From the course: Cybersecurity Foundations

Communications plan and notification

- [Instructor] One of the critical activities in any incident response is communications. It's particularly important to get this right when we have to prepare our senior executives to face interviews with the media. Doctors Knight and Nurse are two British researchers who've developed a practical framework for effective corporate communication in the event of a data breach. It covers the preparation of the communications plan in advance of an incident and execution of the plan as part of the response. The pre-crisis component of the framework covers five objectives as shown. It requires that we establish and prioritize our long-term aims beyond just the response. This might include protecting our stock value, our brand, and our ability to trade. We need to determine security gaps so that we're not caught flat-footed in the event of weaknesses in our system that might have contributed to the incident. Better we know about and explain them than be caught unawares. We need to make sure before we have an incident that we do have the capability to respond to a crisis, both in terms of tools and skilled staff. We can gain a lot by making sure our response plans include working with our partners and key organizations in our supply chain. We'll have a more effective response and we'll be prepared to communicate with a unified voice. Last but not least, we need to perform regular rehearsals and testing to make sure the response plans work and that we're experienced in following them. When we experience an incident that has an external impact, we'll need to decide when and how to disclose it. The framework provides for the two situations: firstly, where we are required to disclose it, and secondly, where we choose to disclose it to avoid potential downstream issues of being perceived to be hiding it. Having made the decision to disclose, we then need to address the main points of our disclosure.
Can those impacted by the incident mitigate the risk, for example, by changing their credit cards? We need to be able to say what has been lost, its impact, and provide a point of contact for any questions. We'll also be asked and need to have an accurate answer for the size of the breach. We need to be mindful of what interpretation the media may put on this, and ensure we establish our own interpretation of the incident. The way we frame the message will have a significant bearing on how it's interpreted. There are four key things we need to do. Accept responsibility for having let data in our care be breached. Avoid trying to make the incident less important than it is, because the truth will out eventually. Be aware and make a point of addressing the fact that those impacted, our staff or our customers, may feel quite vulnerable as a result of their data being potentially made public or misused. Finally, it's important that we don't try to blame someone else for the incident. Even if the weakness came from a service or product we're using, it's our responsibility to make sure these are fit for purpose. By this point, we've had an incident and we need to make as good an impact as we can under the circumstances. Being upfront and taking responsibility will go a long way to mitigating the long-term impact. It's likely that for a significant incident, the person who has to face up to the regulators and media will be the chair of the board or the CEO. In addition, there's an increasing focus from regulators on making directors accountable for cyber incidents and data breaches in particular. An example of this is the U.S. Securities and Exchange Commission ruling that came into force in December 2023. This requires public companies to disclose material cybersecurity incidents within four days and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy and governance.
In addition to disclosing the governance processes, directors will need to be able to evidence that they've in fact provided effective oversight of cybersecurity. There are guidelines that directors can follow in governing cybersecurity. Ensure CIOs provide effective cyber resilience for IT systems. Ensure cyber resilience is a critical project success factor. Cybersecurity is about managing risk and requires separation of duties. So the CISO should report to the chief risk officer, not the CIO. Acknowledge that security is never perfect and ensure CISOs are able to effectively detect and respond to a cyber attack. Finally, ensure IT systems are checked and approved for operation on a regular basis, a process known as accreditation, and ensure our board-level risk and resilience dashboard is maintained.