Cybersecurity Planning

What role should public relations play?

by Megan Fort

CUES’ Credit Union Management’s online-only “PR Insight” column runs the first Thursday of every month. Cybersecurity Planning

The prevalence of widespread, nonrelated data breaches in the last year continues to spawn conversations about proper cybersecurity technology defenses, risk mitigation tactics and compliance mandates. For credit unions, these events have brought additional attention to the proactive protection of members’ information as well as to their own preparedness to react and respond. In August, the National Credit Union Administration suggested 10 cybersecurity areas for credit unions to keep in mind when it comes to examinations. Under the final recommendation, Incident Response and Crisis Management, was the mention of public relations.

Hopefully very few, if any, credit unions today are without a crisis management plan. However, truly comprehensive plans span incidences beyond natural disasters, such as cybersecurity breaches, and also zero in on the credit union’s response protocol, which should comply with NCUA’s Rules and Regulations Part 748 Appendix B.

A recent study sponsored by IBM reveals the average cost of a data breach is $3.5 million, a more than 15 percent increase over the year prior. This number does not take into account the impact on intangibles, such as the effect on the credit union’s reputation or depletion of loyal members, which do eventually hinder the credit union’s performance longer term.

As part of updating CU response policies and risk assessments, NCUA recommends that credit unions also check their insurance coverage “to ensure they have adequate protection in place to reimburse them for costs associated with such things as business interruptions, legal fees and public relations initiatives to protect or rebuild the credit union’s reputation.” This language implies that a credit union can be subject to regulatory scrutiny for not properly preparing, documenting and – if necessary– executing an effective and clear communication response following an incidence such as a breach. In most cases, an efficient response means minimal cost and optimal containment of damages.

Here are some basic steps credit unions can consider when creating their own PR plan for incidence response:

1. When a widespread retail breach occurs, gather the information available to first consider if it possibly reaches any members and develop an accurate understanding of the situation.

2. Organize the predefined crisis communication team to discuss the situation, credit union’s position and all the necessary responses. Also identify a single spokesperson to deliver any external statements on behalf of the organization. The primary goal is protecting the institution’s reputational integrity.

3. Draft FAQs to be the foundation for external and internal communication, and give them to spokespersons to help answer all questions that may be asked by employees, members, vendor partners or the media – as the questions and responses could vary between groups.

4. Decide on various communication tactics to be pushed at different times over the course of the event, each with the goal to either offer additional information or call to action. Deliver the news first, to all appropriate publics, and then issue updates as available:

  • Detail who will receive notice of major interruptions and how they will be communicated.
  • Develop a letter to members using the information included in the FAQ document and issue it within 24 hours. Genuinely express concern and communicate what the credit union is doing (or plans to do) as resolution.
  • Create a microsite or, in the least, a banner on the website to provide additional information with a time stamp of when it was issued.
  • Address inbound inquiries.

5. Be prepared to communicate to the media. Some crises may require issuing statements to the media, the method of communication varying based on the type of crisis (scale) and the scope of media interested in the crisis. Other crises are internal issues and, therefore, may not involve the media.

6. Assign one person to adjust the schedule of and monitor inbound communication on social media, blogs and other outlets. For instance, contradictory messages on the credit union’s website or an inbound Tweet inquiring about the issue should not be ignored or answered haphazardly.

After any crisis, it is important to debrief with the crisis management team and evaluate the plan for any necessary modifications and additions. Have this step noted in the plan itself, to represent an awareness that such a plan is meant to be a living document. Document the assessment process each time it occurs as well as the plans for future adjustments.

Just as routine updates to risk assessments and information security policies rank high on examiners’ checklists, so do credit unions’ response plans for communicating about a crisis and minimizing its reputational detriment. Do not limit public relations planning to promotions and brand awareness, but recognize it as a powerful force to mitigate negative publicity, member dissatisfaction and unnecessary costs in the event of a crisis.

Megan Fort is a senior account agent at William Mills Agency, the nation’s largest independent public relations firm focusing exclusively on the financial services and technology industries. The agency can be followed on Twitter, Facebook, LinkedIn, or its blog.