When you communicate with external parties, you need to carefully consider what you are communicating, to whom and why. It may well be that informing customers, for example, leads to positive customer appreciation, but it is also possible that customers experience this as negative. The right tone, timing and form are of great importance. The list below shows a number of categories of people, organisations, and agencies that you can (or sometimes must) inform. This is not an complete list, but it provides a guide to get you started. Of course, it is up to each company to consider whether there are others they need to inform or whether they do not need to inform parties mentioned here. This can differ per incident.
Make a list of important contacts
Tip: A printed list of important contacts with names and phone numbers kept in a safe can be a lifeline for communication after a ransomware attack.
You inform your staff members about the consequences of an incident and what you expect from them during the recovery. For example: collecting information. Personnel can help to inform customers and suppliers. The staff members themselves can also be victims of the incident. For example, if personal data about them has been leaked. Inform them about this.
You inform customers about the consequences of the incident that affect the service they expect from you. This includes delays in the delivery of orders, payment of invoices, appointments and sending quotations. You also inform customers about indirect consequences for them. For example, if personal data of customers has been leaked. Find out when you have to report a data breach and to whom.
You inform suppliers about the consequences of the incident that affect the relationship with them. For example, if you expect that they will temporarily not deliver your orders. But also if orders, contracts or quotations may have been made public. Personal data from the suppliers may be leaked and must be reported to the Dutch Data Protection Authority (in Dutch). It may also be mandatory that you report to the sector supervisor, for example the Netherlands Authority for the Financial Markets or De Nederlandse Bank. In addition, it is possible that a government service prescribes that you must make a report. A digital service provider will also have to report to the CSIRT DSP under certain conditions.
Contractual parties and other partners or stakeholders
Contractual parties such as customers and suppliers, with whom you have entered into contractual obligations, can or must be informed. For example, you can have agreed with customers or suppliers that they will be informed in the event of a calamity, so that they can take appropriate measures. In addition to these contractual parties, you can also consider partners in the chain. Many companies use each other's services and sometimes each other's systems. Sharing this information can prevent future incidents.
Police and justice department
Always report a cyber attack to the police. To find out who is behind an attack and to ultimately be able to recover damage and to ensure that the perpetrator is punished. There is currently no clear picture of the scale of cybercrime in the Netherlands. It is not always possible to find out who attacked your company. However, your report does contribute to the initiatives taken by the police to find out who is behind such attacks. A concrete example is the fight against ransomware.
Insurer or bank
The phenomenon of cyber insurance is not yet widespread in the Netherlands, according to the Association of Insurers. It may be wise for you as an entrepreneur to consult with your insurer or advisor about the incident. Discuss which measures you should take or which compensation you can receive. This also applies to your bank. It may be necessary to request new cards, change access to internet banking or be extra alert to unusual transactions.
Consultants (third parties)
Informing third parties such as external advisors can also be wise. Such as a bookkeeper, accountant, legal advisor, or lawyer, who may be able to contribute ideas in limiting the damage.
Finally, it can be valuable to inform partnerships in which you participate. For example, the specific cybersecurity partnerships (in Dutch) in the Netherlands, or networks such as entrepreneurs or industry associations. By exchanging information, you can help other entrepreneurs and contribute to a resilient Dutch business climate.
It is important to record beforehand which people and organisations are important to inform if an incident occurs. It is smart to make an overview of this. The basic principles for secure digital business also apply here.