Call it a case of schadenfreude on the part of those who have suffered from the often confounding actions and long reach of folks such as the US SEC, credit ‘agency’ Equifax, big bank Wells Fargo, and while we’re at it, lets not forget United Airlines; each of of which have completely maligned their reputations by failing to follow best practices when faced with a P.R. Crisis.
The two most recent headline episodes profile the latest organizations that decided to cover-up major computer hacking events, and instead, executive management felt it best to put a long-delay on issuing public disclosures of hacking attacks against their systems. This week, the US Securities & Exchange Commission (SEC) confounded a broad universe of Congress, as well as hundreds of public company executives, when it disclosed its Edgar System [Electronic Data Gathering, Analysis and Retrieval System]-the depository for corporate filings–many of which are intended to be confidential) was hacked in 2016 and that incident, according to its announcement issued late Wednesday night, purportedly triggered insider trading abuses by the hackers (or the end recipients of that confidential intel) as recently as this past August. Who knew??
According to both current and former SEC executives, very few members of SEC senior management were informed of the incident, and some only discovered the news courtesy of news media outlets (you know, those ‘fake news’ folks). The SEC didn’t exactly put out a press release on the matter, instead SEC Commissioner Jay Clayton published a ‘cybersecurity notification’ late Wednesday night that made subliminal reference to the incident. For P.R. Crisis Management experts, that approach to government agency disclosure simply failed to meet the any acceptable litmus test.
Last week’s disclosure by Equifax that the personal credit files of nearly 150 million US citizens had been lifted months ago by hackers, along with the Wells Fargo fiasco (in which executive management first covered up for months and then continuously downplayed the extent of phony account creations in which millions of dollars in fees were charged unknowingly to customers) speaks volumes to the never-ending “lapses in judgement” exhibited by folks who seemingly have more than just a ‘fiduciary obligation’ to disclose critical events that can cause severe damage to constituents.
First and foremost, senior management of any entity, whether a public company or a government agency who conspire to cover-up and fail to disclose material events that negatively impact customers, shareholders or constituents, and in turn, prevent those victims from taking steps to protect themselves should be fired immediately. More vigilant experts would argue those folks should be prosecuted.
So what is an organization supposed to do in advance of a massive cyber attack in which confidential records are stolen, or in advance of a food poisoning throughout your chain of restaurants (think Chipotle), or in advance of claims of sexual harassment lodged against your globally-recognized CEO (think Uber, among others)??
Well, aside from the obvious–which is to confront a known crisis head-on and take immediate steps to disclose the event and identify the process that will be implemented to repair the damage (an approach that any right-minded 12 year old whose moral and ethical compass is properly configured would take), organizations that are susceptible to any number of events that would logically require triage from the corporation communications or Public Relations department should train in advance by actually simulating a P.R. Crisis event that can be responded to. This is no different than what firefighters, military, law enforcement and other critical response teams do, before a crisis happens!
Per NYT column, “Who’d Create a P.R. Crisis in Advance?”, there are plenty of thought-leading companies and other organizations that embrace the notion of advance planning and detailed processes to diminish a fatal hit to reputation. These focused folks enlist third-party firms to provide a slew of training exercises, using near live-fire incidents that will enable in-house PR and IR teams to hope for the best, but be prepared for the worst. Whether the likes of federal government agencies such as the SEC, trusted agencies such as Equifax, or financial service companies such as Wells Fargo will ever ‘get the memo’ remains to be seen, but maybe they’ll read this blog post and read the story below…
Corporate crises unfold at lightning speed in the digital age. Companies suddenly find themselves on the defensive thanks to criticism, often on Twitter, from President Trump. Products like Tiki torches and New Balance shoes unwittingly become associated with white supremacists. United Airlines deals with a public outcry after a video showing a passenger being violently dragged off a flight goes viral, and Equifax is criticized for its handling of a security breach that compromised the personal information of potentially 143 million Americans.
As social media makes these moments ricochet around the web like never before, companies are realizing they don’t have the luxury of calmly sitting back, assessing the situation and then deciding on a solution. They need to be ready before it happens.
The full NYT story by