Cyber risk and reputational risk are increasingly inseparable, especially in the business environment. One of the key factors to be considered in this context is when to make the public announcement confirming that the company suffered a significant cyber-attack. The problem requires a trade-off between the risks of premature and delayed disclosure.
Rushing the communication to the public may produce multiple undesired effects.
First, it creates a risk that the information may be false, inaccurate, unclear or incomplete. This in turn may require retracting some of the statements, which would likely produce more reputational damage.
Second, an announcement which only confirms the attack is likely to be a net negative for the company. Basically, you would be just confirming that an attack took place without offering any important information such as scope, severity and, most importantly, your concrete strategy to deal with the problem.
Third, if the announcement is made without proper internal coordination it may make the situation more chaotic. Once the company publicly confirms the attack the pressure is on. It means that all other relevant internal stakeholders must be up to their task. Announcing an attack while the IT or legal team is not ready will create new risks and make the problem worse.
If you wait too long (“to have 100% certainty”, “to see how the market will react”, “to let the crisis pass”) the risks can be significant.
First, there is the regulatory angle. The delay may be considered by the regulator as procrastination, negligence or a violation of the law. This may lead to additional scrutiny, fines or even criminal charges.
Second, letting the media speculate about the attack is a recipe for aggravating the situation by creating a potentially damaging narrative based on assumptions, rumours and exaggerations. In the absence of official communication from the company, the public perception of the incident will be shaped by third parties, some with their own malicious agenda.
Third, the reputational fallout also makes the targeted company more vulnerable to intentional “follow-up” attacks. The opportunity may attract various malicious actors who will try to use the situation to their own advantage, e.g. by spreading rumours on social media to aggravate the reputational impact on the target, launching new cyber-attacks in the hope that the company may still be vulnerable, or pursuing aggressive litigation to exploit potential legal problems created by the original attack.
The decision regarding the timing of the disclosure needs to be part of the preparatory work. The decision whether to be quick or not will always be case-specific. However, the process of analysing the trade-off between the risks of premature vs. delayed disclosure can be developed, tested and embedded into the response process well in advance.