With cyberattacks growing in complexity and size, the last thing a financial institution needs is to be its own enemy.
Yet, in my capacity helping large banks deal with information security risk, I have observed financial institution leaders make decisions that exposed their organization to greater cyber risk. I have also seen breached institutions make errors that could further harm the company and its brand.
Critical mistakes made following an attack will not only hurt a bank’s reputation in the eyes of its customers, but could also breed disillusionment with employees and impair their trust in an organization’s leaders.
Here are four principles to avoid making an already dangerous threat environment worse.
Silence isn’t golden
Customers, employees and shareholders need to learn about the breach or attack from the chief executive or the company spokesperson first. This isn’t always easy.
As outlined in the Verizon Data Breach Investigations Report, the majority of breaches are discovered by law enforcement. Yet to aid their own efforts, chief information security officers still need to form a crisis committee through the executive team as soon as possible. This team needs not only to detail what steps the bank can take to protect itself, but also to build a plan that details how executives will inform their employees and customers when an attack occurs.
If the bank responds too slowly, with incorrect information or with no solution for the customer, the bank will damage its reputation. JPMorgan Chase, the U.K.-based Tesco Bank and other institutions hit by large breaches that have made headlines in recent months underscore how important it is for companies to respond quickly and professionally — with their customers in mind.
Only communicate the facts
You need to communicate early and transparently, but keep your communications limited to the facts. Avoid guessing how large the attack is. Unfortunately, the damages of a breach are often bigger or wider than initially understood and mitigations and forensics can take longer than scheduled.
How many times have organizations had to restate the number of records stolen in a breach or the type of personal information that was compromised? Dozens. This information, while important in terms of security, is not important to your customers. Therefore, there is no need to provide every specific detail.
To prepare for crisis communication, you can also set preapproved communications that you can tailor during a crisis. In the messages, make sure to communicate to your customers what steps the bank is taking to fix the problem.
Learn from other banks’ example
The financial industry has the largest number and most diverse types of attacks.
Over the past several years, smaller financial institutions have been targeted more often because they typically lack cyberdefenses sophisticated enough to stop the new strains of advanced persistent malware. Larger financial institutions, meanwhile, are seeing more fraud because hackers are stealing personally identifiable information or credentials, as more customers access their accounts through vulnerable mobile devices that criminals can easily hack.
The silver lining is that ideas and solutions for institutions developing a cybersecurity plan are born out of this adversity.
Financial industry leaders are joining forces to create a knowledge base of threats and zero-day exploits to track attack trends like malware strains and indicators of compromise. The Financial Services Information Sharing and Analysis Center, a nonprofit created by banking industry members, shares cyberdefense strategies. Organizations like the FS-ISAC, which was founded in 1999, have gained momentum in membership. The FS-ISAC, for instance, has matured in encouraging smaller financial institutions to participate, including discounts on fees to become a member and other incentives.
The customer comes first — every time
When leaders of organizations emerge through the clouds of smoke from a semicatastrophic breach, they must put customers at ease by addressing their needs. Leaders should share how they will protect customer losses and explain how the company will upgrade its defense.
IT security executives should learn how to discuss these concepts clearly to internal stakeholders and customers about what they can expect and why they should feel protected.