How can organisations prepare to communicate in a cyber crisis?

Ahead of this year’s Crisis Management Conference, Regester Larkin’s chief executive, Andrew Griffin, looks at how organisations can prepare to communicate in a cyber crisis.

Organisations must be prepared to face any sort of crisis, from major physical incidents to scandals and performance failures. According to our recent crisis management survey, organisations are more confident in their ability to respond to familiar risks, such as industrial accidents and extreme weather events, than they are unfamiliar risks. For most, a cyber attack is unfamiliar territory. Yet cyber risk is a key commercial and reputational vulnerability that has moved quickly up organisations’ risk registers in recent years.

As with all aspects of crisis communication preparedness is key. The unique dynamics of a cyber crisis need some special attention. Here are three tips for organisations getting ‘cyber crisis ready’.

  1. Plan the logistics of communication

All organisations should have a crisis communications plan but few of these plans consider the logistics of this. A cyber crisis might require direct communication with consumers, customers and stakeholders, sometimes with important information about actions they should take. But a cyber attack could debilitate normal communication channels, most of which don’t have the capacity to reach large numbers in short time periods. And, of course, internal systems may have been directly impacted, isolated or disconnected to contain the attack. Thinking through these realities during peace time is an invaluable time saver in a crisis.

  1. Don’t be a victim

Even if an organisation is the ‘victim’ of a cyber attack, it can never play the victim card.

Stakeholders may feel let down: an organisation they trust has failed to protect their interests. They must feel that you understand and regret that they have been impacted by the cyber attack. The watchwords here will be care, concern, containment and control. Containment in particular is hugely important in a cyber crisis. If the organisation cannot put a fence around what has happened, the assumption will be that the situation is out of control and uncontained. The last thing stakeholders want in this situation is for the organisation to play the victim card: they want to see action and hear the right emotion.

  1. Ensure you know the facts

A cyber crisis, again like most crises, is characterised by a lack of information in the early stages. What exactly has happened here? What has been compromised? What information is lost? With a cyber incident, the lack of knowledge is about other people’s information and details. Knowing what the organisation does and doesn’t hold on its customers, employees and consumers is the most important step. The organisation’s spokespeople (many of who will find the whole ‘cyber thing’ very unfamiliar and confusing) will need to be reassuring wherever possible.  Knowledge is key: information should include what data is held on customers, how the data is stored and details of the organisation’s investment in cyber resilience.

We have seen through a series of recent high profile data breaches that cyber attacks can have significant commercial and reputational impacts. Preparedness is the key to successful response.

The Crisis Management Conference will be held on Wednesday 14th September in London. For further details on the programme and how to register, please visit the CMC website.

Buncefield: Ten Years’ On

buncefield fire

 

 

 

 

 

 

 

 

 

 

 

 

This month sees the 10th anniversary of the fire at the Buncefield Oil Terminal near London. The explosion that started the fire was the largest in peacetime Europe, measured 2.4 on the Richter scale and could be heard as far away as The Netherlands. Thankfully, no-one was killed as the incident took place early on a Sunday morning and so the busy industrial estate opposite the site was almost deserted.

The terminal was majority-owned and operated by Total, with Chevron owning a minority stake. I was part of the Chevron in-house team that managed the communications in the immediate aftermath of the incident, and helped to protect the company’s reputation during the official investigation and legal cases that followed.

Widespread media interest

In the first three days after the incident, we had 350 media enquiries and a considerable volume of calls from people and businesses in the local community that had been affected.

Understandably, the local press was mainly interested in the impact on the surrounding community whilst the national press focussed on the M1 being closed and potential supply shortages. The forecourt, commercial fuels and aviation trade press covered the short and long-term supply implications, insurance journalists wanted to know who we were insured with, the legal publications asked us who was providing litigation support, and the business pages and newswires looked at the financial costs of the incident.

We also had media enquiries from around the world where Chevron had other facilities, asking what we were doing to make sure that this didn’t happen in their community.

Recognising that key to managing the incident well would be timely, aligned and accurate responses, within hours of the explosion, the two in-house communications teams at Total and Chevron took a number of joint steps. Firstly, we enlisted staff from a PR agency to provide additional support for the joint venture to deal with the volume of calls. Secondly, we established a short sign-off procedure involving a UK business leader, lawyer and communicator for each company. This meant we were able to deal with enquiries quickly – which would have been difficult if we had needed approval from our US head office eight time zones away. We also appointed a knowledgeable site manager as media spokesperson as we recognised the importance of a having a real person representing the joint venture at the terminal during the incident.

Whilst the lawyers made sure that any official communications were appropriate from a legal perspective, as communications practitioners, we ensured that how the companies responded considered the needs of the people who were asking or were affected i.e. making sure that what we said was reasonable.

Vital role of communications

For example, it took a number of years before the official investigation determined who was responsible for the incident. However, the two companies that owned the terminal made a decision, without admitting liability, to support the local community financially, both in the immediate aftermath of the incident and in the rebuilding process, rather than wait for the investigation to be completed. I think this was the reasonable thing to do.

Providing the information, access and support that the official investigators needed to do their jobs certainly helped to demonstrate that we also wanted to find out what had happened and to try and learn from it. I think this was one of the reasons why the official investigators sent us their findings prior to them being released to the public and this meant that we were able to have our spokesperson, agreed response and updated reactive Q&As in place by the time the media started to call.

I’m proud of the fact that although Chevron and Total were in dispute about responsibility for the incident, the communications teams continued to maintain a good working relationship throughout.

One thing that I learned from Buncefield was the importance of building long-term relationships with key stakeholders at a time when you don’t need them. As Chevron was only a minority shareholder in the facility, we left our joint venture partner to build and manage the site community relations. As such, Chevron didn’t have the relationships with the local community or MP before the incident and it was much harder to build these after the incident took place. The learning is – if you have some responsibility for an asset, time invested in local stakeholder management is always worthwhile and can pay real dividends if something goes wrong.

Daniel Schraibman was a Senior Communications Adviser at Chevron and is now a director of communications, coaching and business consultancy firm, Serekinti