Filed Under:Markets, Commercial Lines

Cyber-breach communications plans: What insurance professionals (and clients) need to know

Every company should have a plan in place to deal with a cyber attack or data breach, and crisis communications are an important component of the plan. (Photo: Shutterstock)
Every company should have a plan in place to deal with a cyber attack or data breach, and crisis communications are an important component of the plan. (Photo: Shutterstock)

Insurance professionals should be concerned about the growing phenomenon of cyber-security breaches and the impact on the businesses they represent as well as the impact on their own data.

Cyber security is an escalating concern facing companies throughout the world due to increased network failures, breaches in security and outside attacks. Regardless of the cause, businesses that maintain databases housing private customer information must review risk strategies to mitigate breaches and prepare for the very real possibility that a breach ultimately will occur.

Preparations should include three distinct areas: improved technology security, financial protection and mitigation and rebuilding trust through effective communications.

Improved technology security

In a January 2016 survey conducted by VansonBourne, an independent technology market research provider that surveyed 500 CIO respondents from the U.S., the UK, France and Germany, cyber security investments for 2016 exceeded $83 million. Still, nearly 87 percent of CIOs believe their cyber security attempts are failing to protect business interests. What is the cause? Today’s technology has increasing dependence on the use of mobile devices and storage solutions such as cloud-based software, with security measures based on keys and certificates. Through these keys and certificates, hackers gain access.

Related: 10 ways small businesses can fight cyber crime

Financial protection

Although there are a variety of technical solutions businesses can employ to protect against a cyber threat, there are still other risk strategies that should be considered should a breach occur. Businesses throughout the world are mitigating financial loss through cyber insurance. Each policy differs in scope and coverage; however, generally first-party liabilities cover costs associated with the actual breach (forensic investigation, profit/loss and legal advice). Third-party liabilities commonly cover damages caused by the breach (legal defense, public relations initiatives and regulatory response). Even though public relations services may be covered in various formats based on the protection plan after a breach has occurred, it’s never too early for businesses to proactively formulate communications strategies in preparation of a breach.

Rebuilding trust

With improved security measures and mitigated financial impact comes the need for reputation management and the ability to rebuild trust damaged through a breach. Preparing communication plans and messaging in advance, whether through internal means or in partnership with a firm will position organizations to effectively weather the storm while minimizing overall damage to the brand.

To begin your crisis communications planning, begin with these four tips:

1. Bring the team together

Begin your communications plan through the identification of a crisis team. Identify who should be at the table when a breach occurs. The crisis team should include executive representation from the CEO’s office, legal, information technology, human resources, finance, operations and communications. Bringing these decision-makers together before, during and after the crisis will create a cohesive approach to the crisis along with consistent messaging for both internal and external stakeholders. Consider including your risk manager and insurance agent or broker.

2. Brainstorm

Every quality crisis communications plan is organized, comprehensive and specific to your organization. While planning, think through and identify the specific crisis your organization could face. If you’re in healthcare, consider the various HIPPA scenarios that you could experience. If you’re in the legal field, how could client privilege be compromised? As the team works through their potential concerns, they establish the protocols necessary to mitigate the process.

3. Assign tasks

Every staff member has a role to play in an emergency, whether it’s an active role in the ongoing crisis or in supporting the post-crisis efforts. Determine the tasks that you’ll be required to do regardless of the challenges you face. Business operations (payroll, for instance) must continue with as little disruption as possible. Also, employees play a significant role in your communications, whether you want them to or not. Keeping them engaged and informed is a positive step toward a consistent message. Be sure to clearly identify who will do what prior to a crisis and ensure that employees know their roles and how to execute these responsibilities well in advance of an emergency.

4. Plan your communications

This includes not only what you’ll say, but also developing stakeholder lists and the message types they should receive, their priority in receipt of messaging and how to respond to inquiries. As an example, your board of directors may receive more detailed information about the crisis than your general employees. Clearly establishing message protocols ensures that each stakeholder level receives the right information regarding the crisis.

Communications during and after a crisis can be overwhelming, especially with the advent of social media and a 24/7 news cycle that competitively feeds on the need for new and updated information. But organizations can manage their communications through detailed and careful planning, pro-active communications during an actual crisis and quickly rebuilding brand equity through positive public relations before, during and after the event.

Post-event evaluation

Whether your crisis is short or has long-term impact, a post-event evaluation of the overall crisis that includes a review of corrective actions and your formal and informal communications throughout the incident is a must in quality improvement. The crisis team should take an unbiased look at every step, including those that led to the crisis and an honest identification of what was done well and what could be improved.

Planning is essential to crisis management. To mitigate damage, specifically from a cyber breach, companies should prepare for a crisis now. Begin with an evaluation of your technology security plan and protocols. For some companies, hiring hackers to attempt a breach has been considered beneficial to understanding weaknesses in the system. For others, implementing stricter security software keys and certifications is their best course of action.

Understanding that a breach is likely to happen, safeguarding against financial loss is also a positive step more and more businesses are implementing. And, a proactive approach to designing communication strategies will reduce lost customer trust and protect brand reputation. Regardless of what level you decide is acceptable, determine today to review your security, protection and crisis communications processes long before the need arises.

Michelle Irwin is a vice president for Poston Communications and brings more than 15 years of executive, inside experience managing crisis communications in the public sector. Contact her at or 404-875-3400.

Related: 6 categories of questions you’ll be asked when applying for cyber coverage







Featured Video

Most Recent Videos

Video Library ››

Top Story

America's 10 most dangerous cities for cyclists

Despite the relative safety of American cities for cyclists, 70% of fatal bike accidents still occur in urban areas.

Top Story

Crime doesn't pay for the newest members of the Hall of Shame

There is no honor among these scammers for the millions in fraud they perpetrated.

More Resources


eNewsletter Sign Up

PropertyCasualty360 Daily eNews

Get P&C insurance news to stay ahead of the competition in one concise format - FREE. Sign Up Now!

Mobile Phone

Advertisement. Closing in 15 seconds.