The Brief 

Cyber-attacks are many and varied. They can be happening right now, with data being exfiltrated for weeks or even months before being noticed or before a ransom note is found, or they can happen suddenly with an immediate and devastating impact on businesses and customers. 

Whichever the case, communications are vital. In recent months, Wright Communications was asked to support several businesses and not-for-profit organisations that were hit by cyber-criminals with distributed denial-of-service, file encryption or data breaches. 

The Wright Approach 

Our initial response involves comprehending the extent of the attack, its impact on the organization, and the array of stakeholders affected. As communication advisors, our instinct typically leans towards engaging with affected customers or stakeholders. However, this may not always be necessary, and in rare instances, may even be undesired by the client. 

Nevertheless, any loss or exposure of personal information falls under the purview of the Privacy Act 2020. Consequently, breaches must be reported to the Office of the Privacy Commissioner within 72 hours and communicated to affected individuals as promptly as possible. Depending on the severity of the cyber-attack, our communication with stakeholders can vary in depth. For instance, if there's evidence of data exfiltration, we undertake a comprehensive approach, drafting emails, letters, media releases, FAQs, and more. 

In cases where no data has been compromised, communication may be more straightforward, such as through email or media releases. Additionally, we provide guidance to customers on preventive measures to safeguard their data against criminal exploitation. 

Recently, we've been enlisted by two prominent companies in New Zealand to assist them with their information security planning. One of these companies, a national brand primarily focused on data management, already had an info-security plan in place but required a tailored communication strategy to complement it. Considering its extensive membership base of approximately 2.4 million, this proactive step was deemed prudent. 

In the other instance, a high-profile Auckland-based company sought both a communication plan and a proactive testing process. They wanted to ensure their executive team and subsequently their Board of Directors were well-prepared to implement the plan effectively. 

The Outcome 

Often, despite the wide range of stakeholders – from customers and employees through to funding agencies, investors, and suppliers – there has been little public impact from the cyber-attack. Most impacted businesses survive the short-term disruption, communicate frequently and openly with their valued stakeholders and rebuild their IT systems. Most cyber-attacks are not covered by the media – possibly because there are so many of them. 

For large organisations with multiple stakeholder groups, thousands of customers and organisationally-dependent digital systems, we strongly recommend developing an info-security communications plan and rehearsing that plan at least annually with the Executive Team supported by the heads of IT/Digital Services, Communications, Legal and Operations.