Cyber Attack Response Plan: Media Communications & Alert Strategy

Introduction

It's 11 PM on a Tuesday. Your security team discovers a breach affecting customer payment data. By 8 AM, three journalists have called the main switchboard, customers are posting on social media, and nobody on the executive team can agree on who is authorized to speak.

This scenario plays out repeatedly — not because organizations lack incident response plans, but because they've invested very little in the communications governance layer. Forrester's 2025 B2B Brand and Communications Survey found that while 77% of large organizations had documented crisis communication plans, only 39% conducted annual crisis simulations. Among smaller firms, that drops to 23%.

The gap isn't documentation. It's tested governance.

This article covers the communications and alert strategy layer of a cyber attack response plan. It addresses who communicates, what they say, when they escalate, and how to avoid the messaging mistakes that turn a contained incident into a reputational and regulatory crisis. It's written for boards, executive teams, General Counsel, and risk leaders — not for IT staff managing containment.


TLDR

  • Designate a single Communications Lead with authority to approve all messaging before an incident — not during one
  • Build a tiered alert strategy with written severity thresholds so the right level of leadership engages at the right moment
  • Draft holding statements and stakeholder templates in advance; pressure produces errors
  • Know your regulatory deadlines: SEC 4-business-day rule, HIPAA 60-day window, and state breach laws (typically 30–60 days)
  • Run a communications debrief within two weeks of every incident, including near-misses

Why Communications Governance Breaks Down When a Cyber Attack Hits

Under pressure, communication defaults to whoever is loudest or most available — not whoever has the right authority. The result: inconsistent messages across channels, contradictions between what IT says and what the CEO says, and statements that create legal exposure before breach counsel has reviewed a single word.

Two failure modes appear repeatedly:

  • Over-communication — sharing unconfirmed details that later require correction, compounding reputational damage with each walkback. Capita's 2023 response illustrates this precisely: the company went from "no evidence" of data compromise in April, to warning pension data was "likely taken" in May, to confirming exfiltration by August — each reversal widening the credibility gap.
  • Under-communication — vague "technical issue" language that pushes stakeholders to assume the worst and drives media toward third-party sources. When Change Healthcare was breached, the Blackcat/ALPHV ransomware group claimed 8 terabytes stolen before UnitedHealth had shaped its own public narrative.

[Infographic: over-communication versus under-communication failure modes in cyber incident response]

The root cause in both cases is a governance problem, not a messaging skill problem. The fix is structural: clear roles, pre-approved escalation paths, and documented decision rights established before an attack — not improvised during one.


Defining Roles and Decision Rights Before an Incident

The Communications Lead

Every organization needs a single, named individual with authority to approve all internal and external statements during an incident. This person doesn't need to be the most technically knowledgeable in the room. They need to understand the organization's risk posture, legal obligations, and stakeholder relationships.

At larger organizations, this is typically a VP of Communications or General Counsel. At smaller ones, it may be the CEO. The title matters less than the clarity of authority.

The Core Incident Communications Team

| Role | Responsibility |
|------|----------------|
| Communications Lead | Final approval on all internal and external statements |
| Legal/Breach Counsel | Regulatory and liability guidance before anything goes out |
| CISO/Technical Lead | Facts about what happened and current containment status |
| Executive Sponsor | Board liaison; manages upward communication |
| PR/Customer-Facing Lead | Media and public-channel execution |

Every role must have a documented backup — incidents don't wait for people to be available.

Decision Rights in Practice

Before an incident, document who can approve what type of statement to which audience. A workable example:

  • The technical team communicates internally about containment steps
  • Only the Communications Lead approves statements to customers or media
  • Only the CEO or board chair speaks to regulators or institutional investors

This prevents unauthorized disclosures. The goal is simple: nobody guesses in the heat of the moment. A documented RACI that specifies communications responsibilities and decision boundaries means authority is unambiguous when pressure hits.

