Mon, Jul 9, 2018

Minimizing Reputational Damage After a Cyber Breach: Case Study

This post is the fifth in a six-part series based on an interview with Jason Smolanoff, Senior Managing Director, Global Cyber Risk Practice Leader, and Andrew Beckett, Managing Director and EMEA Leader for Kroll’s Cyber Risk practice. The 30-minute interview was conducted by Legal Week’s Dominic Carman.

Reputational damage is one of the worst outcomes for an organization after a severe cyber incident; worrisome examples abound in the media. Are GCs aware of the potential cliff-edge that may be in front of them or what to do about it?

When a breach occurs, one of the primary goals is to mitigate reputational harm, and Jason shares a real-life example to demonstrate a few options.

Several years ago, Jason relates, a multinational organization was attacked by a nation state. The attack was uncovered around August of that year, and the organization had an SEC filing coming up in September. The company chose not to disclose the breach until it could determine the full extent of the cyber attack.

First, Buying Some Time

If a company cooperates with U.S. law enforcement, it will allow for a stay of any kind of mandatory disclosure that a company would normally have. In this case, the company crafted a law enforcement referral letter and law enforcement agreed to cooperate. That effectively stayed the company’s disclosure obligations for a reasonable time as determined by its general counsel.

Then, Full Forensics Investigation and Internal/External Communications

Once the investigation was done and the company knew what happened, it was able to properly communicate with its employees and clients. It did the SEC filing in December, which was then followed by the mandatory public disclosure of the breach. As it happened, it was an election year and the disclosure was published the morning of a presidential debate.

The story was still out there, the public could see it, but it wasn’t the biggest news that day. The reputational damage that may have ensued was contained to some extent.

Read the full Q&A transcript

Dominic: Loss of reputation is probably the worst thing that could happen to a company ultimately, even if they don't perceive it to be such. But there are many well-known examples in history. And they can be lost instantly through certain things happening and not least, a major cyber breach. How aware do you think GCs are of that potential cliff-edge that may be in front of them?

Andrew: I think that brand damage is something that is increasingly in the forefront of a GC's mind when they're thinking about cyber and cyber incidents. Although the research that we conducted with Legal Week recently has shown that again, there are large regional differences in that. And part of that, I think, is historic. Most of the well-reported breaches, and particularly those on a very large scale, have happened in the traditional Western markets. And that's where the examples are of brand damage, share price damage that GCs and boards worry about so much. In Latin America and Sub-Saharan Africa, they've not had those examples. And so the case is the press coverage of such incidents are far fewer. And therefore, the GCs don't appear to have them on their radar to the same extent.

Jason: And to that point, there are definitely strategies that companies can use and that we've worked with companies to implement, to help to minimize their reputational risk with respect to breaches. And I can give you an example. A few years ago, we did a very large incident response for a multinational company who was attacked by a nation state. The attack was uncovered about August of a particular year. And this company had an SEC filing coming up in September. They weren't ready to actually make that disclosure yet because we didn't really know exactly the full extent of what had happened. So to minimize that, if you cooperate with law enforcement, at least in the United States, it will allow for a stay of any kind of mandatory disclosure that a company would normally have.

Dominic: Buy you time.

Jason: Exactly. So, what we did was we carefully figured out where we were. We crafted a law enforcement referral. Law enforcement agreed to cooperate. That effectively stayed their disclosure obligations for a reasonable time. And I know there's a lot of GCs out there who can define reasonable in a variety of ways. And then ultimately, once the investigation was done and they knew what happened, they were able to properly message to their employees. They messaged to their clients. File their SEC filing in December that came afterwards. And then the public disclosure that they were required to do, it just so happened to be an election year in the United States. So, they made the public disclosure in the paper the morning of a presidential debate.

Dominic: Burying bad news. 

Jason: Burying bad news. So, you know, it was still out there. It still happened. You could still see it. But the reputational damage that may have ensued had been mitigated to some extent.

 

Additional Resources:

 

 


Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.