INCIDENT RESPONSE | COMMUNICATIONS
13 min read

Security Incident Stakeholder Communication: What to Say to the Board, Employees, and Customers

4 days
SEC requirement for material cybersecurity incident disclosure by public companies — effective December 2023
72 hours
GDPR notification window for personal data breaches to supervisory authorities
38%
of breach victims say the company communication made the situation worse — IBM 2025 cost of a data breach consumer survey
2x
customer churn rate in organizations that communicated poorly after a breach compared to those that communicated proactively and clearly

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The technical response to a security incident — containment, eradication, recovery — has well-documented playbooks. The communication response is less prescribed, more consequential to long-term outcomes, and often improvised under pressure during the worst possible circumstances.

Poor communication during an incident creates compounding problems: board members who feel uninformed make panicked decisions; employees who don't know what happened fill the gap with speculation that leaks externally; customers who learn about a breach from news media rather than the company lose trust; regulators who receive incomplete notifications impose larger fines. This guide provides the communication framework and specific message templates for each audience, at each phase of an incident.

Phase 1: Initial notification (hours 0-4)

In the first hours of a confirmed incident, communications should be brief, factual about what is known, and clear about what is still being determined. The goal is to put the right people on alert without speculating about scope or attribution.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Phase 2: Employee communication (hours 4-24)

Employees hear rumors and speculation quickly. A controlled internal communication that gives them accurate information and clear instructions is almost always better than silence, which employees fill with their own interpretations.

Principles: be honest about what happened, be specific about what employees should and should not do, and create a clear channel for questions.

Sample internal all-employee communication:

'Subject: Important security notice

We are writing to inform you that we are responding to a cybersecurity incident. Our security and IT teams are actively investigating.

What this means for you:

  • [Specific action, if any: reset your password at this link / do not open email attachments until notified / the [system] is temporarily unavailable]
  • If you receive unusual requests related to this incident — from anyone asking for credentials, system access, or sensitive information — do not respond. Contact IT security immediately.
  • Do not discuss details of this incident with external parties including on social media.

We will provide an update by [time]. Questions: contact [designated point of contact].

[Leadership signature]'

The message should come from executive leadership, not just the security team, to signal that the organization takes this seriously and is in control.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Phase 3: Customer notification (as required by legal timeline)

Customer notification timing is driven by legal obligation (state breach notification laws, GDPR, HIPAA, CCPA) and competitive/reputation considerations. Legal determines the timing; communications determines the content.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Phase 4: Regulatory notification

Regulatory notification timelines are specific and non-negotiable. Missing them creates additional liability on top of the incident itself.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

What not to say at any phase

These communication patterns consistently make security incidents worse from a legal, reputation, and regulatory standpoint.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Security incident communication is a skill that requires preparation before the incident, not improvisation during it. Organizations that have pre-drafted notification templates, pre-identified the legal team contact, pre-established out-of-band communication channels, and pre-rehearsed communication sequences through tabletop exercises consistently communicate more effectively during real incidents than those that plan the communication process in parallel with the technical response.

Frequently asked questions

When should we notify customers about a breach?

Customer notification timing is determined by: (1) applicable law — most US state breach laws require notification within 30-90 days of discovery; GDPR requires authority notification within 72 hours and individual notification without undue delay; HIPAA requires notification within 60 days; (2) legal strategy — premature notification before scope is understood may provide incomplete information; (3) risk to individuals — if data is actively being misused (fraud detected), notification should occur immediately regardless of legal timeline. Work with legal counsel to determine the optimal notification date within the legal compliance window.

Does the SEC 4-day disclosure rule apply to all cybersecurity incidents?

No. The SEC rule applies only to 'material' cybersecurity incidents, and materiality is a legal determination (a reasonable investor would consider the information important to their investment decision). Not every security incident is material. The 4-day clock starts from when the company determines the incident is material — not from when it is discovered. Involve legal counsel and the audit committee in the materiality determination immediately after any significant incident at a public company.

Should we communicate before or after the incident is contained?

Internal communications (board, employees) should begin within hours of confirming an incident — before it is contained. External communications (customers, regulators) timing depends on: legal notification deadlines that may not allow waiting for full containment, the risk of the news leaking externally before you communicate (media, social media by employees), and the risk to affected individuals that may require prompt notification. Waiting for full containment before any communication is rarely defensible for significant incidents.

Sources & references

  1. SEC Cybersecurity Disclosure Rules - Effective December 2023
  2. FTC Data Breach Response Guide
  3. IBM Crisis Communication Best Practices 2025

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.