Return to site

Managing Fallout? How to survive a Hack.

· cybercriminal,cybersecurity,reputation risk

Final post in a 3 part cyber breach simulation from the 2nd ASEAN Regulatory Summit. #advicethatsticks #TRREGSUMMITS @rlexperts @ey @jaydeconsulting @leesasoulodre @trtworld

See also part 1 - Data Breach? How to Survive a hack and part 2 - Ransom? How to survive a hack.


This is the final post in the 3 part series, that covers the highlights from the Cyber breach simulation delivered in Singapore on the 1st September 2016 at the Thomson Reuters 2nd ASEAN Regulatory Summit.

As Chief Reputation Risk Officer and Managing Partner, RL Expert Group, I had the opportunity to collaborate with Ernst & Young Lead Partner Cybersecurity Asia Pacific, Paul O'Rourke, Counter-espionage Expert and Managing Director of Jayde ConsultingJulian Claxton, and Thomson Reuters Senior Editor, Patrick Fok.

The event triggered robust debate among the audience of senior governance, risk and compliance practitioners, and leaders from across the region. Given that this breach scenario is relatively common today, we thought it useful to share the simulation and challenge your thinking.

What would you do? The case so far...

Context: You are the Chief Risk Officer at ABC Bank. You discover that someone has hacked into your servers. The perpetrators have stolen your customer information and financial records and published them online.

Your investigations showed that your primary servers were attacked by ransomware software and the attackers were demanding 1 million USD to unlock your servers. As a result of the hack, ABC Bank switched to their redundant servers offsite which have lower security. This meant that a phishing email was able to leak through the firewalls, which an unsuspecting member of staff pushed into the organization and was the root cause of the data leak. 50,000 customer financial records have been leaked to the public.

Part 3. You decided to tell the authorities, and chose not to pay the ransom. The story has now leaked to the public, and people are demanding you tell them how this happened and why.

How do you manage the fallout? 

  1. Identity management & access controls
  2. Strong external PR campaign
  3. Engage the regulators and authorities
  4. Immediate upgrade of BCP and DRP infrastructure
  5. Internal reinforcement of risk culture

The results:

  • 15.3% of the audience would focus on identity management and access controls.
  • 23.7% would focus on a strong external PR campaign
  • 34.5% would engage the regulators and authorities.
  • 12.4% would focus on an immediate upgrade of BCP and DRP infrastructure and
  • 14.1% would focus on internal reinforcement of the risk culture.

We discussed that in this step it is more likely that you would deploy all of the above simultaneously. The governance, risk and compliance audience's vote for a strong external PR campaign and regulator/authority engagement was of no surprise, particularly given the significant penalties and fines related to a data breach and/or ransom. 

Companies must also remember that it’s a balancing act. When the reality of the "inside out" operations is bad and the "outside in" perception is good – they must instrument the necessary changes in order to alter both the operational and/or strategic reality - AND collaborate with the communications and crisis management teams to limit stakeholder issues. When the reality of the businesses operations are good and perception is bad "marketing and communications" is required to capitalize on the good reality and overcome poor stakeholder perceptions.

Stakeholders will be looking here for inconsistencies between what was said during the crisis and now after the crisis. They will expect answers on compensation and seek evidence on what has changed since the incident.

In this phase, they will be looking for :

  1. Proof that the incident is over,
  2. To identify a person who will accept responsibility on behalf of the company (ideally CEO), and
  3. Company assurances that it will not be allowed to happen again.

During this period it is important to provide as many facts and information about what the organisation has learned and achieved as possible. Continuing to demonstrate empathy and concern towards the victims, as well as demonstrating the company's competency in managing the issue, are both critical to effectively managing any residual outrage, as the company now works to rebuild relationships and trust.

Beware if you do not have an individual at this stage who will accept accountability. Internal / external whistleblowers may come forward.

Key Takeouts from Leesa Soulodre, Chief Reputation Risk Officer, and Managing Partner, RL Expert Group:

  1. What to Communicate? The facts. In any major breach event, a company’s stakeholders need the facts in order to be able to adequately assess the situation. They want to know:
  • What has happened
  • What and who has been affected? Where?
  • When did it happen?
  • Who is involved?
  • What caused the breach?
  • What has been done to ensure it does not happen again?

2. What to do? Take Accountability. Often breaches are linked to other parties in your value chain who may have some level of contractual responsibility. However, there is significant research and market performance evidence that demonstrates that by laying blame at your 3rd parties or partners, this only serves to harm everyone involved and often can only delay the effective 1) execution of recovery and 2) stakeholder engagement.

A company is better to accept accountability, take ownership of all activities for effective execution and pursue the appropriate recourse/ compensation with third parties and partners at a later date. The faster the company is to apologize, to show empathy to its victims and to be seen to be addressing the issues so that it can never happen again, the more likely it is to preserve its reputational equity and retain its social license to operate.

3. What to assess? Expand enterprise risk management to include reputation risks and include a risk assessment process that includes factoring outrage and velocity. Modify your formula for risk assessment. Today given the interconnected of risks and a 24 x 7 x 365 news cycle: Risk = hazard + outrage + velocity x probability  (Soulodre, 2014). In this context "outrage" can be assessed by using a proxy of the volume and velocity of negative expressed stakeholder sentiment (internal + external) measured by both weighted volume + variety.


If you enjoyed this series, we will continue the discussion on cyber crime and data privacy at the Pan-Asian Regulatory Summit that is taking place on the 8th & 9th of November, 2016 at the Grand Hyatt in Hong Kong. For the full agenda and details on how to register, please visit the website.


I appreciate that you are reading my post. Here, and on LinkedIn, I write about board related issues - corporate strategy, human capital, reputation risk, technology and innovation, corporate governance and risk management trends.

If you learned something from reading this post, please click the thumbs up icon above and let me know. If you would like to read my regular posts then please click 'Follow' (at the top of the page). If we have met, do send me a LinkedIN invite. And, of course, feel free to also connect via Twitter.

If you are interested in more effective reputation risk management, improving corporate governance, using the Reputation Institute's RepTrak model to benchmark your company's reputation, or developing your digital, communications, responsible investment or sustainability strategies, do connect with us at RL Expert Group.

All Posts

Almost done…

We just sent you an email. Please click the link in the email to confirm your subscription!