The Board's Specific Role

Boards should not be in the communications chain during active containment. Their job is governance oversight, not operational execution. What that means in practice:

  • Receive structured, scheduled briefings — not ad hoc updates
  • Each briefing should answer five questions in order: what changed, what it means, what management is doing, what the board needs to decide, and what happens if action slips
  • Pre-agree on an update cadence before an incident occurs (typically twice daily in the first 48 hours)

NACD guidance confirms that boards should review incident response plans annually and establish clear thresholds for when board briefings are triggered — based on financial, legal, or reputational impact.

These escalation thresholds and decision rights need to be established — and tested — before any incident occurs. An untested plan gives organizations false confidence when it counts most.


Building an Alert Strategy: Tiered Escalation from IT to the Board

An alert strategy is a pre-established set of escalation triggers that determine which level of leadership engages, at what severity threshold, and through which channel. Where the IR plan defines what gets done, the alert strategy defines who gets told — and when.

A Three-Tier Escalation Model

Tier 1 — IT/SOC Level

  • Trigger: Anomaly detected, no confirmed breach
  • Who engages: Internal security team
  • Executive notification: None required
  • Example threshold: Suspicious login pattern, failed access attempts on non-critical systems

Tier 2 — CISO/Executive Level

  • Trigger: Confirmed incident with potential data exposure or service disruption
  • Who engages: CISO notifies CEO and Legal within 2 hours of confirmation
  • Example threshold: Confirmed unauthorized access to any system containing customer or regulated data

Tier 3 — Board Level

  • Trigger: Confirmed breach with material impact; regulatory disclosure likely
  • Who engages: CEO briefs board chair within 24 hours
  • Example threshold: Ransomware affecting critical systems, exfiltration of PII, likely SEC or HIPAA reporting obligation

[Infographic: three-tier cyber incident escalation model, from IT/SOC to board level]

Thresholds for each tier must be defined in writing and approved before an incident. NIST SP 800-61 Rev. 3 states directly that incidents should be prioritized based on asset criticality, functional impact, and data impact — not first-come, first-served handling.

Out-of-Band Communication

If the organization's primary communication systems — email, Slack, internal portals — are compromised or inaccessible during an incident, the alert strategy must include backup channels. CISA's StopRansomware Guide advises out-of-band communications as a core resilience control.

Practical options:

  • Pre-established phone trees with personal mobile numbers
  • Encrypted messaging apps on personal devices (Signal, for example)
  • A secondary secure environment outside the primary network

Ransomware attacks frequently encrypt or disable internal communication platforms as part of the attack sequence. An escalation plan that routes through compromised infrastructure will fail precisely when it matters most.

What Not to Escalate

A well-designed escalation model also defines what does not reach the board. Over-alerting on routine events destroys signal quality — when boards can't distinguish minor noise from material risk, they stop trusting the alerts that matter. The threshold should filter for decisions, not information dumps.


Communicating to Regulators, Customers, and Media

Regulatory Disclosure Timelines

Engage breach counsel before any regulatory communication goes out. The table below covers the primary US frameworks, but which deadlines actually apply to your organization is determined by the jurisdictions involved, not by where your headquarters is located.

| Regime | Deadline | Trigger |
|--------|----------|---------|
| SEC (public companies) | 4 business days | After determining materiality |
| HIPAA — individuals | 60 calendar days | After discovery of breach of unsecured PHI |
| HIPAA — HHS (500+ affected) | 60 calendar days | After discovery |
| FTC Safeguards Rule | 30 days | After discovery (500+ consumers affected) |
| PCI — Visa | 3 calendar days | After suspected or confirmed unauthorized access |
| PCI — Mastercard | 24 hours | After becoming aware of Account Data Compromise |
| Florida / Maine | 30 days | After awareness/determination |
| Delaware / Connecticut | 60 days | After determination |

[Chart: US cyber breach regulatory disclosure deadlines by regime and timeline]

State laws vary significantly. Do not assume a single timeline applies across all jurisdictions — which laws apply depends on where affected individuals reside, not where the company is headquartered.

Customers and Affected Individuals

Notify affected stakeholders before any media statement goes out. A customer notification should include:

  • What happened (factual, plain English)
  • What data was affected and what was not
  • What the organization is doing to contain and remediate
  • What the customer should do next: change passwords, monitor for fraud, activate any provided credit monitoring

Watch for a channel mismatch: breach notifications sent from unfamiliar email addresses or new domains can look like phishing attempts. A 2022 USENIX study found that some participants questioned whether sample breach notifications were phishing or bank scams. Use established, recognized communication channels your customers already trust.

