The UK National Cyber Security Centre has published guidance on effective communications in a cyber incident. While targeted at organisations generally, rather than explicitly at pension scheme trustees, the guidance contains useful recommendations that trustees may wish to consider incorporating into their cyber incident response plans. Earlier this year, the Pensions Regulator (TPR) published a report setting out the key steps that trustees should take if a cyber security incident occurs in which communications were a key feature (see our legal update for more information).
The guidance explains the importance of effective communication with staff, stakeholders, customers and the media during a cyber incident and sets out three core principles.
1. Prepare a communications strategy in advance
Although it is not possible to predict the timing and nature of a cyber incident, preparing a communications strategy can lessen the harmful impact of an incident. The strategy should cover:
- Roles, responsibilities and communication protocols.
- How external outreach will be managed.
- Use of alternative communications where usual communication channels are not available.
- Testing and review of the strategy.
2. Communicate clearly with different parties, and tailor messaging where necessary
Communications should address the specific concerns and needs of each group with whom it is necessary to communicate, while also ensuring that the core points are consistent across the communications. Organisations should provide clear and accurate information that those groups need to know, while also being careful not to disclose information that may heighten the risk to the organisation or its customers. It is important to avoid saying anything that may have to be retracted later (for example, stating that there is no impact on member payments or that no personal data has been affected if the investigation of the cyber incident is still ongoing).
The guidance sets out recommendations to follow when:
- Managing the organisation's own communications.
- Managing external factors such as media coverage and interaction with regulatory bodies.
The guidance also recommends preparing answers and a statement in advance.
3. Manage the aftermath in the medium to long term
Organisations should consider the following when developing messaging and communicating in the medium to long term:
- Providing regular updates on the progress of incident response efforts.
- Communicating updates on incident impact assessments.
- Continuing to engage with key stakeholders throughout the recovery process.
- Maintaining open communication channels with the media.
- Sharing insights and lessons learned from the incident response process and actions taken.
Following an incident, organisations should review their communications response and update their communications strategy where necessary.
How Mayer Brown can help
Mayer Brown can assist trustees in all aspects covered by the guidance, including:
- Preparing a communications strategy. We can draft, or review, your communications strategy, including reviewing and, if necessary, updating the strategy following a cyber incident.
- Responding to incidents. We can draft, or review, your responses to cyber incidents, including assessing your reporting requirements. In particular, we can draft or review your communications to the Information Commissioner's Office, TPR, other regulators and any affected individuals.
- Reviewing cyber security arrangements. We can review the structures you have in place, including your cyber security and data protection policies, your incident response plans, and security or data protection arrangements with third party providers.
- Cyber incident "war games". We can create and/or support you in carrying out a cyber incident "war game" to test the preparedness and resilience of your scheme's cyber incident response plan, including in relation to the aspects covered in the guidance.
- Training. Cyber security is a fast-developing area. Therefore, keeping up to date with cyber security developments is important in helping to ensure you have resilient structures in place. We can support you by providing training or knowledge update sessions.
Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.
© Copyright 2024. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.