Wells Fargo banking systems went down last week, cutting off most banking services for an entire business day.
And the way the company failed to communicate with its customers is a lesson for every organization about communication as part of your incident response and business continuity plan.
Regardless of whether you are planning for a cyberattack, an upgrade gone awry, or some sort of physical disaster that causes a loss of service, communication is a must.
Wells Fargo systems down: embarrassing for customers
You can be sure that no matter how you communicate, your customers will share their stories on social media.
Wells Fargo customers were tweeting about being unable to pay bills, delayed mortgage closings, direct deposit no-shows, and a slew of embarrassing situations like this:
Social media users asks about business continuity plan
During an outage, you can also expect customers to second guess you and ask about your planning, especially if systems stay down as long as Wells Fargo's banking systems did.
We uncovered a number of customers, some who said they worked in IT, asking about this:
Wells Fargo communication response: how it failed
Check out the timeline of Wells Fargo's external communications during the banking system outage. The company posted just three updates on its website in 24 hours:
- 1:30 a.m. PST: Reports of problems start coming in from around the U.S., but no web update posted.
- 9:54 a.m. PST: "We’re experiencing system issues due to a power shutdown at one of our facilities, initiated after smoke was detected following routine maintenance. We’re working to restore services as soon as possible. We apologize for the inconvenience."
- 11:44 p.m. PST: "We apologize to our customers. Online and mobile banking, ATMs and most other services are now available."
If you do the math here, that's more than 10 hours between updates (with a few extra "we are working on it" social media posts), and no emails or alerts directly to customers.
That's when we came across this Twitter conversation that could be right on:
And that is a great angle to consider for your incident response communication plan, isn't it?
"... so there's no way for any type of communication beyond text. Is it right? No. But people demanding text alerts from a system that is just downright not working and doesn't have a backup is comical to me."
If your systems are down or under attack, how will you communicate? Is there a backup method in your disaster recovery plan?
Audiences you need to communicate with in a business disaster
This whole thing also reminded our team of a 2018 SecureWorld web conference: 3 Key Components of Your Incident Response Plan.
One of the keys, shared by attorney Katherine Britton, emphasized the importance of considering how and when you will communicate about the incident with all of your stakeholders. She put it like this:
With so much to consider, it's no surprise cybersecurity leaders at SecureWorld conferences are often discussing incident response. Join them at a 2019 conference near you.
And help get your communications team rolled into your incident response team, if you haven't already.