Cybersecurity is a much-discussed topic and for good reason. Hackers continue to adapt and deploy more sophisticated attempts to breach cybersecurity protections while growing more brazen with their targets.
With cyberattacks a too-frequent headline, it’s no surprise that, for the sixth consecutive year, cybersecurity was cited as the most pressing concern by respondents in the “Investment Management Compliance Testing Survey,” conducted by the Investment Adviser Association and ACA Compliance Group.
Among the RIA compliance professionals who were surveyed, 83% identified cybersecurity as the “hottest” topic related to compliance, and 70% responded that their firms strengthened compliance testing for cybersecurity over the past year.
In 2019 alone, targets as diverse as a U.S. Customs and Border Protection surveillance contractor (Perceptics), the Georgia state municipal courts’ administrative office, a large U.S. healthcare debt collector (American Medical Collection Agency), and a Norwegian aluminum manufacturer (Norsk Hydro) were all victims of cyberattacks, which seriously compromised their data and operations.
Dot Every ‘I’ and Cross Every ‘T’
However, not all cybersecurity breaches are the handiwork of nefarious external parties. Failure to monitor and test company websites for potential security glitches can also expose sensitive data and communications.
This past May, a prominent real estate title insurance firm, First American Financial, announced that 885 million records dating to 2003 were accessible on its website without a password. The company announced it had secured the records, which included Social Security numbers, bank account information, and other personal data, after security expert and blogger Brian Krebs alerted the company to a glitch. All Mr. Krebs needed to do to access the documents was to alter a few digits at the end of the First American website URL.
At the time of the announcement, no one knew if cybercriminals had accessed any of the 885 million compromised records. Nevertheless, First American owes a great deal to Mr. Krebs for alerting them to this massive cybersecurity threat.
No Cybersecurity Enhancement Can Restore a Damaged Reputation
What happened to First American reinforces the importance of maintaining a robust cybersecurity program that stays one step ahead of evolving threats and regulations. Regardless of the industry in which they operate, or whether they are public or private institutions, all organizations should hold quarterly or monthly seminars to ensure all employees understand internal cybersecurity protocols and the role they individually play in keeping data safe. Regularly scheduled drills are also key to protecting companies from cybercriminals and to mitigating fallout from any exposure.
From the perspective of public relations and marketing, a cybersecurity breach can cause serious, and sometimes permanent, damage to a company’s brand. Following Equifax’s September 2017 announcement that its computer systems were hacked, and that the personal data of approximately 143 million Americans was potentially compromised, the credit bureau’s Buzz score (a brand-perception benchmark measured by YouGov) dropped 33 points in 10 days.
Up to that point, only Volkswagen had suffered a larger Buzz score decline, losing 49 points within 10 days of the emissions-cheating scandal becoming public in September 2015. The huge number of Americans possibly affected by Equifax’s cybersecurity breach, and the sensitivity of the personal data potentially compromised, likely contributed to the scale of the credit bureau’s Buzz score decrease.
The hit to Equifax’s reputation caused the company’s stock to lose $4 billion in market value within a week of the announcement. Last month, the company agreed to pay up to $700 million as part of a settlement with the Federal Trade Commission.
Create a Crisis Plan to Prepare for Potential Reputational Damage
A stain on a company’s reputation can linger long after monetary damages have been paid and its stock price has recovered. Former U.S. Secretary of Labor Raymond Donovan famously asked in 1987, after he was acquitted of corruption charges, “[To] which office do I go to get my reputation back?”
Every company should have a crisis communications plan in place, but one strategy to (hopefully) avoid having to put it into practice is to invest time and resources into maintaining secure digital systems and robust cybersecurity policies.