Insights from the American Bankers Association (ABA) Risk 2021 Conference:
How Banks Must Adapt Their Risk and Crisis Communication Strategies
Undoubtedly, the Covid-19 pandemic has accelerated and complicated risk and crisis communications for all organizations in profound ways. For companies in the banking industry, these shifts have been even more pronounced. The pandemic has accelerated the rapid digital transformation that began in the sector in the last decade, and has brought increased reputational risk to banks that are forced to confront evolving data security and privacy concerns far more frequently.
This is a critical moment for financial institutions. It’s time for an incident response plan refresh that centers on crisis communications preparedness and training.
Banks should adapt their risk and crisis communications strategies to match the urgency of the moment. They can do so today by considering the following principles.
- Dust off and streamline an actionable plan.
Gone are the days of the 100-page incident response plan. To be action-oriented and reflective of workforces dispersed by Covid-19, effective incident response plans must focus heavily on scenario planning. This means contemplating – in advance – decision-making criteria and communications approaches around specific risk areas and threats. Critical areas of focus include the evolving nature of ransomware and its various escalations and permutations (e.g., data exfiltration, public data leak); third-party/vendor breaches; and insider threats.
- Double down on internal communications.
Covid-19 has led to rising expectations from internal stakeholders in terms of how and when financial institutions communicate about critical issues. Employees are increasingly calling on corporate leadership to not just provide “performative” messaging around critical issues – from cybersecurity through the most pressing areas of social upheaval – but, importantly, to demonstrate a bias toward action around key issues. Employees are often the face of banking organizations to the public; earning their trust will be critical to limiting risk with your customers and other external stakeholders.
- Prepare to project transparency.
Externally, financial institutions face increased pressure to communicate more proactively, more quickly and more transparently. Every bank will need to make its own reputational calculus around proactive public communications, balancing the risks and rewards based on the scope of the incident. In this decision-making process, banks should consider maintaining their own brand values and culture of communications to maximize authenticity.
- Adopt a multi-layered security approach to mitigate threats.
Given the rise of insider threats – whether due to a malicious insider or accidental employee error – it’s important for financial institutions to adopt a multi-layered approach to security: addressing not only information security, but also how to mitigate risk around personnel security and physical security. As such, incident response planning should not reside within the IT function alone; to be effective, cybersecurity risk mitigation must also incorporate perspectives from legal, HR, facilities and communications/marketing.
Jamie Singer is an Executive Vice President and Director of Data Security, Privacy and Crisis Communications at Resolute Strategic Services. At the ABA Risk 2021 Virtual Conference on March 23, 2021, Jamie joined Emily Lowe, New England Leader, FINEX, Cyber and E&O at Willis Towers Watson, in a session titled, “Risk and Crisis Communication in a Post COVID-19 World.”