According to IBM’s Cost of a Data Breach report, the healthcare industry has maintained its position as the foremost sector in data breach costs, with the average cost of a data breach in this industry being around $11 million in 2023. Finance comes second, with an average cost of $6 million per data breach as of 2023.
Amidst a 15% escalation in the global cost of breaches over the past three years and the increasing centrality of data governance in ESG goals, companies need to place a premium on refining communication strategies that allow them to minimize backlash in the aftermath of a cyber-attack, safeguard their reputation, and preserve consumer trust.
Cybersecurity incidents pose a profound risk to one of a company’s most valuable assets: its reputation. These incidents attract heightened negative media attention, emphasizing the imperative for steadfast cybersecurity measures to safeguard not only financial interests but also the broader credibility and standing of the organization.
In 2023, the estimated lost business costs, covering aspects such as business disruptions, revenue losses due to system downtime, expenses related to lost customers and efforts to acquire new ones, as well as the impact on reputation and goodwill, amounted to $1.30 million.
Our analysis of news coverage in 2023 underscores that negative media coverage of poor security measures can lead to doubts about an organization’s ability to safeguard sensitive information, potentially resulting in customer churn and eroding credibility. The repercussions extend to influencing customer decisions, partnership opportunities, and market sentiment.
Based on Signal AI data regarding news coverage of cybersecurity incidents in 2023, the major players leading the discussion include companies in the tech and financial sectors. Yet, with the rising prominence of biotech companies managing increasingly sensitive information, such as genetic and biological data, and leading the chart of companies for whom data breaches come at a higher cost, they are now making their presence felt in these crucial conversations.
In October 2023, genetic testing company 23andMe reported falling victim to a cybersecurity attack when the information of several users surfaced on a well-known hacker forum. Despite occurring towards the end of the year, this data breach propelled 23andMe to the forefront of companies most frequently mentioned in relation to cybersecurity. From October through the year-end, the company witnessed a threefold increase in the number of news articles compared to the preceding three months, with the proportion of negative coverage surging from 22% to approximately 68%.
The incident continued to capture press attention as details of the breach unfolded, drowning positive news coverage of the company’s ventures in novel biotech programs, new partnerships, and financial results during the last three months of 2023.
Beyond affecting a company’s reputation, the negative coverage that follows a cybersecurity incident can be contagious to other companies in the same sector, as they are mentioned alongside the targeted company. For instance, despite receiving predominantly positive coverage during the last three months of 2023, Ancestry.com found itself mentioned alongside 23andMe in 13% of the news articles.
The way companies handle PR & Communications strategies following cybersecurity incidents can either minimize or amplify the impacts of the breach on their reputation.
Across all industries, innovation and performance remain the key battlegrounds. However, during the cost-of-living crisis, financial matters, including companies’ long-term outlook, market targeting, and the establishment of partnerships and R&D, become especially sensitive key pillars of growth. In this context, effective crisis communication is crucial, turning the way companies secure and protect their clients’ data into a potential landmine in all major industries.
In both the healthcare and financial sectors, crisis communication following a cyber attack reveals a pattern of resorting to generic and defensive statements as companies attempt to avoid the backlash, which ends up alienating customers and further eroding trust.
Initially, the Securities and Exchange Commission was informed that the data breach had impacted only 14,000 customers. However, as time elapsed, the true scale of the attack became apparent, with more recent estimates suggesting that nearly 7 million customers were affected. The steady release of new information regarding the breach intensified the difficulties in crisis communication, as it maintained media attention through a continuous stream of updates.
The timing of communications holds particular significance, especially in the aftermath of a data breach or cybersecurity incident. The costs associated with detection and escalation, encompassing services such as assessment, audit, crisis management, and communication with executives and boards, constitute the most substantial category of expenses in such situations. Over recent years, there has been a noteworthy year-to-year growth in these costs, indicative of a shift towards more prolonged and intricate breach investigations.
But it is not only about timing: not taking accountability following a cyber-security attack amplifies negative coverage as companies are perceived as trying to evade negative consequences.
News coverage of the company escalated even further in late November when the company introduced changes to its terms and conditions, emphasizing the arbitration clause and restricting customers’ ability to file class action lawsuits. This occurred as the number of customers concerned about the extent of the data breach continued to grow, and resulted in a new wave of negative coverage.
Litigation arising from data misuse often triggers a Streisand effect, intensifying the news scrutiny surrounding companies and underscoring their responsibility to protect clients’ personal information in the aftermath of a data breach. However, media scrutiny also unveils the dual nature of cybersecurity, where a focus on how companies safeguard their clients’ private information can serve as a significant driver of positive coverage, highlighting the importance of proactive measures in shaping a positive narrative around cybersecurity efforts.
What should communication strategies prioritize when it comes to protecting their reputations following a cyber-attack?
In today’s digital age, cybersecurity is crucial for the ‘G’ in ESG. Companies should prioritize creating a strong cybersecurity and communication strategy, making it a top priority in their interactions with customers.
Burying details about how customers’ data will be handled and protected within the confines of fine print is no longer a sufficient response to their valid concerns. Using an uninviting stream of legal jargon sporadically punctuated with vague assurances—rather than clear and simple language that goes beyond addressing customers’ worries about the use of personal information—creates a treacherous sea to navigate in the event of a cyber-attack. This approach portrays companies as prioritizing their image over their customers’ safety and trust.
Similarly, blindly playing into media chatter following a cyber-security incident might neither be practical nor necessary. As details regarding the breach evolve throughout the increasingly prolonged investigation process, companies might be perceived, at best, as not being on top of the situation and, at worst, as being insincere. Neither option is likely to assist them in (re-)building consumer trust or protecting their reputation.
At the end of the day, a good reputation is slow to build and quick to lose. Companies, especially those who are entrusted by customers to store and handle their most personal and sensitive data, need a robust plan with media analytics solutions at its core, providing real-time insights into stakeholder sentiment, media traction, and messaging effectiveness. In the fortunate absence of a data breach, keeping an eye on how their messaging and commitment to ESG goals are being discussed in the media and perceived by their customers is a tried-and-true tactic to protect companies’ reputations, and a proactive way to minimize the reputation blow following a cyber attack.