
Stakeholder Communication During Incident
Direct answer
A wrong incident communication becomes a second incident. A premature press leak creates speculation; late client communication becomes a lawsuit; a regulator not notified within 72h becomes a fine. This matrix aligns audience, message, timing and what NOT to say.
Why communication during incident differs
In a cyber incident, each audience has distinct needs, and any message that spreads uncontrolled creates liability. Communicating everything to everyone creates panic and may violate investigation confidentiality. Not communicating violates legal obligations (GDPR, LGPD, CCPA). The balance: each audience gets the RIGHT message, at the RIGHT moment, with the APPROPRIATE level of detail. Coordination between technical, legal, communications and the CEO is mandatory.
Communication matrix by audience
- 1. CEO / Board (0-6h). Fact: 'we suffered an incident, it is being contained, no payment or public communication decision yet'. Focus: estimated impact and decision window. DO NOT speculate on blame or origin.
- 2. Internal legal + cyber insurance (0-12h). Technical detail: variant, affected scope, potentially leaked personal data. Covered by legal privilege. DO NOT communicate externally without involving legal: they define what can and cannot go out.
- 3. DPO + regulator (within 72h if personal data is involved). Formal notification following the regulator's template. Includes: nature of the incident, affected data, number of data subjects, measures adopted. Laws vary by jurisdiction. Fines for non-notification can reach 2-4% of turnover.
- 4. Internal employees (24-48h). Coordinated CEO message. Focus: 'incident in progress, containment ongoing, instructions for employees: what NOT to click, what NOT to post on social media'. Avoids internal rumor and employee leaks.
- 5. Affected clients (after technical confirmation). Clear message, no jargon: 'we identified an incident that may have affected your X, Y, Z data. Measures taken: A, B. We recommend changing your password within Z days.' Regulations require notification within 72h of confirmation. Before confirmation, any statement is speculation.
- 6. Press / market (last, coordinated). When? Only when there are confirmed facts and the company controls the narrative. Statement prepared by a crisis-specialized agency. Do not comment on speculation. Focus on 'measures adopted', not on 'blame'.
FAQ
Can I wait to notify the regulator?
Not beyond 72h after becoming aware of the breach: GDPR Art. 33, LGPD Art. 48 and similar regulations worldwide. Fines for non-notification can reach 2-4% of turnover. Limited exceptions exist for documented low-risk cases.
Should I publicly communicate the attack?
It depends. If personal data leaked: yes, to the affected data subjects. If the company is publicly listed: material-fact disclosure as the applicable regulation requires. For a private company with no affected personal data: public communication is a strategic decision, not a legal obligation.
How to avoid internal speculation?
Official CEO message within 48h of discovery. Coordinated IT message on what to do and what not to do. A specific channel for questions (a dedicated email address). When there is a communication vacuum, speculation fills it.
What to say if press calls before we have an answer?
'We are investigating a security incident and taking all appropriate technical and legal measures. We will provide an update when we have confirmed facts.' Do not deny, do not give details. Direct the call to the designated spokesperson.
How to measure communication success?
Indicators: (1) Time to regulator notification, target under 72h. (2) Churn volume among affected clients over the next 90 days. (3) Press coverage: percentage of mentions citing measures adopted versus percentage speculating about blame. (4) Post-incident NPS among affected clients.