Reputation at risk: What data reveals about the new cybersecurity reality

Authors
- Bryan DeAngelis

In this episode of What's at Stake, Penta Partner and Head of the D.C. office Bryan DeAngelis is joined by two of Penta's Senior Partners based on the West Coast — Dan La Russo and TJ Kelly — for a timely discussion on why cyber risk is now stakeholder risk. Drawing from Penta's latest white paper and research study, the trio unpack findings from an analysis of over 4.8 million global mentions across six industries to explore how cyber threats ripple through markets, boardrooms, and public trust.
Their conversation covers:
- Why cybersecurity has evolved from an IT challenge to a reputation-defining issue.
- How different industries handle breaches—and what distinguishes the organizations that recover quickly from those that struggle to regain trust.
- The role of transparent leadership and cross-functional coordination in managing crises.
- The growing intersection between cybersecurity and geopolitics, and what it means for corporate affairs and policy teams.
- The strategic imperatives every leader should adopt to prepare for the next cyber event.
You can access the white paper and request the full research study here.
Transcript
Bryan DeAngelis:
Welcome to this week’s episode of What’s at Stake. I’m your host, Bryan DeAngelis, a partner here at the Washington office of Penta, and I’m joined today by two of Penta’s senior partners based out on the West Coast — Dan LaRusso and TJ Kelly.
Both Dan and TJ joined Penta earlier this year and have brought valuable experience to our senior client counsel and agency leadership as we continue to build out our West Coast operations.
In light of October being Cybersecurity Awareness Month, we’re here today to discuss Penta’s latest white paper, Cyber Risk Is a Stakeholder Risk. That paper draws on insights from Penta’s AI-powered media intelligence and stakeholder sentiment modeling, which assesses over 4.8 million global mentions from, in this case, January 2024 to August 2025.
By combining this data with issue- and audience-specific sentiment, the research really dug into how cyber threats reverberate across industries and stakeholder groups. The paper also identified some key trends to watch in the cyber landscape and outlined critical steps that communications, policy, and public-affairs leaders should take to strengthen their preparedness for what will inevitably be the next cyber event.
So here to help us break all of that down are Dan and TJ. Dan, TJ, welcome to the podcast.
Dan LaRusso:
Thanks for having us.
TJ Kelly:
Thanks, Bryan.
Bryan:
I’m excited. This is your first episode — the first of probably many — so we’ll jump right into it. Dan, you took the pen on a lot of this white paper, so maybe I can start with you just to lay out the big picture.
As I said in the intro, the white paper really focused on cyber risk as a stakeholder risk. Walk us through what that means and why this has become such a reputational issue for companies and leaders today.
Dan:
Yeah, I’m happy to dive in, Bryan. I think if I even reflect on why I jumped into this, one of the reasons I came to Penta was the excitement I had for the intelligence and the data we can bring forward.
I saw some of the research we’d done over the years on cybersecurity, and it was one of those moments of, “Wow — if we really dug into this, could we actually study, over a year, what industries are affected? What’s the frequency of that effect? How does that come through the media?”
We also wanted to see how different organizations responded — how some accelerated and moved on from those risks, while others fought their way through them. These can be complicated things for brands to navigate.
At its simplest, these incidents are more common than ever. Exactly as you said, I saw over the weekend that the National Cybersecurity Center in the UK released data showing that from August of this year to the 12 months prior, about 200 national-security and significant incidents had happened.
Bryan:
Wow.
Dan:
The year before, that number was 89. So you’re seeing a big jump in frequency, and they’re also seeing a 50 percent rise in the largest, most risky of those issues. Regardless of how large your organization is or what industry you’re in, you don’t have to look far — it’s going to happen at some point.
So how do you get prepared? How do you work across all these different stakeholders? We looked at everything from F5’s issue last week to the JLR issue in the UK where they basically had to stop production of all their manufacturing.
If you think about what that means for stakeholders: not only are their customers affected in the most obvious way, but their entire supply chain had to pause. That required the government to step in — the government offered, I think, a $1.5 billion bond. Then you have shareholders involved, policymakers involved, and of course employees who want to know what’s happening. Some of them can’t even come to work. What does that mean for them? Where did this happen? How did it happen?
