The cybersecurity breaches this month of Equifax and Deloitte—both firms that tout the value of their data and security acumen—show that no company is immune to hacking.
But there is one thing that smart companies can do, both before and during a breach, and that is to develop and deploy an appropriate narrative when a security disaster strikes. That narrative needs to hew to the facts, take into account the known unknowns, and appeal not to shareholders or the press but to customers and regulators. Done right, these statements can differentiate between a recoverable data breach and a cybersecurity-related corporate disaster.
What makes this so difficult for companies and CEOs is that the right response often goes against all they’ve learned about positioning the company. Let’s dissect those impulses.
- Shareholder value is intact. A company sees shareholders as its most important constituency and wants to reassure them. Actually, you have no idea the impact on shareholder value, because you have no idea the full extent of the breach, how the market will receive it, and how customers and regulators will react. Incorporating this concept into any narrative is ill-advised at best.
- We have this under control. Company leaders do not want to exhibit weakness. However, as part of an initial statement, there is only a remote chance that the situation is under control. It takes time to learn the extent of a breach, both its breath, duration, and ultimate impact. Far better to say you are working with experts, regulators and consumer advocates to understand the extent of what may have been compromised, and that you are pushing forward diligently in this regard.
- We are doing all we can to mitigate the effects. Company executives often have a bias toward action. You may want to do that, but that’s impossible until you discover the scope of the data loss. Regulators are not interested in immediate solutions. They want to know that you are doing all you can to learn about the situation, not the specifics about the Band-Aids or tourniquets. They want to know your long-haul commitment.