Security Incident Stakeholder Communication: What to Say to the Board, Employees, and Customers

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The technical response to a security incident — containment, eradication, recovery — has well-documented playbooks. The communication response is less prescribed, more consequential to long-term outcomes, and often improvised under pressure during the worst possible circumstances.
Poor communication during an incident creates compounding problems: board members who feel uninformed make panicked decisions; employees who don't know what happened fill the gap with speculation that leaks externally; customers who learn about a breach from news media rather than the company lose trust; regulators who receive incomplete notifications impose larger fines. This guide provides the communication framework and specific message templates for each audience, at each phase of an incident.
Phase 1: Initial notification (hours 0-4)
In the first hours of a confirmed incident, communications should be brief, factual about what is known, and clear about what is still being determined. The goal is to put the right people on alert without speculating about scope or attribution.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Phase 2: Employee communication (hours 4-24)
Employees hear rumors and speculation quickly. A controlled internal communication that gives them accurate information and clear instructions is almost always better than silence, which employees fill with their own interpretations.
Principles: be honest about what happened, be specific about what employees should and should not do, and create a clear channel for questions.
Sample internal all-employee communication:
'Subject: Important security notice
We are writing to inform you that we are responding to a cybersecurity incident. Our security and IT teams are actively investigating.
What this means for you:
- [Specific action, if any: reset your password at this link / do not open email attachments until notified / the [system] is temporarily unavailable]
- If you receive unusual requests related to this incident — from anyone asking for credentials, system access, or sensitive information — do not respond. Contact IT security immediately.
- Do not discuss details of this incident with external parties including on social media.
We will provide an update by [time]. Questions: contact [designated point of contact].
[Leadership signature]'
The message should come from executive leadership, not just the security team, to signal that the organization takes this seriously and is in control.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Phase 3: Customer notification (as required by legal timeline)
Customer notification timing is driven by legal obligation (state breach notification laws, GDPR, HIPAA, CCPA) and competitive/reputation considerations. Legal determines the timing; communications determines the content.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Phase 4: Regulatory notification
Regulatory notification timelines are specific and non-negotiable. Missing them creates additional liability on top of the incident itself.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
What not to say at any phase
These communication patterns consistently make security incidents worse from a legal, reputation, and regulatory standpoint.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
Security incident communication is a skill that requires preparation before the incident, not improvisation during it. Organizations that have pre-drafted notification templates, pre-identified the legal team contact, pre-established out-of-band communication channels, and pre-rehearsed communication sequences through tabletop exercises consistently communicate more effectively during real incidents than those that plan the communication process in parallel with the technical response.
Frequently asked questions
When should we notify customers about a breach?
Customer notification timing is determined by: (1) applicable law — most US state breach laws require notification within 30-90 days of discovery; GDPR requires authority notification within 72 hours and individual notification without undue delay; HIPAA requires notification within 60 days; (2) legal strategy — premature notification before scope is understood may provide incomplete information; (3) risk to individuals — if data is actively being misused (fraud detected), notification should occur immediately regardless of legal timeline. Work with legal counsel to determine the optimal notification date within the legal compliance window.
Does the SEC 4-day disclosure rule apply to all cybersecurity incidents?
No. The SEC rule applies only to 'material' cybersecurity incidents, and materiality is a legal determination (a reasonable investor would consider the information important to their investment decision). Not every security incident is material. The 4-day clock starts from when the company determines the incident is material — not from when it is discovered. Involve legal counsel and the audit committee in the materiality determination immediately after any significant incident at a public company.
Should we communicate before or after the incident is contained?
Internal communications (board, employees) should begin within hours of confirming an incident — before it is contained. External communications (customers, regulators) timing depends on: legal notification deadlines that may not allow waiting for full containment, the risk of the news leaking externally before you communicate (media, social media by employees), and the risk to affected individuals that may require prompt notification. Waiting for full containment before any communication is rarely defensible for significant incidents.
Sources & references
- SEC Cybersecurity Disclosure Rules - Effective December 2023
- FTC Data Breach Response Guide
- IBM Crisis Communication Best Practices 2025
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
