According to a 2024 IBM report, a typical data breach costs its victim an average of $4.88 million. What’s not so easily quantifiable is the event’s impact on business partner trust.
Rebuilding trust after a data breach requires transparency and a proactive approach, says Sean Gately, vice president of security solutions at Bluefin, a payment and data security company. “There should be immediate and straightforward communication with all involved stakeholders,” he advises in an online interview. Gately suggests promptly informing business partners about the breach, detailing what occurred, the data involved, and the measures being used to address the situation. “This openness will demonstrate accountability for the breach and a commitment to addressing the problem.”
First Steps
Maintaining and rebuilding partner trust starts as soon as the incident is discovered. Whether it’s employees, customers, suppliers, investors, regulators, or all of the above, start communicating as soon as possible, recommends Nicola Cain, CEO and principal consultant at legal and regulatory compliance consulting firm Handley Gill. “Nothing erodes trust as quickly as affected parties finding out about the incident via traditional or social media, or from their clients, instead of from you,” she says in an email interview. Next, be as transparent as possible while recognizing that significant further damage can be caused by releasing inaccurate information before it’s confirmed. Cain also advises against underplaying the incident’s extent, since that risks giving affected parties a false sense of security.
Gately agrees that once a breach has been discovered, a rapid informed response is essential. “If there are delays, or information isn’t shared, it can increase damage and break down trust even further,” Cain says. Acting promptly demonstrates responsibility and control, both of which are essential to assuring partners that necessary actions are being taken. “This step also helps prevent additional fallout and ensures you’re meeting any regulatory requirements.”
Personal engagement by senior executives will demonstrate to affected partners that their concerns are being taken seriously, says Tim Rawlins, a senior adviser and director at cybersecurity services firm NCC Group. In an online interview, he notes that security team-to-security team engagement is essential. “It demonstrates that, at a technical level, the compromised organization is committed to helping.” It also shows that your team understands the attack vector, the extent of the compromise, and its ultimate resolution. “Sharing this knowledge and experience can create a rapid reconnection that would otherwise hinder rebuilding the wider relationship.”
Be gentle, Cain advises. Your partners have just had an unwelcome surprise; don’t give them any more shocks. “They need to feel that you’re being as up front with them as you can be, that you’re providing information in a timely manner, and that you’re at least as concerned about them and their interests as you are about your own interests and any potential liability.”
Avoiding Mistakes
One significant mistake enterprise leaders make is underestimating the importance of timely and transparent communication with all involved parties, Gately says. “Withholding information or delaying notification can lead to speculation among partners, since the trust is already weakened when the breach occurs.” To restore lost loyalty, leaders should continue to offer ongoing support to all organizations affected by the breach. “Neglecting to invest in proper security measures post-breach is also a standard error, resulting in repeated incidents and signaling to partners a lack of commitment to data protection.”
Rawlins says the biggest mistake he sees is organizations believing that the best approach is to say nothing. “What partners are looking for is reassurance that the incident is being taken seriously, that their concerns are being addressed, information is being shared, and the situation will be resolved so they can get back to business,” he explains. Assuring resilience and the ability to survive and thrive is essential. “Everyone wants this outcome, and if leaders aren’t supporting it in their partner’s environment, then the attackers win.”
Final Thoughts
After a breach affecting multiple partners, each of whom has their own customers, investors, and regulators to be concerned about, it’s in your interest as well as theirs to work closely to help them comply with their obligations, Cain says. One way to do this, she notes, is by providing affected partners with a template notification to send to their relevant regulators or clients. “This has the advantage of saving time in responding to individual enquiries, as well as ensuring consistency, which can assist in the event of a regulatory investigation or litigation.”