A lot of things really came to the surface for us, and it was fascinating to see how different organizations responded and worked through it.
Bryan:
Before I go to TJ to break down some of the industries we looked at, that increase in frequency creates this situation where it seems to happen all the time — so we almost grow numb to it — but at the same time, the frequency shows how much more sophisticated these actors are behind the attacks and how much damage they can cause. Did you uncover anything along those lines as you dug into this?
Dan:
Yeah, I think that’s exactly right. You, TJ, and I have done crisis comms and comms planning for a long time. Often those plans get drafted and maybe put aside because you’re constantly dusting them off and refreshing them.
What we’re seeing now is that brands that are ready for these incidents — those that think ahead and predict what’s coming — are best suited to respond. The ones that have built resiliency within their organization tend to have executives ready at a moment’s notice. They’re the fastest to communicate and the most consistent in their messaging.
It’s hard to stay ahead of it — it could be a full-time job — but there are ways to manage it. In the white paper, we talk about setting up not only listening and monitoring systems but also predictive tools that help you see what’s around the corner. You can make those systems more automated and ongoing so they don’t drain capacity every time something happens.
Bryan:
Yeah, I want to come back to that “full-time job” idea as we dig into what companies can do.
TJ, let me pull you into this. We looked into six major industries: automotive, retail and telecom, tech, healthcare, and finance. All of them touch consumers in both very intimate and different ways.
What were the sectors, if any, that really stood out to you — either for the scale of the challenges they face or the way some of them have responded to these attacks?
TJ:
Yeah, I think it’s so interesting — and why Dan and I were so excited to dive into this — actually looking deeply into these sectors and having the ability to do that. It brings so much more to the discussion and to how folks can ultimately prepare for this.
At a top line, there’s a clear cross-industry pattern in the data: the closer you are to a consumer connection, the greater and deeper the reputational damage.
If you look at healthcare and retail — two sectors that have a really deep connection to consumers and consumers’ data — the data bears it out. Retail had the most negative sentiment based on breaches, with a negative 77. That’s driven directly by data breaches that affect consumers. Those are emotionally charged, they affect a broad subset of people, and that naturally brings more attention and deeper negative sentiment.
In healthcare, sentiment never really recovered after breaches that exposed patient data and disrupted care.
Bryan:
You mentioned the number of breaches — Dan, it was 200 over a previous 89?
TJ:
That’s right. And with the proliferation of AI, we’re only going to see that increase further. In sectors like healthcare, when you have repeated breaches that expose patient data or disrupt care, the data shows that one cyber incident can affect the entire sector.
Each new breach brings back coverage of the previous ones, so the whole sector gets pulled back into the discussion. It drags sentiment down and keeps it there, which means everyone in that space needs to be aware of what’s happening across their industry.
And of course, every time we look at this, technology dominates. Seventy-four percent of all mentions have the tech sector involved in some way. There’s such high exposure in tech — even when the breach happens in another industry like healthcare or retail, tech gets pulled into the “who’s at fault” conversation.
So if you’re in technology, especially in security or data infrastructure, you have to be prepared for that. You’ll likely get pulled into the story whether or not the incident originated with you.
Bryan:
That’s fascinating. Can we dig into retail and healthcare a little bit more? And maybe correct me if I’m wrong — from personal experience, because this hits all of us — retail feels personal in a highly annoying sense, right? That’s where your shopping or financial data gets exposed. But healthcare is personal in an entirely different way — especially if it starts disrupting care. That’s a life-or-death situation. Did you see that in the data?
TJ:
Yeah. If you look at healthcare specifically, one incident — the Change Healthcare data breach — brought the entire sector down across all markets: the U.S., the U.K., India, Australia, Canada, Germany, across the board.
So one incident has a global effect. And when a repeat incident happens, it doubles down on that negative impact. These effects last for a long time — sentiment in healthcare stays depressed for extended periods.
We looked at January 2024 through August 2025. There were small blips of recovery in healthcare, but also steep declines with newer incidents like the McLaren ransomware attack. Each one drags sentiment further down across the sector.
