managing the issue, are both critical to managing any residual outrage as the company works to rebuild relationships and trust.
Beware: if no individual accepts accountability at this stage, internal or external whistleblowers may come forward.
Key Takeouts from Leesa Soulodre, Chief Reputation Risk Officer, and Managing Partner, RL Expert Group:
1. What to Communicate? The facts. In any major breach event, a company's stakeholders need the facts in order to adequately assess the situation. They want to know:
   - What has happened?
   - What and who has been affected? Where?
   - When did it happen?
   - Who is involved?
   - What caused the breach?
   - What has been done to ensure it does not happen again?
2. What to do? Take Accountability. Breaches are often linked to other parties in your value chain who may carry some level of contractual responsibility. However, there is significant research and market performance evidence that laying blame on third parties or partners only harms everyone involved and usually just delays 1) the execution of recovery and 2) stakeholder engagement.
A company does better to accept accountability, take ownership of all recovery activities, and pursue the appropriate recourse or compensation from third parties and partners at a later date. The faster the company apologises, shows empathy to its victims and is seen to be addressing the issues so that the breach can never happen again, the more likely it is to preserve its reputational equity and retain its social licence to operate.
3. What to assess? Expand enterprise risk management to include reputation risks, with an assessment process that factors in outrage and velocity. Modify your formula for risk assessment.
Risk = hazard + outrage + velocity x probability. Sandman describes "outrage" as "how upset it's likely to make people". This could be assessed using a proxy: the volume and veracity of negative stakeholder sentiment expressed across key stakeholder groups (internal and external), measured by weighted volume and examined against trend data. However, with a 24 x 7 news cycle and the interconnectedness of risks, factoring in velocity is also critical.
----
If you enjoyed this series, we will continue the discussion on cyber crime and data privacy at the Pan-Asian Regulatory Summit that is taking place on the 8th & 9th of November, 2016 at the Grand Hyatt in Hong Kong. For the full agenda and details on how to register, please visit the website.
---
I appreciate that you are reading my post. Here, at LinkedIn, I write about board related issues - corporate strategy, human capital, reputation risk, technology and innovation, corporate governance and risk management trends.
If you are interested in more effective reputation risk management, improving corporate governance, using the Reputation Institute's RepTrak model to benchmark your company's reputation, or developing your digital, communications, responsible investment or sustainability strategies, do connect with us at RL Expert Group.
About Leesa Soulodre:
Managing Partner and Director of RL Expert Group, an international reputation risk management think tank and consulting practice and Asia Associate of the Reputation Institute. An Innovation Advisor to the European Commission and to the University of Illinois Urbana Champaign Advanced Digital Science Centre, Singapore. Board Advisor to Belgian PR Software firm, Prezly, Korean Fashion Analytics firm FashionMatch, and the US Sports Analytics firm, Autoscout.
As a serial en/intrepreneur, Leesa has worked for 20 years on the cutting edge of strategy, communications, technology, cyber security and risk consulting. She has advised more than 400 multinationals and their start-ups in 19 sectors across Europe, Asia Pacific and the Americas. She has led companies with turnovers from $4M to $14B USD into new markets and has shared the exhilaration of one IPO, numerous exits and the hard knocks of lessons learned.
Connect: Leesa Soulodre, Managing Partner, RL Expert Group.