Timing is everything.
Taken together, two seemingly-unrelated things that hit my inbox this morning – CorVel’s quarterly results and the daily alert from Harvard Business Review – provide perspective on how to handle a crisis.
Readers of MCM will recall that I reported last week that CorVel suffered some sort of internet/connectivity problem that arose on Sunday, July 21. It apparently took down much of the company’s customer-facing connections. Subsequently I reported the issue may have been a ransomware attack involving the Ryuk worm. Others followed:
From adjuster.com’s Lonce Lamont’s piece on July 27 (last Friday):
[an anonymous informant stated that] “CorVel management said the Ryuk virus was caught before it was active. It was found during system upgrades. But this management story has not made sense, because in that case of the virus being caught before going active, the IT technicians should have just been able to remove it. However, the CorVel professionals seem to be completely replacing servers, so that indicates they were locked out.”
While I have heard from several internal and external sources, despite several attempts to contact CorVel I have not heard directly from the company. Further, CorVel has not, with the exception of today’s earnings release, released a public statement. I have heard from several CorVel customers that Corvel’s CEO and other personnel contacted customers directly to discuss the issue. Kudos to Corvel for doing this promptly. As of Friday, these customers were told things should be back up today.
Here’s what CorVel said in today’s earnings release:
After the end of the quarter, the Company discovered a security incident which impacted online systems and forced the Company to take those affected systems offline for a period of time. The Company discovered the threat in the early stages of the security incident which allowed for immediate initiation of their incident response plan and aided in the containment and eradication of the threat. Systems were largely offline for the week of July 22nd and at the time of this release [Tue July 30, 2019 6:15 AM] the Company’s systems are incrementally coming back online.
[Side note – sources indicate as of last night scheduling and billing for some ancillary services were back on line; certain bill review functions were not. Suffice it to say that each customer will have been affected differently.]
Which brings me to the HBR piece authored by former Defense Secretary Ash Carter entitled “Managing High Stakes Situations; 5 Lessons from the Pentagon”.
The top Lesson from Secretary Carter was this:
Say something: Feed the beast with whatever you know for sure. The “beast” is the natural demand by news media and others for more facts when there is an appearance of danger or wrong. Leaders facing a crisis need to speak and act quickly even when they don’t know all the facts — it’s part of the job. If you stay silent, you leave a void that may be filled by statements from people who may be well-meaning but ill-informed, or, worse, from rivals or adversaries.
Carter went on to say:
While you must say something, stick to the facts you can verify, however scanty they may be. Don’t speculate or offer guesses that may turn out to be incorrect later… list the key questions you are investigating — What happened? Who was involved? What causes can be identified? What policies and practices apply to the situation? — and provide any specific, accurate answers that are available at the time.
Here’s where I believe CorVel could have done better.
It is highly likely CorVel leadership knew the cause of the problem very soon after it occurred. If the multiple reports about ransomware are correct, the company should have said so.
Be more clear and transparent about the problem and steps being taken to address it. Replacing servers can be a much bigger task than removing a virus from software/databases/applications; acknowledging this up front would have given CorVel some breathing room if it took a bit longer than expected to get everything back up and running.
Make a public statement. Without one, you lose control of the message and likely can’t get it back. Credibility is critical and once damaged is very difficult to regain. This is especially important in our industry: insurance people are genetically risk-averse and highly risk-conscious. “Skeptical” is too tame a word, “Cynical” is probably more accurate.
If and when I hear from Corvel I will update this post.
What does this mean for you?
From Carter:
The pitfalls are to stonewall, deflect, hedge, or use weasel words. But in war, hairsplitting won’t fly. Nor will it in cases when your brand or business is at stake. By speaking plainly and acting directly, you should be able to emerge with your reputation — and that of your organization — intact, and maybe even improved.