Bryan:
Before we leave that section — where does financial services fit in? It’s top of mind for me. We just did some great work with the Aspen Institute around financial fraud and the attacks we see there. Those can be company-wide or industry-wide, but they also feel very targeted.
We’re all getting those text messages — “Call your bank,” “Your E-ZPass payment failed,” “Your account’s overdue in Wyoming,” — and I’ve never even been to Wyoming. But people fall for those scams. It takes a toll personally, and I imagine it bleeds into reputation issues, too.
TJ:
Yeah, absolutely. First, it’s about consumers. Second, it’s about how easily scams can be masked and coded to look legitimate. In financial services, everything’s about end-user entry points — that’s what increases your risk.
Think about all the banking and credit-card updates you get. Add in crypto — new accounts, new platforms, new communications — and you have more opportunities for bad actors to hide behind.
There are just more exposure points. The tools to detect scams need to improve, and end users need to be better educated about what’s happening. That’s especially true as populations age in markets where people are more susceptible.
Bryan:
Yeah, that’s a big factor.
Dan:
And what’s interesting is the intersection between consumer awareness — people’s understanding of their own security and behaviors — and how that ties to brand reputation.
We also saw this in the data. Take the USAA settlement — it started in 2021 but just closed this year. That created another wave of conversation about risk. Even though it was resolved, it reignited the topic. So these things have long tails — they keep resurfacing.
So again, how you prepare and how you communicate during and after an incident is incredibly complex right now.
Bryan:
It is. Let’s go there next. We tell a lot of our clients this: cybersecurity isn’t just a containment issue. It’s too important not to be a full C-suite, company-wide approach — prevention, preparedness, and response.
You’ve both worked on these issues. What have you learned about how organizations can communicate, internally and externally, more effectively — either before or after a breach?
Dan:
Yeah, I’m happy to start, TJ.
Once it happens, it’s tricky. It’s easy to armchair-quarterback from the outside — “It can’t be that complicated” — but when you’re in the middle of it, it absolutely is.
Organizations work with third-party partners — IT consultants, technology vendors — and just figuring out what happened can take time. You have to trace what broke down, where in the chain it occurred. That process can take days or weeks.
At the simplest level, you have to:
- Acknowledge what happened.
- Engage your executives at the right levels — decide who should speak and when.
- Communicate what you’re doing to correct the problem — and sometimes over-correct, to show decisive action.
- Stay clear and consistent in your messaging throughout the peaks and valleys of attention.
Cyber events spike in the news, fade, then return when new details emerge. Building that orchestration layer across your organization is key to handling those cycles.
Bryan:
Yeah, and I’ll add — I remember the days when we’d do this just by brainstorming. We’d sit around the room, saying, “Okay, what could happen?” Maybe we’d do it once a year and label things high-risk or low-risk.
Now, with so much data available, you can actually see the likelihood and impact of these scenarios. And we’re starting to revisit that quarterly with clients — looking at where momentum is building around an issue or conversation. Something that looked low-risk in January might be heating up by April.
How much do you see that being adopted, or what more can clients do there?
TJ:
It’s tricky, right? We talk about cadence-based preparedness — running scenarios regularly. The tools are so much better now that we’ve even brainstormed adding this to quarterly earnings prep.
When companies are preparing their quarterly calls, why not build this in? Bring the stakeholders together — internally and externally — to review incidents, sector trends, and system risks.
That means IT, security, government relations, communications — all coming together more often, not just running one simulation and calling it done. It should be part of your standard operating procedure.
That regular cadence helps you anticipate new threats and understand what’s coming next. It’s about feeding predictive insights into a unified group and then letting each team prepare within its own scope — but doing it together, every quarter.
Bryan:
I’m kicking myself for not thinking of that before. I’ve said this to chief legal officers and public affairs leaders — treat it like quarterly earnings. Bring the right people in the room and review it four times a year.
If companies gave it that level of scrutiny, they’d be so much more prepared — or at least better equipped to bounce back.
