While Australia’s big banks have so far been able to fend off cyber-attacks, they have been caught in third party breaches. The Finite Recruitment breach exposed some Westpac employee data while the Pegasus rewards platform hack exposed some NAB employee data.
We don’t know what company might be targeted next, but what we do know for sure is that there will be a next victim and the (superannuation / property / asset management / banking / insurance & health) industry is high-risk given the amount of sensitive personal data stored. We also know that how businesses communicate during a crisis can make or break them.
Takeouts for financial services leaders
We have managed our fair share of crises at BlueChip Communication, whether here, or at previous employers. Whether lives hang in the balance, or the global financial system is unstable, there is one golden rule of crisis management. That rule, no matter what you communicate, is this: the greater good comes first. Everyone must put the well-being of customers and business continuity ahead of any one individual’s needs and interests.
With that in mind, let’s look at the current situation at Latitude Financial and some of what went right and wrong from a crisis management point of view as the crisis has developed.
Notify customers at the same time as any formal announcements
No one wants to learn about anything that impacts them personally and negatively from the media so make it a priority to get an email notification out to your database with as many or as few details as you can share at that point along with next steps and resources. Customer communication templates should be ready to go in the event of a cyber crisis.
Provide clear actions and support for customers
Equip your clients as best you can to protect themselves. Most people understand that cyber-attacks happen, but what is frustrating is when clear support and advice isn’t provided. This means a reminder of basic cyber security best practices and any specific advice relating to this specific scenario i.e. what they can do if they believe their accounts have been hacked. This should be a template which can be updated and shared with customers on day one.
Provide direct links to support and resources. Rather than asking clients to monitor your website for updates, give them an exact link to a page which has been pre-populated with basic information. This should then be updated with specific information as soon as possible.
Don’t thank customers for their imagined “patience and understanding”. Customers will be cranky (and rightly so given the circumstances) so feigning ignorance of that won’t win you any points. Instead, deliver a sincere apology and then swiftly move on to how you are working to resolve the problem, and what support you are providing in the meantime.
Focus on solutions. It was good to see Latitude come out with the offer to compensate its customers for replacement identification and other documents following their cyber breach.
Stick to your commitments
If you make commitments publicly, keep them all in a timely manner. Latitude has diligently worked through its commitments and shared regular updates via ASX announcements and the media. To bolster this, Latitude could share a timeline as part of the commitment so that its clients have greater certainty of what is happening and when. This saves resources going towards answering questions that a quick look at the website should be able to answer.
The truth always comes out one way or another so it’s important to be honest about the situation with your customers right from the start. The reputational repercussions of a cyber breach compacted by lies from management is far worse than a cyber breach alone as it erodes trust in the entire business versus their cyber security alone.
In an extraordinarily challenging situation, Latitude made the call to close its call centres until it had regained control following the hack to protect customers from further harm.
But this meant that clients looking for assistance could not call anyone and some also received an error message on the contact functionality website (depending on when it was accessed). Remember that your clients are in a crisis with you and even if you need to move heaven and Earth to make it happen – you need to keep the lines of communication open.
Make the hard calls
It took bold leadership to shut down Latitude’s services. It’s a move which does hurt the business, but when weighed up with its potential to save its customers from further hurt.
Turn marketing off
This one doesn’t require further explanation. If you’re in a cyber crisis which is exposing your clients’ data, it’s tone deaf to product-push so turn your marketing off until it’s resolved.
Prepare before the cyber crisis, not during
Latitude has been quite efficient from a communications perspective; however, it is clear from the timings that they weren’t prepared from a process point of view. This is where having clear crisis management training comes into play, each person has a role to play, understands how to operate under pressure and can immediately step into crisis mode.
For teams that aren’t yet at this stage, we created our cyber crisis management training which is worth its weight in gold to the c-suite and management leaders who undertake it.
Carden Calder is the Founder of BlueChip Communication. Carden is a financial services reputation, PR and communication adviser. She helps finance sector Boards, CEOs, leadership teams and CMOs win the stakeholder support they need to be successful, and to build and protect their corporate and personal reputations.