5 minutes
Make sure your credit union is prepared to respond if the unthinkable happens.
Chances are, you or someone you know has had personal information compromised due to relentless cyberattacks across various industries in the U.S. Last year alone, we saw major companies like Blue Cross Blue Shield, Verizon and even the U.S. Securities and Exchange Commission fall victim to data breaches. In fact, according to Gemalto’s Breach Level Index, more data records were lost or stolen in the first half of 2017 than throughout all of 2016, and this frequency will likely continue to escalate into 2018.
So, what can you do if your credit union experiences a data breach?
How your organization responds will impact if and how quickly your reputation recovers after the incident. The guidelines below will help ensure your credit union is prepared to minimize any PR nightmare that ensues if the unthinkable does happen.
Do you have an incident response plan in place?
First and foremost, your credit union should have an incident response plan in place before a cyberattack occurs. Proactivity is vital in crisis communications, and your credit union’s executive team should be familiar with the plan. When a data breach is discovered, you and your team will not have time to develop a response plan from scratch. Many of the CU’s executives will be busy responding to the breach on the operational and technical side, which makes having your communication plan in place—and reviewed frequently—important.
It is important that your plan accommodates digital media outlets and your members’ content consumption preferences. Because stories can go viral in a matter of minutes, response windows have shrunk, but you must create a statement that goes beyond the content of a news release; your team will likely need to craft statements for social media and your website, too. Be mindful of the timing and authenticity of the message. Remaining authentic to your brand while showing empathy to those affected by the breach will go a long way in the eyes of your members and the media.
Who will be your spokesperson?
Secondly, be sure your credit union has a designated spokesperson to address the breach. This might be your chief marketing officer or your chief information security officer. When determining who will be the face of the response, choose someone who has strong communication skills or prior experience interacting with media. This person should also hold a position of authority within the credit union. Once this spokesperson is identified, he or she should be trained on what information to disclose and the messaging to use.
Also, keep in mind that the severity of the data breach may unfold over several weeks or even months. Therefore, you may have to disclose information before all the details are known. It is important that your team is on the same page about releasing facts as they become available. As news of the incident goes public, it is also crucial that you inform your community on the actions your credit union is taking to make sure the breach doesn’t happen again and how you plan to help members impacted by the breach.
Are you expecting the unexpected?
Rehearsing your incident response plan is key; however, there are some scenarios that are difficult to plan for. For example, a local news reporter may arrive on-site with a camera—will your branch manager know how to handle that? It is important to prepare for a variety of scenarios, because it is impossible to predict what may follow after a breach. As such, do not keep employees in the dark about a breach—they are affiliated with your credit union and must be prepared to help with damage control as needed. You never know if a journalist will reach out directly to an employee, so make sure they know how to respond. Handing out bullet points to help them confidently answer media requests may be helpful. Employees will likely also have friends or family ask about the issue; they can help your credit union mitigate reputational damage if you provide them with the necessary tools.
How have you helped your members protect themselves?
Most importantly, be transparent with your members and help them after the breach. Some members may not how to protect themselves after their personal or financial information has been exposed, so providing actionable security tips via an email, blog post or social media can help build back their trust. Also, encourage members to review their financial statements and online transaction activity. If they see any unauthorized activity on their account, have them call the number on their cards or stop by the local branch so your staff can quickly resolve the issue. By minimizing the impact a data breach has on your members, your credit union will be working toward regaining their confidence and trust.
Lastly, if your credit union has an external public relations team, be sure to involve them as soon as possible—they will be able to guide your team through the crisis and help mitigate reputational damage.
Although a data breach is a crisis that your credit union hopefully never encounters, ensuring your team has a solid response plan in place if an incident occurs can reduce the risk of a second crisis: the public fallout that comes after a slow or weak response. It is possible to survive a data breach with your reputation intact, but whether or not that happens hinges on a timely, authentic and helpful response from your credit union.
Mallory Griffin is an account representative at William Mills Agency, the nation's largest independent public relations firm focusing exclusively on the financial services and technology industries. The agency can be followed on Twitter, Facebook, LinkedIn, or its blog.
CUES’ Credit Union Management’s online-only “PR Insight” column runs the first Thursday of every month.
