Risk management and communication in cyber crises
The threat posed to global companies by cyberattacks has steadily increased in recent years. Experts predict that the economic damage will amount to around 10.5 billion euros worldwide by 2025.[1] The German economy suffers an annual loss of around 203 billion euros from data theft, espionage and sabotage alone[2] - almost a fourfold increase compared to 2016/2017 (55 billion euros)[3].
The reasons are obvious: Global society is increasingly leveraging the exponentially growing possibilities of digitalization in ever more, and ever more interconnected and sensitive, areas of application. Research and development, healthcare, administration, politics, global supply chains and production networks are attractive targets for cybercrime due to their growing wealth of data.
The risk landscape is deteriorating exponentially in the current environment
Industrial espionage, geopolitics, financial incentive – the motives for attacks are as varied as the attacks themselves. Today, cyber crises are among the biggest operational risks for companies and organisations, and companies are aware of the threat from the internet: in the Allianz Risk Barometer 2022, cyberattacks are now in first place, having only been among the top three risks in the previous year. So awareness is increasing, but experience shows that the dynamic growth of cyber risk in particular is not consistently reflected in the risk management of many companies. While the damage potential of cyber risks is already growing exponentially on its own, the disruptions in the macroeconomic environment are adding further acceleration, as the coronavirus pandemic, the war in Ukraine and the energy crisis are changing the risk landscape at breathtaking speed. The availability and affordability of raw materials and energy, supply chain risks and the exponentially higher vulnerability of networks due to remote access are just a few examples. As is so often the case, the risks are also interdependent and can quickly converge into a perfect storm. These dynamics must be appropriately taken into account in corporate risk management.
Integrated approach to risk management and communication
A cyberattack not only causes costs for restoring the affected systems, but also additional high resource expenditure for crisis management as well as indirect costs: in the B2C business, the loss of trust of a broad mass of end customers (think of the transmission of health data, private financial transactions or the use of online administration services); in a highly integrated B2B business, contractual penalties. In all of these situations, however, it is the company's reputation that is at stake, and this reputation has a price tag attached to it: valuation and share price, order volumes or competition for partners and talent, to name but a few. Fast, consistent and helpful communication towards all target audiences is therefore a business priority and must be integrated with the overall risk management. The good news is: it can be prepared in advance.
Successful crisis management is a function of good preparation
In any corporate crisis, it is the task of corporate communications to organise a synchronised flow of information and a dialogue with the company's various internal and external target groups. The particular challenge with cyber crises is that when the attack becomes visible, e.g. at the moment of encryption in a ransomware attack, the extent of the damage is unclear in the vast majority of cases. Dwell times – the period between the attacker's intrusion and the actual encryption – of several weeks are not uncommon and enable spying, theft, manipulation or the preparation of data encryption. Forensic investigation, on the other hand, usually requires several weeks to gain a complete overview. Corporate communications must therefore moderate and coordinate a longer period of uncertainty than in almost any other crisis.
The (understandable) initial impulse is often to provide information as comprehensively and transparently as possible. However, experience shows that new facts almost always emerge in the course of forensics, leading to costly corrections if too much is published too early.
In a cyber crisis, the crisis team's communication must be able to balance push and pause. Initial acknowledgement and brief information about the incident must be issued quickly to the most important target groups – authorities, employees, customers, investors and partners. Above all, this information must offer assistance (personal contacts, support hotline and email address), be comprehensible and appropriately empathetic in view of the impact of the incident on the target groups. The tone of the communication always conveys corporate attitude. Accordingly, communication materials such as holding statements, talking points or top-level FAQs must be well prepared.
Fundamental business decisions for the most likely attack scenarios should also be part of crisis preparation. Here, the corporate communications and risk management teams often need to interlock their preparatory work even more closely in order to prepare efficiently for given scenarios. Regular training and simulations are also part of integrated risk management. They may be time-consuming upfront. But in the event of an emergency, collaborative and well-trained teams are that one step faster when it comes to company-wide, coordinated, efficient crisis management and the protection of business continuity, corporate reputation and the overall value of the company.
But companies and their communications teams are not out there on their own: Industry round tables and national or global initiatives such as the BSI's Alliance for Cyber Security or the Charter of Trust offer valuable exchange and helpful networking among experts and peers when it comes to tackling risk management and crisis communications in the face of a global surge in cyber risks.
To continue the conversation:
Suntka von Halen
Co-Lead Cybersecurity Germany
E-mail: [email protected]