Fighting back against ransomware in the wake of the Royal Mail cyberattack: What you need to know
As cyber incidents become an increasingly prominent part of the news agenda and hostile actors increase the sophistication of their approach (as illustrated by the recent ransomware attack on the Royal Mail), companies from all sectors are bracing themselves for the inevitable intrusion into their networks. How should businesses prepare for a cyberattack, and what can they do to manage the impact on their reputation?
On 3 March 2023, FGS Global’s UK Crisis Communications Practice hosted a panel discussion with experts from law, cyber resilience, and insurance to explore the evolving threat landscape and the key points that companies should have front of mind when assessing their cyber preparedness.
You can watch the webinar here and find our top takeaways below.
1. Dealing with a ransomware attack is a leadership and people issue
LockBit’s ransomware attack on Royal Mail is a further reminder of why cybersecurity is one of the most pressing and urgent challenges facing Boards.
Dealing with a major cyber incident can be a serious test of a company’s resilience and culture. It is one of the few types of crisis that can threaten business continuity while at the same time damaging an organisation’s reputation with key audiences, including its customers and colleagues. That combination can exert huge pressure on even the most experienced leadership group and place intense scrutiny on teams across the business, including operations, IT, legal, HR and communications.
In these highly pressurised situations, companies should keep one principle front of mind: a cyber incident is about people. A company must put the people that matter most – whether they be customers, employees, investors or partners – at the heart of its communications approach, with strong and effective leadership absolutely fundamental to an effective response.
2. Have a policy on ransoms
Ransomware is not a new phenomenon but a recent spate of increasingly sophisticated and aggressive attacks on high-profile businesses has thrust the issue firmly into the spotlight. So too has the evolving sanctions regime in many jurisdictions, including the UK: last month the UK and US governments sanctioned seven Russian cyber criminals in what is the first wave of new coordinated action against international cyber-crime.
As a result, sanctions risk must now be a critical consideration for companies suffering a ransomware attack if they are to avoid potential civil and criminal enforcement action. In leaked negotiations between Royal Mail and LockBit, it was revealed that Royal Mail had been very clear that it was not going to pay the ‘absurd’ amount demanded by the attackers.
Ideally Boards will establish a clear policy on ransoms as part of their crisis and risk planning. It should never be the case that companies are developing corporate policy in the midst of the maelstrom of a crisis, especially on an issue as critical as this. Given the frequency of ransomware attacks and the implications of paying a ransom, Boards must get ahead of the issue, define their position and mark their line in the sand. Doing so not only saves companies valuable time in a crisis but can also help inform a company’s strategy and approach from the outset.
As part of their planning, companies must also be mindful of how hostile actors are evolving their approach, both in how they communicate privately in negotiations and in how they communicate publicly, as evidenced by LockBit publishing what it claimed to be the full transcript of its negotiations with Royal Mail.
3. Availability and quality of backups determines speed of recovery – and arguably negotiating stance
A company’s IT infrastructure and capability are of course critical to effectively managing a cyberattack, as are its incident management and business continuity plans. How quickly an organisation regains access to its data and restores its systems is largely determined by the availability and quality of its backups, but it is the company’s public response and the way it communicates that will shape opinions.
If backups aren’t available or have been encrypted, an organisation can face a very drawn-out process to complete a full rebuild of its data and systems, often lasting weeks or possibly months. Such a situation can also fundamentally change the nature of how a company manages the crisis and, if necessary, deals with the hostile actor.
4. Make sure you are covered
Much has been published in the media in recent weeks about cyber insurance and whether cyber might ultimately become an uninsurable risk.
What happens in the future remains to be seen but for now, at least, we understand there to be a wide range of policies in the market that cover ransomware, even if some sub-limits have been introduced.
Insurance should be paired with robust cyber hygiene and education to promote overall cyber resilience. The cover available depends on the level of risk a company presents: a company with poor controls and procedures will find it much harder to get sufficient cover than one with strong and tested cyber infrastructure and clear cyber preparedness plans.
Importantly, insurance is there to help companies recover when security fails, and it goes far beyond the payment of ransoms in doing so: policies also provide access to expertise and indemnity coverage for business interruption and third-party costs.
5. The key to effective communications is preparation
Informed, coherent and timely communications are the frontline of a proportionate and effective response to any breach and, done well, can be a real competitive advantage. However, this requires informed and decisive leadership and institutional preparedness. Companies need to establish a highly integrated cross-functional team and a joined-up response protocol, including a cyber communications plan with a clear roadmap for what, how and when they will communicate with key stakeholders (employees, customers, regulators, investors and partners) in the event of an incident. We see great value in developing a comprehensive cyber communications plan to ensure you are well placed to provide a timely response if an incident occurs. Put simply, that means a cyber communications playbook: overarching messaging about how the company treats its proprietary data, FAQs, an incident response plan, checklists of actions to manage a live crisis, a social media strategy, call handling guidelines, and more. Alongside this, a thorough understanding of regulatory compliance, possibly involving multiple jurisdictions, is critical.
Once these protocols are agreed, practice. Organisations should conduct regular cyber simulation exercises so they can understand how incidents evolve, increase their familiarity with their plans and procedures, and practice working as part of an integrated cross-functional response team.
With thanks to our host, Jenny Davey (Partner and Co-lead, UK Crisis Practice, FGS Global), and panelists, Simon Shooter (Partner and Head of the Cyber team at Bird & Bird LLP), Jamie Smith (Head of Cyber Security at S-RM), Tom Egglestone (International Claims Leader, UK & Europe, Resilience) and Charles O’Brien (Partner and Co-lead, UK Crisis Practice, FGS Global).