Cyberattacks are bad, but know what's worse? A cyberattack that is then punctuated by an incomplete crisis management strategy and an ever-changing message.

Melissa Ventrone, a partner at Clark Hill PLC focusing on data privacy and cybersecurity, pointed to Target, Equifax and Facebook as examples of crisis management strategies that exacerbated preexisting problems. As she explained, “Once we say something, we have to expect, whether it's internal or external, that it's going to be public.”

Ventrone moderated the “Crisis Management 101: Reputational Risk & How to Develop an Action Plan for Immediate Response” panel at SuperConference 2019, where she and the assembled in-house counsel ran through six keys to developing a proper crisis management strategy. The in-house panel included Linda Dubnow, senior director and assistant general counsel at TransUnion; Stephanie Seay Kelly, general counsel and chief compliance officer at Chicago State University; and Kristopher Keys, deputy general counsel and chief compliance and ethics officer at Exelon.

Key 1: Preparedness

It may seem simple to say that counsel should be prepared for a crisis, but it's a step that cannot be taken lightly. As Dubnow noted, “Taking the time and making the investment in developing a well thought out and issue response program … can help you develop structure and consistent responses, and to deliver them with expedient efficiency.”

Kelly broke down preparedness into two buckets: preparing for the foreseen crises, then developing a skeleton to apply to the unexpected. She noted that as Chicago State is a public campus, active shooters and public health concerns are obvious risks. But if a situation arises such as, say, the deadly Unite the Right rally near the University of Virginia, the school needs to prepare not only for the event itself but for offshoot rallies and events as well.

How should organizations identify who should be involved in preparation? Keys said it's “testing, testing, testing. Literally.” Exelon's GridX program pulls in stakeholders like government officials and utilities to go over a national disaster program. Then, regional utilities all need to test their own plans on a local level. Finally, there are also functional area contingency plans, with legal, IT and other areas engaging in their own prep and training.

Key 2: First Response

Once an event occurs, it's time to respond. Dubnow noted that for “every issue you identify, you should craft, at least in draft, your plan.” This means different plans for different crises: a weather incident, for example, involves different engagement, notifications and more than a cybersecurity incident.

“You're not going to have a lot of facts, but at the very beginning of an investigation you can develop a plan based on the severity of the incident, the supporting facts,” and mitigate issues, she explained.

Kelly added that there's often the tendency when a crisis emerges to run out and say something. “But it's really important that the first thing you say, it's going to be hung around your neck like an albatross, especially if it's incomplete or wrong.” She explained that the first reach out doesn't have to be much but should be factual, concise and quotable. “It should show that you are taking action, that it is being addressed and handled, and we are going to let you know.”

Key 3: Keep Communicating

The first reach out isn't the only communication in a crisis; far from it. Dubnow explained that identifying stakeholders should have been part of the preparation, but often “inevitably something new will come into the mix.” She gave the example of a cyber incident that originates in a country outside the organization's normal purview, meaning that communications with a foreign, unfamiliar government are now necessary.

Kelly added that the intended audience should be prioritized based on the crisis. A weather emergency for her means contacting students, for instance, while a crisis in the middle of appropriations hearings means a call to government relations. “Undoubtedly, when there's a vacuum of information, people start to panic and they start to speculate,” she explained. “You need to flood the zone.”

Social media is also an important part of Kelly's world, as she said she needs to very carefully craft social media policies, especially considering First Amendment issues as a public institution. “We're not just doing old fogey emails the way that probably most of us in this room communicate,” she added. “You have to get on Twitter and other platforms as well.”

Key 4: Resolution Strategy

How do you know when you're done? Kelly noted the importance of establishing milestones or goalposts during a crisis. “Each time you get to that milestone, you evaluate where you are and what you're communicating to folks.” She added that of course the legal department would love to finish quickly, “but the truth of the matter is, you're always going to have concerned constituents who want to know what's going on. … I think you're done when folks stop asking.”

Keys added that in a public company, part of any resolution strategy should be after-action review and reporting to the board. As the board has a fiduciary duty to shareholders to report on the goings-on inside the company, keeping it updated on critical events and how they are resolved is simply good business. “I can't imagine a scenario where we notify the board of a crisis… and we don't circle back with that analysis,” he explained.

Key 5: Legal Considerations

As noted before, a quick and accurate first response helps. But what a company doesn't want to do is admit liability. As Ventrone noted, “Once you push it out outside that control group, once public, always public.”

She explained that nuance is crucial when trying to defend a client down the road, while still showing sincerity in responding to an incident. “There's a balancing act,” Ventrone said. “You want to help the client and company protect their brand, but you don't want to open them up to liability down the line.”

So where is that line? According to the panel, it's a case-by-case basis, and sometimes can come down to a gut check. Especially when searching for a quick response, Kelly said, “You have to be guided by doing the right thing and communicating in a way that mitigates the larger risk to the organization, and hope you can carry that through in private litigation.”

Key 6: Fixing What Goes Wrong

Finally, it's important to fix mistakes after event response is completed. One of the more common mistakes Keys sees is siloed plans, with legal not taking input from others. “When they are created by a single discipline in an organization, there's not the cross-functional collaboration. That's necessary to make it effective,” he explained.

Dubnow added that a major issue she sees is not continuing to enhance and improve a crisis plan based on one's own experiences or experiences in the industry or others. While some roll out training once and never again, “your employee base turns over time, and you need to continually emphasize [to] your employee base how to report an issue, how to communicate a concern.”

Keys agreed, adding that learning from others' mistakes has real value. “I hate to say it,” he said, “but take advantage of others' pain and develop scenarios based on what happened to them.”