6 Steps for Communicating in a Cyber Crisis
A recent study by UK researchers shows a company’s potential to protect its reputation and business during a cyber crisis depends in part on its ability to effectively address the negative emotions customers and other stakeholders feel as a result of the incident. For them, it’s a violation of trust that an organization can best address by demonstrating empathy and accepting responsibility for fixing the situation.
Cyber crises seem to be everyday occurrences now and have evolved significantly to include major institutional threats such as malware, ransomware, distributed denial of service (DDoS) attacks, spam and phishing, and corporate account takeover (CATO). My first related crisis was a data breach that occurred more than a decade ago, before there was a playbook. A bank had lost personally identifiable information for two million customers of one of its business units. The data was ultimately recovered and not breached, but the company’s response established the fundamentals for responding to today’s cyber incidents, particularly in how to meet the emotional needs of customers and other stakeholders. Here were the keys:
1. Top management led the crisis response. The bank’s CEO headed the crisis team while the COO directed the day-to-day activities of each department, from legal to customer service. Clear lines of authority and responsibility were established for every member of the crisis response team.
2. There was timely disclosure. The bank expeditiously completed a preliminary investigation so it could communicate with facts and describe the steps it had taken and was prepared to take to address the situation.
3. The spokesperson was highly credible and connected emotionally with customers. The bank chose the business unit CEO as its spokesperson. He was a customer himself and knew how his two million clients felt. As a result, he was straightforward about what the bank knew, how it was working to resolve the situation, and how it would prevent it from occurring again. He credited spokesperson training with helping him step outside his “finance” persona and communicate in a way that resonated with customers, using messages that demonstrated that the bank’s leaders understood their concerns. Importantly, he was highly visible throughout the crisis: he communicated directly with customers, employees and other stakeholders, and he was accessible to the media.
4. The company provided a solution, even though it was costly to them. The bank began the hard work of restoring a sense of security by offering free credit monitoring to every customer for at least three months—long before free credit monitoring was a reflexive organizational response to data crises. Although the bank’s data was ultimately recovered without ever being breached, the credit monitoring offer gave customers control over their ability to watch for potential impacts.
5. They never played the “blame game.” Instead, the bank focused on working cooperatively behind the scenes with its vendor to retrieve the data without further incident and resolve the situation.
6. The bank changed how it managed customer data. Even before the situation was successfully resolved, the bank began work on changing its processes and procedures for managing customer data.
Today, Preparation is Critical
While these remain the basics for communicating in a cyber crisis, companies today have to do more. For example, advance scenario planning is crucial, particularly since the types of incidents that are likely to occur are well known and unfold quickly, with potential impacts that can be catastrophic.
Consider how your organization would actually communicate if the technology systems it relies on were compromised by ransomware. Scenario planning should also include preparing preliminary communication materials, conducting crisis response simulations, and having ready access to operational details, such as the regulatory requirements of each jurisdiction where your company operates.
Advance communication planning and preparation for a cyber crisis means an organization can respond most effectively to protect its business, including by anticipating and addressing the emotional needs of its customers, employees and other stakeholders.