Between Transparency and Security: Six Guidelines for Communicating in the Age of Cybercrime

Entering the term "cybercrime" into Google produces 11 million hits; for "cybersecurity" the figure is as high as 61 million. These numbers underscore the relevance of, and the attention given to, internal and external attacks on consumers, companies and institutions alike.

Cybersecurity a high priority for SIX

The SIX network is accessed more than a billion times a day, and more than 30,000 times a second at peak times. These "events" range from the harmless sending of an e-mail to attempts to log in to the exchange system. Thankfully, only a handful of them genuinely require any action to be taken, and that is just as well: a major fault, theft or manipulation of data could cause significant financial damage to the entire Swiss economy within a short space of time, not to mention the associated damage to the reputation of SIX.

But there is also a flip side to the coin. The growing demand for cybersecurity measures in Switzerland also offers business opportunities for a financial technology company like SIX. One key development in this respect is the Security Operations Center (SOC), which will be up and running from January 2018 and which SIX will also be offering to third parties.

The challenge for SIX in terms of communications lies precisely in this tension between system security and the exploitation of market opportunities. We always need to strike the ideal balance between trust, security and transparency. 

From Communications 1.0 to…

Times are slowly changing. In the past, whenever a potential cybersecurity vulnerability came to light, we applied the familiar triad by default: 

  1. Keep quiet 
  2. Talk down 
  3. Cover up

Translated into the terminology of communications, this means: “No comment”, “de-escalate” and “damage limitation”. There was certainly justification for this way of operating, because we were genuinely worried about appearing on the radar of cybercriminals.

The world of communications has changed drastically in recent years, however. Old-school corporate communications and its natural counterpart – the traditional media – no longer rule when it comes to interpreting events. Many more instruments have joined the orchestra, and it is playing faster. Not only does the press spokesperson communicate on behalf of a company, but each and every employee is also a spokesperson or even an ambassador for SIX on Facebook, Twitter and LinkedIn. Confidential matters are rarely kept secret for long, and leaks lead to constant commotion and scandal.

... Communications 2.0

In the communications environment just described, system outages and cyberattacks become public knowledge more often. In addition, the new General Data Protection Regulation (GDPR) will apply throughout the EU from 25 May 2018, and it also reaches companies outside the EU that process the personal data of people within it. It requires companies to notify the competent supervisory authority of a "personal data breach" without undue delay and, where feasible, within 72 hours of becoming aware of it, and to inform the affected individuals as well where the breach poses a high risk to them. What this means for communications is that many more security events will be made public in the future.

For both of these reasons, we are constantly rethinking our communications strategy and deciding on a much more situational basis than before. It goes without saying that there are still reasonable grounds for conservative communications in certain cases. But we want to communicate more actively whenever possible in order to remain credible. Improved cybersecurity also requires more information about cybercrimes. This is the only way that systems around the world can be improved, and employees and customers can be made aware of the new dangers.

When appropriate, we will therefore seek to base Communications 2.0 with respect to cybercrime on a new triad: 

  1. Acknowledge the problem 
  2. Explain the situation 
  3. Build trust 

The corresponding communications messages are “communicate actively”, “communicate transparently” and “build up our reputation”. 

Specifically, SIX has defined six communications principles for the field of cybersecurity:

  1. Security and competence
    Instead of fueling uncertainty with our communications, we provide information promptly. SIX exudes security and competence as a result.
  2. Raising awareness and training
    We are constantly training our employees on how to handle information and data securely. This is particularly true for social media, where we encourage our employees to share and like. 
  3. Flexible and adaptable
    We question our communications and adapt it if necessary. The communications mix is constantly being expanded in order to reach a large number of people and organizations quickly.
  4. Active and transparent
    When things get serious, we provide information as actively and comprehensively as is appropriate. This is the only way for SIX to retain control over the public debate on the topic.   
  5. Leading and market-oriented
    We want to be leaders when it comes to the issue of cybersecurity. That is why SIX is managing this topic from a number of different perspectives. We communicate openly and honestly, and do not cover up potential risks. With respect to customers, SIX focuses on the security, reliability and stability of infrastructure and services.  
  6. Training and preparation
    We are constantly practicing cybercrime scenarios in order to provide information quickly and actively, and to build trust in the event of an incident.

SIX must keep its infrastructure secure, stable and reliable. The potential damage to the company's reputation from a major security event is enormous. Well-judged communication limits this kind of harm to our image; ideally, it can even neutralize it or turn it to our advantage. Let's be clear about one thing: we cannot communicate the damage and the risk away. But we can use our communications principles to positively influence the impact on our reputation.