Imagine the panic inside the halls of Colonial Pipeline last May. Headquartered in Alpharetta, Georgia, the privately held company is among the nation’s largest pipeline operators. Estimates suggest it provides nearly half of the East Coast's fuel supply—we’re talking gas, diesel, home heating oil, jet fuel and even fuel for the military.
So, when criminal hackers breached the company’s computer network through a VPN account—using a password leaked on the dark web, to do so—all in an effort to hold Colonial Pipeline’s data for ransom, decision-makers in Alpharetta were backed into a corner. Because the ransomware infected a computer system responsible for pipeline management, stakeholders at Colonial Pipeline elected to halt all pipeline operations on May 7 and pay the hackers $4.4 million in bitcoin.
It wasn’t until six days later that the pipeline was restarted. And during the intervening shutdown, all hell broke loose, with long lines of nervous motorists at gas stations—particularly those in the Southeast—hoarding fuel and causing prices to spike and near-term shortages.
Mortifying as they may be, cyberattacks like the one Colonial Pipeline confronted have become a when-not-if proposition for corporates worldwide. Just ask Facebook, which was victim of a data breach earlier this year exposing the personal information—phone numbers, Facebook IDs, full names, locations, birthdates, bios and, in some instances, email addresses—of over 533 million users from 106 countries.
Even more audacious was the hack of Solar Winds, Inc. discovered back in late 2020, perhaps one of the biggest and most troubling cybersecurity breaches ever. What was so extraordinary about that cyberattack was that it compromised the data of thousands of SolarWinds customers, including the U.S. Departments of Justice, State, Treasury, Energy and Commerce, creating yet another public relations fiasco for all involved.
Common among all of these examples, and every other cyber event making headlines, is that they throw corporate management into immediate crisis mode.
Crisis Management 101
Of course, corporate calamities aren’t limited to data breaches. Corporate fraud, shareholder disputes, partnership breakups, restructurings, product recalls, employment issues and controversial COVID-related policies (read: vaccine and indoor masking mandates) are all crises in the making, at least potentially. Consequently, every business must abide by this most basic lesson: advanced crisis management planning, stress testing and strategy are critical for any entity that could find itself staring down the barrel of a public relations nightmare, no matter the scale.
Why Wait?
More often than not, crisis management is set into motion after disaster strikes. But a crisis management team that knows its company’s business, customers, partners, strengths and pain points should be assembled long before it’s time to jump into action. Waiting until a problem is discovered (or worse, made public) is a recipe for elevating that problem into a crisis. Which is why a team of professionals managing a company’s response, at its most vulnerable time, should be in position to act, rather than simply react. Without question, every business would rather play offense than defense, and that’s almost always an option with proper preparation.
To their credit, many companies lean into crisis situations by initiating investigations. But they do so on their heels, all the while absorbing bad press and public outrage pending the completion of internal inquiries. By then, the damage has been done in the form of hits to a business’s reputation, the morale of its workforce and oftentimes—and most painfully—its revenue. While post-crisis investigations often are both effective and necessary, they should be just a part of a more fulsome strategy, not the lone one.
Rather than being unprepared and in a needlessly defensive posture when troubling news breaks, stakeholders should proactively build teams of trusted advisors who learn the ins and outs of their businesses and use that knowledge to build response plans before ending up face-to-face with a developing catastrophe. By employing a more preemptive take on crisis management, businesses can get ahead of potentially devastating narratives and better manage the inevitable collateral damage.
Planning Ahead and Putting Your Best Faces Forward
While board oversight and C-suite intervention is ordinarily sufficient when it comes to relatively benign PR hiccups—say, supply chain disruptions or employee turnover issues—next-level corporate headaches, like cyberattacks, environmental disasters, executive controversy or social media backlash, require pre-planned crisis management, ideally by a unit that includes communications experts, PR specialists and financial advisors. At the helm of this group of experts should be independent outside legal counsel who not only understands the affected company’s business and operations, but also is trusted by internal stakeholders. To be sure, crisis management planning must lean heavily on lawyers because the byproduct of most every corporate train wreck is legal liability that oftentimes spans an organization’s various business units.
Together, these professionals can work to foresee situations and events that could knock a company off its axis and create response and risk mitigation strategies geared toward preserving a business’s good will, reputation and revenue—this while shielding it from legal exposure to the extent possible. And when an actual full-blown crisis comes to pass, the crisis management A-team can spring into action with a ready playbook, having anticipated (at least within the margins) the scope of the challenge at hand.
By addressing crisis management proactively—with a designated lineup of legal, comms, PR and financial pros prepared to act on behalf of a corporation under siege—management is freed up to do what it does best: run the business so it can remain viable—and even thrive—despite any crisis that comes its way.
This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.
