In his role as an executive vice president/managing director in BCW’s New York Public Affairs & Crisis practice, Michael Estevez advises clients on crisis communications, issues management, litigation communications, and cybersecurity. Michael’s cybersecurity and privacy communications experience includes engagements on behalf of corporations, a U.S. defense contractor, an ivy league university, and government entities. He has advised organizations on matters related to cybersecurity crisis communications including media relations, employee communications, customer and stakeholder engagement, and public affairs.
Michael helps clients navigate complex crisis communications situations, enabling them to regain trust, repair stakeholder relationships and return focus to their core organizational mission. Drawing upon his experience in traditional public relations, political communications and digital media, he has extensive experience in helping clients to develop their reputational risk profile, anticipate crisis and risk scenarios, proactively stake out positions on critical issues and respond to crises. Michael has counseled corporate clients on CEO transitions, workplace health and safety issues, international intellectual property litigation, high-profile workplace violence incidents, unionization campaigns, and activist campaigns. His clients have included financial institutions, private equity firms, energy firms, pharmaceutical companies, medical device manufacturers, quick-serve restaurants, and consumer packaged goods companies.
Before joining BCW, Michael held a succession of positions with a specialization in public affairs and crisis communications. He was most recently with a boutique public affairs firm based in New Jersey, where he was Executive Vice President in charge of the firm’s operations. Prior to this, Michael held successive positions with firms based in New York City, where he managed multinational crisis and issues management engagements for organizations including Samsung Electronics, Starbucks, PepsiCo, General Electric, Unilever, Yale University, Western Union and others.
In an email interview with Brian Pereira of CISO MAG, Michael talks about strategies for managing cybersecurity reputation risk and communications best practices for handling breaches. He outlines what organizations need to do to be cybersecurity resilient. He also talks about BCW CyberTREE, a crisis communications and reputation management framework.
Cybersecurity threats continue to grow in volume and sophistication. However, managing cybersecurity reputation risk has not kept pace with the evolution of threats. What are you observing?
Nearly every relevant industry has rapidly evolved to meet the challenges of cybersecurity risk. In addition to information technology, insurance and law have most notably adopted industry best practices and standards.
We developed BCW CyberTREE because we saw a need for a crisis communications and reputation management framework that can align with any company’s incident response plan. It’s based on a careful review and analysis of our own cybersecurity crisis engagements with clients, as well as studying a cohort of high-profile cyber events.
The focus is to be an effective communications partner with the full CSIRT, especially forensics, legal and a company’s executive leadership team.
This is important because stakeholder opinions about how well a company managed a cyber event can be critical to resilience and recovery. This can include whether customers choose to continue doing business with you, how investment analysts view your ability to manage risk and whether prospective employees pursue career opportunities with you or a competitor.
What are the mistakes that most breached organizations are making? What are the gaps in communication and how does BCW CyberTREE help?
BCW CyberTREE is based upon three core principles that directly address the main gaps we’ve seen:
First, corporate reputation is essential to cybersecurity resilience. This means perceptions about how well a company responds to an incident can be as important as the technical response itself. It’s not enough to only restore your network’s integrity. You need to maintain – or rebuild – stakeholder trust. A client CEO once told me, ‘My network has no value if I lose all my customers.’
Second, cybersecurity crisis communications is a cross-functional CSIRT responsibility. Communications cannot do its job effectively without cooperation from the CSIRT, and everyone – not only communications – should be focused on maintaining stakeholder trust and confidence throughout the incident.
And third, cybersecurity crisis communications strategy must account for facts and speculation. While the CSIRT is mainly focused on resilience and recovery, the communications team needs to focus on that as well as myriad hypothetical potential scenarios that may emerge.
What are the top 3 or 5 things that a breached organization should immediately do?
The cybersecurity crisis situations that I’ve seen end with the best outcomes have all been guided by a written plan that had been practiced by the full CSIRT using an interactive simulation platform like BCW PressurePoint.
Most plans have similar initial steps: (1) Send an internal alert from legal notifying CSIRT members that a legally privileged investigation is being initiated – this is also a signal to avoid using specific terms like “breach” that can have legal, and ultimately reputational, implications. (2) Call your cyber insurer. (3) Retain outside cybersecurity legal counsel. (4) Retain an independent forensic consultant. (5) Retain cyber crisis communications counsel.
The first things your cyber crisis communications consultant will do are to begin monitoring news and social media for chatter or potential leaks; prepare initial statements for news media in case of any inquiries and adapt them for social media in case of questions or comments; and, in the case of BCW, we will begin assessing the situation based on the 25+ specific considerations that span the four domains of BCW CyberTREE: Threat, Response, Expectations and Engagement and build out a full crisis communications strategy.
Most countries have laws and regulations that make it mandatory to report cybersecurity incidents, especially in regulated industries such as banking and finance. For instance, Canada has PIPEDA. But are there any provisions/clauses for crisis communications?
There are no specific provisions for crisis communications and reputation management. The laws and regulations you mention require certain details in reporting and notifications, and they can provide essential information that’s needed for effective crisis communications. But they don’t take into account the importance of communications to rebuild or maintain trust among customers/clients/patients/investors/employees and other stakeholders. This is the critical gap BCW CyberTREE was created to fill.
What best practices and strategies do you recommend for handling the crisis communications in the wake of a cybersecurity incident?
The most important best practice is to observe “the trinity of cybersecurity crisis communications”: Forensics, Legal, Communications.
Forensic consultants need time to complete their analysis. Legal provides advice and counsel based on that analysis and communications provides an integrated communications strategy based on the forensics and legal guidance. The communications strategy should include news and social media engagement as well as employee communications, investor relations and communications with key customers and other stakeholders.
Can you elaborate on BCW CyberTREE, your strategic communications model for cybersecurity crisis communications response and planning?
The foundation of BCW CyberTREE is a set of more than 25 strategic considerations that, when fully, create a crisis communications roadmap for managing a cybersecurity incident.
For example, the first consideration is, “Who is the threat actor?” A threat actor can be a nation-state, an organized criminal network, a “lone wolf” (external), or an insider (or, there can be no threat actor).
Nation-states are often clandestine about their activities, whereas some organized networks may use social media to exert pressure on an organization to comply with ransom demands. Organized networks oftentimes have a pattern of behavior, while a “lone wolf” can be entirely unpredictable. So you can see, based on this single decision point, how your communications strategy would have to shift dramatically.
There are currently 28 additional considerations inside of CyberTREE which we will continually update and evolve as the threat landscape evolves.
Brian Pereira is the Principal Editor of CISO MAG. Apart from his editorial responsibilities, he enjoys writing features, interviews and technical articles.