What your commercial clients forget to do after a cyber breach


Commercial clients who suffered a cyber data breach may be inclined to quickly pay the ransom and get back on their feet, but brokers should advise their clients not to forget about post-breach communication with their customers and employees. 

If both parties are kept sufficiently in the loop, commercial clients may be able to minimize their reputational harm and can offer amends to those affected—but be advised that any monetary or credit remedy may not be covered by the policy. 

“Poorly considered communication with stakeholders and customers post-incident can really lead to a loss of business and increased liability,” said Katharine Hall, cyber practice leader, Canada at Aon. “You do need an action plan after the breach.” 

All stakeholders—including public regulators, business partners, employees—need to be communicated with in a proper, timely and effective way, even if the cyber investigation is ongoing. 

“You need to strike a balance between what to say, when to say it and to whom,” said Brian Rosenbaum, managing director, claims at Aon. “Silence is never good…but overstating, understating and speculating, are also not good. 

“What you need to do is to try to make reasonable statements based on the known facts that you have today, and then correct or amend as more facts are known,” he said. “But staying back and waiting…is not the right approach.” 

An external communications expert may be ideal for handling PR crises, advised Ed Martingano, vice president of risk management at Oxford Properties Group. 

“You really should engage an expert and, I would advise, an external expert,” he said. “We have a communications department, and they’re very good at messaging our story. But in a crisis, and in something that’s very specific, you want experience, you want knowledge and [someone] to say, ‘We’ve done this before, we know what we’re doing.’”


While your commercial clients should make sure they’re quickly communicating with their affected customers, keeping employees in the loop is equally important.

“Make sure you tell your employees what’s going on,” said Rosenbaum. “Many organizations forget to do that…they can be your best ambassadors or your worst nightmare.” 

But beware that any information on the breach that you share with employees will likely be spread to the public, added Martingano. 

“Acknowledge that whatever you communicate to the employees is going to be public, despite the fact that you tell them it’s confidential,” he said. “Be prepared for that and know that you’re going to be releasing additional information to the public.”

Commercial clients should also consider giving a remedy to consumers harmed by the breach to earn their trust back. 

“But bear in mind the remedy that you likely give, whether it’s a credit voucher, rebate or something of that nature, is not covered under cyber insurance,” said Rosenbaum. “Make sure that you understand that before you do it.” 
