2024年10月25日

Communications in a cyber incident – guidance

作者:

The UK National Cyber Security Centre has published guidance on effective communications in a cyber incident. While targeted at organisations generally, rather than explicitly at pension scheme trustees, the guidance contains useful recommendations that trustees may wish to consider incorporating into their cyber incident response plans. Earlier this year, the Pensions Regulator (TPR) published a report setting out the key steps that trustees should take if a cyber security incident occurs in which communications were a key feature (see our legal update for more information).

The guidance outlines the importance of effective communication to staff, stakeholders, customers and the media in a cyber incident and outlines three core principles.

1. Prepare a communications strategy in advance.

Although it is not possible to predict the timing and nature of a cyber incident, preparing a communications strategy can lessen the harmful impact of an incident. The strategy should cover:

Roles, responsibilities and communication protocols.
How external outreach will be managed.
Use of alternative communications where usual communication channels are not available.
Testing and review of the strategy.

2. Communicate clearly with different parties, and tailor messaging where necessary

Communications should address the specific concerns and needs of each group with whom it is necessary to communicate, while also ensuring that the core points are consistent across the communications. Organisations should provide clear and accurate information that those groups need to know, while also being careful not to disclose information that may heighten the risk to the organisation or its customers. It is important to avoid saying anything that may have to be retracted later (for example, stating that there is no impact on member payments or that no personal data has been affected if the investigation of the cyber incident is still ongoing).

The guidance sets out recommendations to follow when:

Managing the organisation’s own communications.
Managing external factors such as media coverage and interaction with regulatory bodies.

The guidance also recommends preparing answers and a statement in advance.

3. Manage the aftermath in the medium to long term

Organisations should consider the following when developing messaging and communicating in the medium to long term:

Providing regular updates on the progress of incident response efforts.
Communicating updates on incident impact assessments.
Continuing to engage with key stakeholders throughout the recovery process.
Maintaining open communication channels with the media.
Sharing insights and lessons learned from the incident response process and actions taken.

Following an incident, organisations should review their communications response and update their communications strategy where necessary.

How Mayer Brown can help

Mayer Brown can assist trustees in all aspects covered by the guidance, including:

Preparing a communications strategy. We can draft, or review, your communications strategy, including reviewing and, if necessary, updating the strategy following a cyber incident.
Responding to incidents. We can draft, or review, your responses to cyber incidents, including assessing your reporting requirements. In particular, we can draft or review your communications to the Information Commissioner’s Office, TPR, other regulators and any affected individuals.
Reviewing cyber security arrangements. We can review the structures you have in place, including your cyber security and data protection policies, your incident response plans, and security or data protection arrangements with third party providers.
Cyber incident “war games”. We can create and/or support you in carrying out a cyber incident “war game” to test the preparedness and resilience of your scheme’s cyber incident response plan, including in relation to the aspects covered in the guidance.
Training. Cyber security is a fast developing area. Therefore keeping up to date with cyber security developments is important in helping to ensure you have resilient structures in place. We can support you by providing training or knowledge update sessions.