Dan:
Exactly. Think about the direct impact on your stock price — it only takes one incident.
TJ:
Right.
Bryan:
And it only takes one in the industry, as you mentioned. We talk about this a lot at Penta — the “basket of peers.” Tracking what’s happening with competitors or aspirational peers matters.
Whether it’s a cyberattack or a spike in negative press that could lead to one, it can spill over into your reputation or even land at your door next. You’ve got to be ready.
Dan:
Totally. It’s not “if,” it’s “when.”
Bryan:
The paper also talked about cyber risks becoming a geopolitical issue. We see that through a lot of our work — state-sponsored actors and other issues — and it becomes not just a business matter, but a diplomatic one.
What does that mean for corporate communicators and public-affairs teams?
TJ:
As we look at state-linked attacks — groups like Salt Typhoon or APT31 — they’re blurring the lines between corporate security and national security.
We have a unique set of data that helps us determine how these are connected, and it shows why it’s so important for communications, public-affairs, and legal teams to coordinate both in response and in preparedness.
Bryan:
Yeah, and we do see Washington get involved a lot in these kinds of incidents. You’re right — there’s the geopolitical, diplomatic side where a state-sponsored actor or organized crime ring may be operating across borders.
They’re not necessarily going after one company — sometimes it’s an entire industry, or they’re trying to weaken national-security strengths. Clients have to be prepared and have the right people in the room, including legal, to work with government and law-enforcement agencies to understand where these threats are coming from and how to respond.
There’s also a responsibility on government, too. We’ve seen industries push for stronger protections for American companies from external threats.
And of course, there’s the political side. If an attack — even a domestic one — hits too close to home for constituents, say in retail or another consumer-facing industry, you can bet CEOs will be called before Congress to answer tough questions.
So when we think about the team in the room, and understanding what’s going on with peers and the data we’re pulling in, I always insist: government relations has to have a seat there. Legal has to be involved.
Because even with the best plans, it’s easy for these incidents to become political issues.
TJ:
Yeah, that makes sense. The coordinated effort and response — across stakeholders, across functions — is critical to managing the long-term impacts of a cyber incident. Everyone should have a seat at the table.
Bryan:
That’s right. Dan, why don’t I wrap up with a question for you — and maybe a “fun” note for our listeners.
We’re recording this episode for the second time because we got shut down yesterday by the AWS outage. It disrupted not only this podcast but Penta’s business — thankfully only briefly.
But it’s another proof point that these things can come out of nowhere. And it’s only going to get more complicated as we move forward.
So, as we finish up, what are you advising clients to focus on next?
Dan:
Yeah, I think there’s one thing that really jumps out — especially reflecting on the last 24 hours of jumping in and out of this conversation.
This is going to become even more common. It already is. And it’s not something you can treat as a side project in any one department.
From our research, the companies that proactively communicated about cybersecurity — about their plans and readiness — were far better prepared to act, respond, and recover quickly.
So how do you make cybersecurity and preparedness part of your core messaging throughout the year? Don’t put it aside. Build it into how you operate as a team, as a company, and in how you communicate with stakeholders.
The six imperatives outlined in the white paper give organizations frameworks and tools to apply, but one key takeaway for me is: make it sustainable. Integrate it into your ongoing communications programs so it becomes second nature.
That way, you’re building the muscle as you go — your spokespeople get more comfortable talking about it, your stakeholders grow more confident in your preparedness, and you’re positioned to respond faster when something does happen.
Bryan:
Yeah, and that confidence — both internally and externally — goes a long way in shaping the outcome and protecting reputation.
Dan:
Absolutely.
Bryan:
Well, Dan, TJ, thank you both again for joining us on today’s episode — hopefully the first of many with both of you.
I appreciate all the work you’ve done on this white paper, and I want to remind our listeners that you can find Cyber Risk Is a Stakeholder Risk on our website, pentagroup.com.
And as always, remember to like and subscribe wherever you listen to your podcasts. You can follow us on X at @pentagrp, and of course on LinkedIn at Penta Group.
I’m your host, Bryan DeAngelis. Thanks, as always, for listening to What’s at Stake.