Josh Merkin|Sep 14, 2017

While big retailers continue to be a top target for data thieves, professional services firms are increasingly finding themselves as targets for cyber hackers. This is due to the vast amounts of valuable client data they manage and a reputation for being easier targets because employees at these firms are currently less suspicious and cautious, especially when it comes to phishing scams.

Even though some professional service firms are finally getting the message and investing more in software and consultants to prevent cyber theft, one area where a lot of companies fall short is in developing a cyber theft-specific crisis communications plan.

So far this year, several international and U.S.-based law firms and accounting firms have reported attempted cyberattacks. Recognizing these threats, professional associations within these industries are starting to draft new rules and regulations putting more pressure on firms’ leadership to make sure their data is protected.

For example, in May 2017, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued new guidance for lawyers as it relates to their handling of client data. Even though the ABA does not set final rules over attorneys, this is another clear indication to the industry that data security must be considered a priority.

Without a comprehensive and strategic crisis communications plan, firms will be in reactive mode and making key decisions that could negatively affect their brand reputation. While these plans do require a fair amount of work, with the right roadmap, the task doesn’t have to be too daunting.

One way to go about creating their plan is by borrowing from an old journalism trick and using the 5Ws: who, what, when, where, and why. Here’s how these can be implemented.


This may seem obvious but it’s still surprising how many firms don’t have a crisis communications plan in place, especially for something specific like a data breach.

Often this is because they don’t want to invest the time or financial resources. Other times, it just gets pushed to the bottom of the list of priorities since it isn’t something that has an immediate or direct impact on business profit.

However, if you consider that a well-crafted plan can prevent the devastating loss of clients and revenue, it’s worth making it a priority.


When thinking about the “who,” there are three different things to consider.

The first is who should be involved in creating the communications plan. A firm’s managing partner/director, CEO, etc. may leave that in the hands of a marketing or communications director, but that isn’t necessarily the best course of action. Instead, crisis plans should have input from the firm’s executive management team, as well as the IT department, legal counsel, administrative leadership, HR executives and any communications agency and software vendors (if applicable).

While the plan creation can be led by marketing/PR personnel, it is necessary to get strategic high-level input from senior leadership and department heads to ensure that all scenarios and concerns are covered.

A second “who” to consider is the response team should the firm become a victim of a cyber-attack. If data is compromised, even if an attack is thwarted, immediate decisions with potentially significant and lasting impacts will need to be made.

Also, the actions and activities outlined in the plan will need to be implemented. Therefore, it’s important as part of the planning process to determine who the key decision-makers are, how they will be assembled when the time comes and who is taking on which specific tasks.

The last “who” is about the audiences or stakeholders the firm will need to communicate with. These will likely include employees, clients, and possibly media, professional associations, law enforcement and even government entities.


The “what” of a crisis communications plan includes basic key messages and categories of information the firm will need to share with its audiences in the event of a data breach.

Even though some information may need to be adjusted in the moment depending upon the specifics of the situation, there is still a lot of boilerplate content that can be assembled in advance. These may include a holding statement for press, internal and external memos, a news release and messaging for the firm’s digital channels and website.

There will also be questions to address such as whether the breach was the result of an employee or software error, how much data was compromised and by whom. It is better to consider these scenarios in advance, another reason it is beneficial to have all the key decision makers involved in the development process.


A crisis plan’s “where” should capture all the channels the firm has available to communicate its messages to its audiences. There are many ways to do this including social media, email, snail mail, e-blasts, phone trees and direct in-person communication.

Depending upon the situation, the firm may decide one of the channels is preferred over another or they may decide to use them all, but as part of the planning process, executives should be thinking about the ways that will make most sense depending upon the scenario and actions needed.


While a cyberattack may leave a lot of uncertainties, the “when” in a crisis plan should identify the point at which the plan will be implemented and the triggers that will activate the response team. For this part, there will likely be a lot of contingencies, i.e., when this occurs, then this should happen.

This section should be very detailed and specific because, regardless of how good a plan is, if it’s not rolled out in the right sequence and everyone involved isn’t clear on that process, a situation can be made worse by timing missteps.

We can reasonably expect that professional service firms will continue to be the targets of cyberattacks. Therefore, it is incumbent on responsible practitioners to be prepared. While investing in prevention measures like cybersecurity software, professional experts and education is important, it should not be at the price of a detailed tactical and strategic communications plan for a worst-case scenario. The upfront investment of time and resources to create a plan is just plain smart. It offers the potential to protect the firm’s reputation and revenue in the long run.

