Cyber Crisis Communication: When IT Incidents Become Reputational Crises

The Reputational Cost of Getting Cyber Crisis Communications Wrong — and How to Prepare

Within the first 24 hours of a serious cyber incident, the most demanding work is rarely the technical containment. It is the communications response. Ransomware, data breaches, and prolonged service outages no longer stay inside the IT function for long. Within hours — sometimes minutes — they become reputational events that reach customers, regulators, employees, and the press. The organisations that recover well are those that recognised this shift in advance and prepared accordingly.

Despite the rising frequency of cyber incidents across every sector, communications preparedness lags behind technical preparedness in most organisations. Detection, isolation, and recovery protocols are now mature in most large enterprises. The communications playbook that should run in parallel often is not.

From IT problem to communications crisis

A cyber incident becomes a communications crisis the moment any of three things happens: customers experience disruption, sensitive data may have been exposed, or the incident becomes externally visible. In practice, one of these is usually true within hours of detection.

Once that threshold is crossed, the organisation is no longer responding to a technical event. It is managing a public narrative. The decisions made in the first few hours — what to say, when, to whom, in what tone — will shape regulator response, customer retention, share price, and long-term brand trust.

Why most organisations are under-prepared

Three structural weaknesses appear consistently. The first is organisational separation: incident response sits in IT and security, while communications sits elsewhere, with no shared playbook and no rehearsed handover. The second is over-reliance on legal language: cyber communications, in their fear of admission, often read as evasive at exactly the moment audiences need clarity. The third is template fatigue: pre-prepared statements that have not been refreshed in years and bear little resemblance to current threat realities.

The communications playbook for cyber incidents

A workable cyber communications response has four essential components.

  • A pre-agreed activation protocol that brings IT, security, legal, communications, and senior leadership into the same room within 30 minutes of incident classification.
  • Statement templates for the most likely scenarios — ransomware, data exposure, service outage, supply chain compromise — ready to be adapted in minutes.
  • Clear regulatory notification protocols. Most jurisdictions now have strict reporting timelines, and missing them creates a second crisis on top of the first.
  • A trained spokesperson with rehearsed key messages for the most probable journalist questions.

Communicating with regulators and customers

Cyber crises typically require parallel communications tracks: regulators, affected customers, employees, business partners, and the public. Each requires different timing, different content, and different tone. Treating them as a single audience leads to either over-disclosure that creates legal exposure or under-disclosure that damages trust.

Regulator communications should be fact-led, dated, and aligned with statutory obligations. Customer communications should be empathetic, practical, and action-oriented — telling people what happened, what it means for them, and what the organisation is doing. Public communications should establish the narrative the organisation wants others to follow, not react to one already written.

The recovery and trust-rebuild phase

The communications work does not end when systems are restored. The most reputation-damaging cyber incidents are those where the organisation appears to have moved on faster than its customers have. Visible, sustained communication about what was learned, what has changed, and what protections are now in place is essential to rebuilding trust.

This rebuild phase typically runs for six to eighteen months. Organisations that approach it as an ongoing programme rather than a one-time announcement tend to recover brand equity significantly faster than peers who treat the post-incident phase as the end of the matter.
