Cyber & IT Supervisory Forum - November 2023

Messaging to external parties must be:

- Consistent to the extent possible;
- Reflective of an appropriate level of disclosure, timing, and detail; and
- Delivered with the interests of the organization in mind.

Obviously, media and customer communications are of particular importance due to the lack of control once information is provided publicly. Management must consider that media communications will “paint an official picture” of the event to the public and must be developed with this in mind. In addition, regulatory notifications are also extremely important, as notification requirements vary from state to state, may have unique timing requirements, and may involve disclosures to multiple parties (i.e., attorneys general, state banking or regulatory agencies, consumer affairs agencies, etc.). An entity should be familiar with reporting requirements in their areas of operation in light of the various requirements applicable to states where the entity is licensed. Similar detail and timing requirements for notifications to impacted customers must also be considered as they may vary from state to state.

2.) In your opinion, should the organization wait to respond until the media makes formal inquiries?

a. Should the organization proactively issue a press release, or engage in other public outreach such as social media postings?

b. Who might be responsible for deciding and initiating these efforts?

There is no definitive answer to this question, as external communications needs will largely be dictated by the organization’s unique situations. While we discussed the importance of internal information control earlier, this question relates to how the company addresses the public’s perception of the organization during and after the incident. There are several aspects of this to consider. First, an organization would be well-served to try to limit social media postings from employees regarding the incident. While an organization cannot realistically control what its employees post on personal social media accounts, there should ideally be some written policy guidelines to stress the importance of keeping the organization’s “internal business” out of the public spotlight. This also ties back in to the “need to know” principles we addressed in our discussion of internal communications with employees.

External messaging might be something typically done through communications, public relations, or even a legal department within the organization. Any messaging made through the media must be consistent with messaging being provided to impacted customers. It would also be wise to keep regulatory authorities and any other invested third-parties abreast of any messaging that is disseminated to the public, regardless of the outlet used. Sometimes word of an incident can become public through a social media post made by an affected customer. And when this happens, the information is usually speculative and
