As we have witnessed in recent years, a cyber-security incident that causes wide economic and commercial disruption, or even operational incidents, can generate intense media attention and potential damage to a company’s reputation. Organisations and their senior management often struggle to respond adequately to a cyber-breach while in the public eye. The shipping industry is no different from other areas of business when it comes to the challenges of media management once IT systems are completely down: corporate freeze takes over and most active communication comes to a grinding halt.
As with any other crisis media response issue, preparation is key if media engagement during a cyber-security incident is to be managed in a way that limits reputational damage and increases the confidence of external stakeholders.
Next to the crucial operational aspects of the cyber-security plan, we believe every shipping company’s Emergency Response Plan today should have a separate paragraph covering communication following a potential attack on the organisation’s IT infrastructure.
Not only should such a contingency plan cover a notification list of stakeholders to inform – e.g. staff, clients, charterers, P&I Club, Flag State and Police, to name a few – but it is equally important to consider when and how to alert key relations and the press to a situation.
Bearing in mind that normal communication systems are often not accessible during a cyber-breach, it is important to establish alternative communication channels that enable the company to share updates with the outside world. Notably, when Maersk was affected by the Petya virus and had to shut down its entire IT system, the only means of communication was its Twitter account, which proved a vital channel for sharing updates with customers and the media.
As reporting on cyber security moves fast, and questions from clients and other stakeholders in the early stages will be pertinent and pressurised, the timing of any company statements and the tone of messaging are essential. Where the initial reflex of ship owners and managers is to keep their cards close to their chest, the reality today is that any delay in informing stakeholders may have an adverse effect on the confidence of clients and consequently on the reputation of the company.
Finally, it is essential that a company-specific question and answer document, as well as a first holding statement, is available in the event of a cyber-security incident, covering the main issues of the IT breach and establishing the means of restoring operations to normal. Failure to prepare these means that any shipping line considering its next steps once its systems have been targeted may find the challenges of protecting reputation and commercial interests too complex.