Skip to main content

Since I published my book in 2018, the global cybersecurity market has evolved into a $173 billion industry that is expected to grow to $270 billion by 2026.

Companies have devoted teams of people towards protecting their data. That includes legal professionals, cybersecurity experts and ransomware negotiators. But the criminals have also upped their game, becoming more sophisticated with their attacks and negotiation tactics, while also increasing the price of their ransoms into the millions. The COVID-19 pandemic has only accelerated this trend, as many organizations have become more vulnerable during their hasty transition to working remotely.

After taking into account the immediate financial impact of a cyber-attack, the short and long-term impact on your brand and its reputation can make or break your organization. Beyond securing your systems against a data breach, you need to be prepared for how you will respond and communicate to all your key constituents if and when one should occur.

Immediately After a Breach Occurs

As soon as an organization is made aware of a breach and has assembled its response team (typically a collection of IT staff, cybersecurity experts, crisis communicators and outside legal counsel), the first 48-hours are typically dedicated to learning and fact finding. As the IT and cybersecurity members conduct their forensic analysis, it becomes incumbent on the legal and communications professionals to start crafting relevant documents that will help illuminate the path forward. That typically includes the following:

    • Operating narrative
    • Three key messages with the desired net impact
    • Q&A document
    • Holding statement


The operating narrative is an internal document that answers the who, what, when, where and how questions of the situation. It helps to align the team around the facts of the case and will evolve as more details begin to emerge. The three key messages act as the guiding light for all actions moving forward, with the net impact establishing how we wish to be perceived by key constituents. The Q&A document and holding statement are prepared for if and when the news will go public.

If and when is typically the most hotly debated question amongst the team. Often, the inclination will be to withhold information regarding the breach for as long as possible until all details are known. But as we’ve seen with cases like Equifax, the longer you wait, the more distrust will grow as employees and customers are kept in the dark. It is better to acknowledge the breach and fill the information vacuum with as much information as you can legally. As a side note for many organizations operating nationally and internationally, many states and countries have laws that require public disclosure of a data breach within 30 days or less of discovery if personally identifiable information (PII) is involved.

Internally, it is imperative that you brief your stakeholder groups as soon as possible, especially those that interact directly with customers. Arm them with the key messages to ensure discipline and consistency, and reinforce how seriously your organization is treating this threat. You should also establish a triage for incoming inquiries that will be elevated to different levels of leadership based on urgency or level of importance.

After the Dust Settles

As time passes, your response team should be conducting meetings on a daily basis to stay informed on forensics, negotiations and reaction to various pieces of communications that have been circulated. Externally, it may start to feel like people have forgiven or even forgotten the breach. Resist the temptation to turn off all communications at this point – you must follow through on the dialogue that you began. Keep your key constituents up to date on new information you have learned during forensics, how you will remediate the ongoing situation with individuals affected, and what further steps you will be implementing in the future.

As more information starts to become public, be prepared for negative chatter in the press and on social media. As with incoming inquires, form a triage system for social media and news posts to ensure that they reach a certain threshold of engagement before issuing a response. Make sure that your company’s social media policy is up-to-date and that your employees are aware of what they can and cannot say online.

Understand that some customers will not flock back to you after this trust has been breached. While you should consider incentivizing loyalty, many will see sales and other financial-incentives as gimmicky or insensitive. Treat this is an opportunity to be creative, and show “great will,” not just goodwill. Take a hard look at why people have confidence in your brand, and through that you will find ways that you can exceed expectations.

Lastly, keep in mind that your actions and follow-through will be the driving force into seeing positive results after this kind of crisis. You can say all you want about being prepared to protect your customers going forward, but part of “great will” is executing on your word and being proactive.

Post Mortem

As your data breach episode comes to a conclusion, often with an incident response summary from a third-party vendor that conducted the forensic analysis, always remember that full closure requires a detailed timeline of events and a plan to make the world a better place. With that in mind, even as you navigate the depths of the crisis, make sure to record all key milestones and events that can be shared at a later date. Make no mistake, clients and employees will want a full accounting.

You should also be thinking about how you might go about helping others to avoid your fate. Chances are that many of the clients you reach out will express sympathy because they too have gone through a similar incident. Use that to your advantage. That could be establishing an open source network where victims of cyberattack can share their experiences and techniques. Or hosting an industry conference that takes colleagues through your timeline of events that leads to a brainstorm of ways to prevent future attacks. The world is quick to accept that companies make mistakes, but you have to show what you’re doing to make sure it never happens again.

As I said in the beginning, the cybersecurity industry is growing at a rapid pace, and attackers will only become more innovative and emboldened as time progresses. If you haven’t been preparing for a cyber-attack, now is the time to prioritize and strategize.