More than most companies, banks rely on the trust and confidence of the public. The 81-year-old deposit insurance program has made Depression-era bank runs, where frightened depositors once lined the street waiting to withdraw their money, a relic of the past. But there’s a new risk that the deposit insurance system can’t protect against—the theft of sensitive customer information by cyber crooks—and banks of all sizes need to have a crisis management plan at the ready in case they get hacked.
Recently, I participated in Bank Director’s 2014 Bank Audit & Risk Committees Conference in Chicago, where there were several presentations on cyber security, and one message came through loud and clear: All banks are at risk, including even small and medium-sized ones. In fact, smaller institutions might be in even greater danger than much larger ones because the bad guys—and I’m talking about hackers in Eastern Europe and Russia—figure that they’re an easier mark.
Any community bank CEO or director who thinks their institution is too small to worry about cyber crime is living in an altered reality.
There were also a couple of presentations on crisis management, which goes together with cyber crime like ham and eggs. Not only is your bank at risk of getting hacked, but you need to have a crisis management plan that can be put into effect quickly in case it does. This is important! If your data systems are broken into and sensitive customer information gets into the wrong hands, your customers will feel differently about the bank unless something is done quickly and done well.
The issue here is public trust and confidence.
It’s important to know in advance what to do and what not to do when a crisis explodes (and often that’s how crises announce themselves to the world, with a big boom) because you probably won’t have a lot of time to react.
In her presentation on crisis management, Rhonda Barnat, a managing director at the New York-based communications firm The Abernathy MacGregor Group, cautioned against the urge to over-disclose information such as how many customers were impacted by the breach, or how the breach occurred, because this factual information will end up becoming the story. Barnat also said banks should be careful how they use social media during a crisis—for example, they shouldn’t necessarily respond to a negative video on YouTube with a rebuttal video. Instead, the bank’s primary focus should be on taking care of the affected customers. In other words, the best way to rebuild trust and confidence is to fix the problem and make customers whole, not wage a public relations campaign. Do the right thing and word will get around soon enough.
Barnat says there are 10 common mistakes that companies make when managing a crisis, including getting out in front of the story, which often just leads to confusion because facts have a way of changing.
Maureen Morrissey Brown, who is the senior vice president and public relations director at Huntington Bancshares, also gave a presentation on crisis management. Brown said it’s important to have a plan in place so that if a data breach does occur the bank can hit the ground running. This plan should do the following:
- Create a crisis management team that can quickly go to work if the bank is hacked and customer information is stolen. This team would normally include the CEO, legal counsel, the bank’s compliance officer, senior public relations officer and an outside public relations firm.
- Take some time to identify possible scenarios – a data breach is one such scenario obviously, but others might be an acquisition gone bad, an earnings restatement if it’s a public company or old-fashioned fraud by an insider.
- Create what Brown refers to as “holding statements,” which are statements that you will release to the public if any of those scenarios occur. These might have to be modified depending on the circumstances, but at least you’ll have something to work with.
- Appoint a spokesman to deal with the media and give that person training on how to respond publicly in crisis situations.
- Assign roles and responsibilities to team members so that everyone knows who does what.
Brown had this last bit of advice: Design the plan to be comprehensive but allow for unforeseen situations, update the plan frequently, always be on the lookout for developing challenges, and monitor the reactions of competitors, peers, customers and suppliers.
Brown ended her presentation with a recent comment that Warren Buffett made to CNBC about General Motors’ poor handling of the controversy involving faulty ignition switches, which have been blamed in 13 deaths.
“Get it right. Get it fast. Get it out. And get it over.”