As a CFO, you are a top strategic partner to the board and the CEO. You are a de facto risk manager and communications specialist with a focus on the bottom line. Finance executives have an evolving role, and are more than ever concerned with new reputational risks — especially those related to IT security and data breaches, topics that are critical, emerging, and can be heavily complex and nuanced.
In particular, customer responses after a data breach can have unexpected, adverse consequences to an organization, a risk that has played out publicly numerous times.
Preparation — well before an incident occurs — can make all the difference in a later outcome. The governance of your cybersecurity program, the adherence to well-trod frameworks, and the creation of actionable, trackable metrics are key components of preparing for a breach or other public information security incident.
But what about your personal preparation? How can you be ready, in your own role as a risk manager and communicator, to talk simply about a data breach with investors, employees, your board, and your customers?
The quick exercise below can help. The goal will be to strip away the complexity around information security and keep your focus on the “bottom line” for the organization. Out of this exercise you can create a one-page reference point that can serve as your basis for a host of conversations around cybersecurity, before, during, or after a breach occurs.
What Do You Know?
If you feel your understanding of cybersecurity or data protection is not strong, start with an area where you surely are strong: your customer base.
Who among your customers would be most affected by a data breach? How do they consume information from you today — by mail, email, newsletters, through call centers, through social media? What are their primary concerns — are they individuals afraid of losing money or of their credit being affected, or are they institutions that are more concerned with reputational and regulatory risks?
If you provide services to a broad base of individual customers, your audience may be very diverse and consume a wide range of media, from print publications to Twitter and Facebook.
If you work in a business-to-business capacity providing third-party services to companies, you may also have a network of relationship managers who can contact important clients in a variety of ways. If you provide investor services, broker-dealer services, or pension management, your audience may have especially nuanced needs and require high-touch outreach. Finally, depending on your role, you may also consider your internal employees, the board of directors, or the CEO to be your “customers.”
Once you have sketched out a brief customer profile, you can also begin to understand the top concerns of those customers. Consider some of the communications vehicles that could be used in a cybersecurity event, and how you would reach out to and reassure these important individuals.
Finding the Communications Stakeholders
Now that you have a strong understanding of your audience, it is important to understand what kind of cybersecurity messaging already exists in your organization.
Make contact with your cybersecurity or information risk lead, in-house legal counsel, internal or external communications specialist, and any other client-facing communications specialist you may work with on a regular basis (investor relations, media relations, customer relations, compliance, etc.).
Ask these individuals how they view their respective roles in communicating about a data breach. Be mindful that depending on your organizational structure, there may be multiple plans and multiple templates. Or, if your company is not particularly mature in this space — if it is new to having an information security program, for instance — they may not have any communications in place. Further, regardless of the maturity of your organization, there may not be a strong understanding of who would take the lead in such a response, or of everyone’s roles and responsibilities.
If communications do not exist, ask your information security and communications leads to work together on creating a one-page “what if” response that could be used as a basis for any adverse information security event. If communications do exist, make note of who provides oversight and review of the existing documents, and ensure they reflect your understanding of the client concerns your business would face. Review any drafts and ensure a wide range of stakeholders and senior leaders have seen them, as you see fit.
What Is the CFO’s Role?
Now that you have clearly established your customers’ worldview on data breaches and gained a better understanding of how your company is prepared to talk about a cybersecurity incident, turn the focus back to your own readiness.
In the event of a breach, given all you know now, how would you personally be asked to respond? Could you speak competently to your management team, those in the executive layer, and members of the board about any concerns they may have?
Questions around cybersecurity insurance, anticipated consequences to financial filings, estimated costs of remediation (by providing credit monitoring for victims, for example), and concerns of reputational risk all may be on the table. You know the audience best — write out their anticipated questions, and how you would answer them. If there are gaps in your understanding, fill them with the help of the cybersecurity, IT risk, legal, and communications stakeholders you have already consulted.
With their help and these new insights, you now have the ability to create a baseline set of talking points that can help you articulate your customers’ needs and your company’s capabilities and readiness if and when the time comes.
A Critical Dialogue
An exercise like this one is by no means meant as a fix to programmatic difficulties or a lack of reporting in the information security space. But it does open up a critical dialogue. On the one hand, your conversations will allow your stakeholders to quickly take stock of how you view the reputational risk of a data breach, versus how they view that risk. The conversations will also highlight some of the roles technology and non-technology leaders will play when a data breach occurs. And, it is important to remember that a communications response, as outlined in this exercise, is just a single part of wider preparatory activities that go hand in hand with creating a robust information security program.
Cybersecurity as a practice has been around for decades. Just as your IT security professional may not be able to tell you the morning LIBOR rate, you will not be expected to explain the technical details of a data breach. But what will be expected of you increasingly is the ability to have a more sophisticated dialogue about how cybersecurity matters affect your clients and your firm, what is changing, and how your company governs and manages the cyber risk. This is one important step to reaching that sophistication.
Kate Fazzini is a principal with the Information Security and Cyberrisk Management practice at Promontory Financial Group in New York.
Data Breach Communications Checklist
Below is a brief synopsis of some simple steps you can take to better insure your own preparedness in the event of a data breach or other cybersecurity event.
- Customers: Take stock of your customers and the 6Ws of communicating with them about cybersecurity:
- Who are they?
- What kind of data do they store with you?
- Why would they care if that data was lost?
- When would they want — or need — to know about an information security matter?
- Where do they consume information from or about you?
- How can you best reach them?
- Colleagues: Gain a greater understanding of roles and responsibilities for communicating about cybersecurity generally.
- Know the top stakeholders in any communication effort involving cybersecurity — internal or external.
- Talk to them about what kinds of communications or talking points already exist on the topic.
- Ensure they are mindful of the need to have templates in place for communicating with clients about these specific issues. If communications exist, read them to be sure you can understand them and that they reflect your view of the customers and reputational risks you face.
- CFO: As a CFO, brainstorm any high-level questions you anticipate after a data breach or other cybersecurity incident.
- Write down the questions you think your CEO or board would ask (or have asked) about cybersecurity, and take note of any gaps in your knowledge.
- Fill the gaps.
- Repeat.