Buzz about a breach

by Mark Rowe

You work for Buzz Bank, and you’re in a crisis. That was the start of a simulation in a webinar today.

It was given by Yudu, a digital publishing and crisis communications platform, and presented by director Jim Preen and CEO Richard Stephenson. The scenario: you are one of the crisis management team of Buzz, based in London, an online-only ‘challenger’ bank with 1400 employees and revenue of £300m. Due to Covid-19, almost all staff are working from home.

The crisis simulation began with word from IT that malware is in its systems. The bank’s platform, as used by retail and business customers, is only working intermittently. IT is trying to discover the extent of the cyber-attack; it may take some time to find out whether the attack is still going on. Customers are reporting problems with their internet banking.

Some big trades are not going through, and dealing desks cannot get access to check their clients’ positions; they too want to know what is going on. Staff are speculating, and the first business journalists are calling. Buzz is already getting some uncomplimentary social media comments.

A footballer and a Love Island contestant are among the celebrities affected by the breach. The webinar imagined that the footballer tweeted to his followers that he couldn’t see his account details: “Tried five times today, nothing. Wanna know my money is safe. What’s the deal!???”

The webinar went through what the bank’s options might be as such a data breach developed, as customers and the media wanted to know what was going on, and as speculation continued on social media.

A theme of the webinar, as stressed by Richard and Jim, was that policies should be set out ahead of time. For example: was a social media policy part of the contract of employment? Did the bank have a policy about whether or how to pay a ransom, if one was demanded by the hackers (assuming that the hackers could prove that they had stolen customer data)? If the bank agreed to pay a ransom in a cryptocurrency, did it know how to buy it?

Had the CEO and other members of the C-suite been trained in fronting a press conference and in handling the press? It was essential (as Richard set out) to talk to the press, for one thing because otherwise journalists would only seek commentary from others. “But you have to be very careful about how you communicate and that takes a lot of training,” he said.

As that and the rest of the webinar showed, response to a cyber breach is about tactical and strategic response, corporate communications, IT and other functions – more than pure business continuity, although BC should be activated at the earliest stage.

© 2024 Professional Security Magazine. All rights reserved.