In today’s bulletin, Charlie provides some useful information on how organisations should approach their communication to customers after a cyber incident.
The following is guidance on communicating after a cyber incident. The formats for the initial communications are likely to be a press statement and information on the organisation’s website.
1 – Decide how visible you want the cyber incident to be
- If you are a public body, a household name, or hold large amounts of sensitive personal data (PII), then you will most likely want what can be called a ‘high-profile communications strategy’, where you want as many people as possible to know about the incident and take active steps to draw attention to it. This could include press releases, a prominent announcement about the data breach on your website, and proactively contacting your customers.
- Alternatively, you may pursue a low-profile strategy, where you provide information but customers will only find it if they look for it: loss of a service is labelled a technical fault, systems are taken offline, or functionality is simply left not working; information is put on your website but not where it is easy to find; and those who need to know are told of the incident, but nobody beyond them.
- There are of course hybrids of these strategies. Each is a trade-off between being open about having had a cyber incident and the reputational issues that come with it. Whichever you choose, you do not want to be accused of a cover-up, as the impact of that is usually worse than the original incident, and a low profile never removes your legal duty to notify the regulator and, where there is a high risk to them, the individuals affected.
2 – Communicate within an appropriate timeframe
- “Report early, update later” is good guidance to follow when dealing with a cyber incident.
- It is recommended that you acknowledge having had an incident within 7 days of discovering it, assuming it is not already common knowledge and has not been reported in the media or on social media; if it has, you need to respond as soon as it breaks. Any later than 7 days and you could be accused of working to your own timetable rather than warning those affected by the incident.
- From the day you discover the incident, have a holding statement ready in case the news breaks before you planned to communicate. Update it daily so that it always contains the latest information.
- Glasgow City Council’s approach to its cyber incident communications shows that an organisation may choose not to communicate immediately on discovering an incident, in order to put containment measures in place first. A short delay lets you secure your systems before the original attacker learns they have been detected, and before other potential attackers become aware of your weakness and attempt to exploit your compromised infrastructure. The delay should still fit within the 7-day window above, and it does not pause any regulatory clock.
- Reporting to the ICO has to happen well before the 7 days are up: under UK GDPR a reportable personal data breach must be notified to the ICO within 72 hours of becoming aware of it. That does not necessarily mean the breach has to become public.
3 – Acknowledge the incident and take responsibility for it at a senior level
- The initial communication should come from a named person, preferably the CEO.
- Having the IT or cyber director, or the marketing / media manager, sign it sends the message that it is a PR issue rather than something being taken seriously at the top of the organisation.
- One organisation included a photograph of the signatory; this again humanises the response and makes it more personal.
4 – Summarise the situation
- Be honest about what you know and what you don’t know. Saying ‘we don’t know this at this time’ shows you have thought about it and reads as more honest than saying nothing.
- Almost every statement uses the line ‘we are working with the police and the NCSC’, which is fine, as it shows you have involved the authorities in the response; just make sure it is true before you say it.
- Avoid elevating the attackers with words such as ‘international criminals’ and ‘sophisticated attack’. They read as an excuse, and you will not know how sophisticated the attack really was until the investigation is complete.
- Many media outlets will reuse the text from the organisation’s website, so think about how the organisation will be portrayed if that text is taken verbatim into news articles. If there is any good news, or heroic action by staff, include it: it can become the focus of the story and is likely to end up as part of the media narrative.
- Revealing investigation details can prejudice the outcome and help future attackers. Avoid disclosing specific attack vectors, detailed forensic findings, or internal security measures in public statements. That is separate from sharing indicators with the police, the NCSC and affected partners through the proper channels, which should continue.
5 – Information on a possible data loss
- If there is a chance that data has been exfiltrated, which by one commonly cited estimate happens in about 94% of ransomware cases, be honest about that possibility. Don’t say you don’t believe any data has gone, only to have to admit later that it has. ‘We have found no evidence of data being taken’ is only an honest statement if you have actually looked, and early in an investigation the absence of evidence means little; say what you have checked and what you have not yet been able to check.
6 – Explain any potential impact on customers, along with actions those affected should take
- Explain the impact on stakeholders and how the incident will affect them: which services are being provided and which are not. Think about what each stakeholder will want to know about the service, then develop questions and answers that address those points. Work out the likely customer queries and issues from their point of view, rather than from the information you want to give them: what is obvious to the organisation delivering the service is often not obvious to the customer. Saying what is working as normal is also worth including.
- A traffic light system showing which services are working normally, which are partially affected, and which are not working at all is a good way of communicating status and what you are delivering. Say what ‘partially affected’ means for each service, as that is the category customers will ask about.
- If required, give information on how those affected can protect themselves. Where possible, point to official guidance such as the NCSC’s, as you don’t want to give incorrect advice.
7 – Include information on the actions you are taking to deal with the situation
- Always say what you are doing. This is a good opportunity to explain the proactive steps you are taking and how hard all staff are working to remedy the situation.
- Try to give a timeline for when you expect systems or services to be restored. This can be difficult, but if people know it will be weeks or months, they can make alternative arrangements. Err on the side of caution: a restoration date that slips costs more trust than a longer estimate that is met.
8 – Use a tone that reflects empathy, accountability, and emotional intelligence, and is personal to the recipient
- There is nothing wrong with getting the lawyers to look over the text, but don’t get them to write it, as it will be very obvious to those reading it.
- Apologise where an apology is due. The incident will have had a detrimental impact on customers or stakeholders: they trusted you with their data or with the delivery of goods and services, and now you cannot deliver what you promised.
- Like all good communications, ensure that your communication aligns to your brand, values, and stakeholder expectations.
- Communications must use clear, jargon-free language.
9 – Give information on when updates will be given
- State that you will update the website every 24 hours, and give the time at which the update will appear.
- Make it obvious what is new, for example by date-stamping each update, especially once there is a lot of information on the website.
- If there is no update, say that there is no update.
10 – Give directions on where to find further information or how to contact the organisation
- If you are going to provide further information or questions and answers, state where to find them.
- Consider setting up a help desk, information line, or dedicated email address where customers can ask questions. This is especially important if a data breach has occurred. Make sure the people staffing it work from the same agreed statement and Q&A as the website, so callers are not given a different story.
Conclusion
Initial impressions count when communicating about a cyber incident, and if you don’t get this right, you are starting your incident response on the back foot. The first external communication sets the tone for how stakeholders will perceive your organisation’s handling of the crisis. A poorly crafted initial statement can damage trust that may take years to rebuild, whilst a well-prepared, empathetic communication can strengthen stakeholder confidence. This is why these communication principles should also be practised during exercises, so that your team can deliver clear, accurate messages when the stakes are real and avoid a fumbled first impression that compounds the reputational damage.