Preparing for the Inevitable: Crisis Communications Planning for Cybersecurity Threats

By: Chris Cline

According to a recent report by the Identity Theft Resource Center, through the first three quarters of 2023, there have been 2,116 reported data compromises, setting a new annual record with three months yet to go. Just this week, mortgage servicing giant, Mr. Cooper made headlines because it was a target of a cyberattack on Oct. 31 impacting millions of borrowers. According to an SEC filing, MGM suffered a cyberattack that cost them an estimated $100 million in September.  

These attacks aren’t exclusive to major companies or large business operations. The National Association of Insurance Commissioners (NAIC) issued a report earlier this summer that said 50-75% of ransomware attacks are directed at small businesses.  

Small businesses are primary targets, as they typically spend less on security, making it easier to hack into the systems,” according to the NAIC.  

Accenture’s 2023 cybercrime study reveals that 43% of cyberattacks are on small businesses. Of these, only 14% are prepared for a cyberattack. On average small businesses spend between $826 – $653,587 on cybersecurity attacks.  

After an organization suffers a cyberattack, one of the first things they usually do is start looking for and hire a public relations firm that is skilled in crisis communications, especially adept in dealing with cyber-related attacks. However, it’s too late at that point to hire a public relations agency to craft and manage communications to effectively represent your brand.  

The onboarding process for a public relations agency to understand your company or your brand takes time. After a cyberattack occurs, there isn’t time for this critical process to take place as you are squarely in reactionary mode. If the goal for your public relations agency is to craft communications that are in line with both understanding your brand and responding to the crisis in a way that ensures your long-term sustainability, we have to understand your business, know who your target audience is, and what other third-parties you may have to report the cyberattack to.  

Business Continuity Plans today should include having a public relations agency on retainer that is skilled in handling crisis communications related to cyberattacks. The onboarding process should occur well in advance of an incident so messaging maps, spokespeople, and media training can be done proactively rather than reactively. By doing this in advance, you can control the narrative when your business falls victim to a cyberattack.  

Key Takeaways: 

  • It’s not a question of if your business will fall victim to a cyberattack, it’s a question of when.  
  • Public perception is your brand. Protecting it during times of crisis is critical to your long-term sustainability. 
  • Not every public relations agency is experienced in dealing with crisis communications related to incidents involving cybersecurity.  
  • Hiring a public relations agency after you have suffered a cyberattack is too late.  
  • Start working with a public relations agency now to develop a communications plan for when a cyberattack does occur. Think of it like an insurance policy.  
  • Hold tabletop exercises simulating a cyberattack and involve your public relations agency so everyone is on the same page when it does occur.  

When you fail to plan, you plan to fail. The question is can you afford to take that risk with the reputation of your business? KCD PR President, Kevin Dinino, is the outreach chair of the San Diego Cyber Center of Excellence and the host of the “Cyber Insiders” podcast, you can listen to new episodes here: For more information, please check out this article on How Communicators Can Navigate through Cybersecurity Crises.

Our newsletter delivers Wonders & Blunders

Sign up for our weekly newsletter for the latest news, trends and financial advice in the fintech world.

"*" indicates required fields

woman holding cell phone with newsletter

Ready for results?
Let's connect.

Want to work with KCD PR? Receive a 15-minute no obligation consulting session.