Cyber security on the rise: an opportunity to revisit crisis comms planning

By Adam Riddell, Managing Client Director

With this month marking Cyber Security Awareness Month, a lot of organisations have taken it as an opportunity to focus on their cyber risk capabilities and processes – and with good reason.

In today’s risk landscape, no threat has grown as rapidly as that arising from cyber incidents. From data breaches to ransomware attacks, the risks and the potential reputational fallout are very real, and we see that first-hand in Jersey, Guernsey, the Isle of Man and other international finance centres (IFCs), where the financial services sector is a prime target.

Recent years have seen an escalation in both the frequency and sophistication of cyber events. At a global level, it’s estimated that around 65% of financial services organisations have experienced a cybersecurity breach in the last year, with the average cost of a data breach exceeding $4 million. In addition, around 12% of all phishing attacks in Q4 2024 targeted financial services.

And while firms are strengthening their IT defences and risk management protocols, many are still overlooking a critical element: how they communicate when the worst happens.

That’s important, because the moment a breach or other incident is detected, trust is on the line with clients, regulators, employees, partners and the public alike. How a firm responds in those first hours and days can make the difference between a managed recovery and lasting reputational harm.

There are several reasons why having a tried, tested and actionable plan in place that specifically addresses cyber risk is so crucial.

First, cyber threats carry board-level relevance. Regulatory scrutiny means that communication failures, not just the underlying incident, can carry financial penalties and governance consequences. Frameworks such as the UK’s Operational Resilience regime, the EU’s Digital Operational Resilience Act (DORA) and the US SEC’s cybersecurity disclosure rules all require firms to demonstrate preparedness, and that preparedness includes the ability to communicate with regulators, clients and the market within defined timeframes.

Second, digital ecosystems magnify reputational risk. News of a breach can spread in minutes across social media and digital news platforms. Silence or inconsistency can be read as evasion or incompetence, while clients, investors and employees expect timely, honest updates. The need to “wait for the facts” must be balanced against the need to demonstrate control; get that balance wrong and the reputational fallout can be significant.

And finally, cyber events test every layer of an organisation. From internal communications to customer service and media engagement, coordination is essential. A plan built around the IT response alone isn’t enough: it must be coordinated across functions, it must be reviewed regularly and it must be actionable on the day.

Wider planning

While the focus this month is on cyber security and resilience, which gives firms a natural prompt to review or build crisis comms plans focused specifically on cyber threats, to my mind there is a wider opportunity here: to revisit crisis comms planning more broadly at the same time.

I’ve been heartened over the past year to work with a number of firms that have proactively reviewed their crisis comms plans. It’s something that should be done regularly in any case, but as the environment firms operate in continues to evolve at pace, using this month as a reason to make sure crisis comms plans, whether they relate to regulatory, employee, natural disaster or other issues, are up to date can only be a good thing.

So what should a strong crisis communications plan include? The critical elements are:

  • Clear governance and roles: define who leads communication, who approves messaging and how decisions are escalated, including contingencies for when key personnel are unavailable.
  • Scenario planning: develop communication templates and holding statements for a range of plausible scenarios (ransomware, data breach, third-party outage), so that the first statement does not have to be drafted from scratch under pressure.
  • Stakeholder mapping: identify all key audiences, from regulators and clients to employees and suppliers, and who owns each relationship.
  • Internal coordination: ensure IT, legal, compliance and PR teams are connected through a single crisis structure. This should also involve building disclosure obligations and data privacy rules into the communication plan, including the statutory notification clocks (such as the 72-hour regulator notification window under GDPR-style data protection law), to avoid turning one incident into a separate regulatory breach.
  • Speed and balance: agree a process that allows for rapid initial acknowledgment while ensuring that every subsequent update is fact-checked against what the technical investigation has actually confirmed.
  • Media and social strategy: prepare for misinformation, monitor what is being said, and designate spokespeople trained in crisis response.
  • Post-crisis: include next steps for reputation rebuilding and a lessons-learned review that feeds back into the plan.

The CIPR’s Crisis Communications Network is a good source of information on this, and last year launched a best practice guide to help PR teams navigate the challenges of crisis communication in the age of social media. 

How a firm communicates under pressure, whether stemming from a cybersecurity incident or otherwise, is critical. The immediate impact and the longer-term fallout can be considerable, and in such cases, reputation management is inseparable from operational resilience.

Financial services firms that prepare now and ensure their crisis communications plans are fit for the cyber age will be better placed not just to survive a breach, but to weather storms more widely. So why not use Cyber Security Awareness Month this year as a prompt to revisit those crisis comms plans in the round…