When the Data Breach Hits

By Laura Barnett

Unfortunately, it’s not a matter of “if,” but rather “when” a bank will be the target of a computer hack or cyber-attack.

There is a good chance that the first news of the data breach will come from credit card companies reporting that customers are complaining en masse about unauthorized or cancelled charges. That “drip-drip-drip” of complaints may soon turn into a flood, so get ready.

Given the speed of business, communication and news these days, you won’t have time to formulate a plan to respond after the crisis begins to unfold. The time to prepare is now, so that when the dominos start falling, you are well equipped to maintain as much control as possible.

Constant media deadlines and multiple social media platforms (Facebook, Twitter, etc.) intensify the need for a well-planned strategy that is easy to execute.

There are technical, legal and operational issues. Although bank executives may feel they have quite enough to contend with in those areas alone, don't forget that communication, both internal and external, is needed across the entire enterprise.

And, you will undoubtedly have to communicate with key audiences before you have all the facts. Typically, you will not have any of the key facts confirmed when you get word through third parties or social media that an issue is underway.

Getting prepared

Fortunately, there are several questions for which you can prepare responses ahead of time. Notice that we didn't suggest that you answer every question. However, you do need credible responses that convey your message and what you're doing to return services to normal as soon as possible.

Also remember that you will need to tailor different messages to different audiences—reporters, customers and the general public. Hopefully, the reporter or customer will call customer service, but they may also be trading rumors on social media. Be prepared to respond to inquiries on a variety of media platforms simultaneously.

Here is a list of questions reporters will likely ask:

  • I have heard that your bank has been hacked. Can you confirm or deny this?
  • How many customers have been affected?
  • What information did the hackers get? Social Security numbers?
  • What other kinds of customer data?
  • What have you told customers?
  • Who’s to blame?
  • Are you going to change your IT/security providers?
  • When did you detect the problem?
  • Did you have any warning signs?
  • How long were you exposed before discovering it?
  • Why did you wait to announce it?
  • What are you trying to cover up?
  • What kind of liability do you have?
  • Will you pay for credit counseling for customers?
  • Has this happened before?
  • Have you notified your regulators?
  • Are you confident you have identified and blocked all the intrusions?
  • Do you have insurance to cover this?
  • Are you going to apologize?
  • What if you do not find out who’s responsible?
  • Is this a criminal event, hackers displaying their abilities or terrorism or sabotage?
  • Can you guarantee this will never happen again?

You may receive questions of a highly technical nature, not just the boilerplate questions seen above. It is imperative that you have access to a colleague with technical expertise who can advise the spokesperson accordingly:

  • Does your IT department regularly send simulated phishing emails to employees to see whether they open them, since phishing is a primary way that attackers gain access? (The technique is controversial, both as an invasion of privacy and because so many scam emails look so realistic that lots of employees inevitably get caught.)
  • Experts say that hackers are increasingly gaining access to financial institutions through third-party vendors or smaller financial institutions that may not have adequate security measures. What have you done to audit the security provisions of the enterprises you do business with? Can you guarantee they all have the proper security in place?
  • Critics say that Security Information and Event Management (SIEM) systems, also called Security Event Management (SEM) systems, are an ineffective architecture with a high ratio of false positives. Are you using one?
  • Did you have Intrusion Detection Systems (IDS) in place?
  • What about sandboxing as a preventive technique?

The next step after brainstorming the potential questions you may face is formulating your responses. Getting your arms around the questions will give you insight into your preparedness.

Merrie Spaeth, president of Spaeth Communications, Inc., cites a proprietary influence model that she encourages banks to use to make sure they are asking the right questions, including: Who is the audience? What channels do you have to reach them? Who is the spokesperson? Are you prepared to react?

Your crisis strategy should be practiced regularly and should be part of your overall communications policy, which should be reviewed and enhanced as needed.

Are you prepared for the inevitable?

Laura Barnett is vice president of Spaeth Communications Inc., Dallas. The company is a strategic consulting, training and crisis communication firm.