Media Communications

Three situations, three approaches:

  1. Incident not yet public — No proactive press release required, but a holding statement should be ready to deploy within minutes of a media inquiry.
  2. Media asking before stakeholders are notified — Use a short, factual placeholder: "We are aware of a security incident and are conducting an investigation. We will provide an update as soon as we have confirmed information." Do not confirm specifics.
  3. Incident widely known — Issue a clear, factual statement that acknowledges the incident, describes what is being done, and confirms that stakeholders are being contacted.

Part of Tyson Martin's pre-incident governance work is helping organizations build these tiered response templates and the decision rules that govern what can be said publicly — so the communications framework exists before anyone needs it.

Internal Staff Communications

Employees need three things during an incident:

  • What happened, at a level appropriate to their role
  • How to respond if a customer or journalist asks them directly (a short, approved script)
  • Whether their own data may be at risk

Leaving employees uninformed creates a secondary misinformation channel. Staff who aren't briefed will fill the gap themselves — often in ways that contradict the official statement or confirm details the organization hasn't yet disclosed.


What to Say — and What to Avoid — in a Cyber Attack Statement

The Structure of an Effective Statement

A strong cyber incident statement covers five elements:

  1. Acknowledge the incident clearly — no euphemisms like "technical disruption" or "service irregularity"
  2. State what is known and explicitly label what is still under investigation
  3. Describe actions being taken to contain and remediate
  4. Tell stakeholders what to do — change passwords, monitor accounts, call a specific number
  5. Provide a contact point for questions

[Infographic: five-element checklist for the structure of a cyber incident public statement]

One critical constraint: do not claim "no data was compromised" until the investigation confirms this. The Capita sequence demonstrates what happens when that statement needs to be walked back repeatedly. Each retraction costs more credibility than the original statement gained.

Language Traps to Avoid

  • Minimizing language: "only," "just," "minor," "small number" — these require correction if the scope expands
  • Third-party blame: Do not publicly name employees, vendors, or software providers as responsible during an active investigation
  • Attribution speculation: Do not name attacker groups or speculate on motive
  • Investigation details: Do not confirm information that helps the attacker understand the state of your response
  • Emotional apologies: Apologize for the incident itself, not for "how this may have made you feel"

Tone and Length

A 150–200 word statement from a credible spokesperson — typically the CEO for major incidents — is more effective than a lengthy document full of legal hedging. Statements should be empathetic but not emotional, factual but not evasive.

That framing is backed by research. A study applying Situational Crisis Communication Theory to data breach notifications found that organizations frequently undermined their own credibility by using denial or scapegoating strategies — even when they were the victim.

Accepting accountability, while limiting legally sensitive admissions, builds more durable credibility with investors, customers, and regulators than any carefully worded denial.


Post-Incident: Communications Debrief and Plan Review

Within two weeks of incident resolution, the Communications Lead should conduct a structured debrief covering:

  • Which communications went out on time, and which were delayed — and why
  • Whether any statements had to be corrected or retracted
  • How stakeholders responded across each channel
  • Whether the escalation chain worked as designed
  • What the first update to the board contained and whether it matched what they needed

The debrief produces a written summary with concrete updates to the plan — not a general "lessons learned" document. Changes should target specific elements:

  • Templates that failed or required on-the-fly revision
  • Escalation thresholds that were unclear or bypassed
  • Backup channels that weren't documented or tested
  • Approved messaging that needed legal revision under pressure

Regulatory obligations don't close with containment. The debrief must also map open compliance work. The Communications Lead coordinates with legal to close each item:

  • FTC and HHS: Both expect breach notifications to describe remediation steps
  • State attorneys general: May require follow-up documentation after initial notification
  • SEC (if applicable): Form 8-K filings may require post-incident updates on material developments

As Tyson Martin puts it: "A document is not readiness." The debrief is where that gap closes — turning what was discovered under pressure into a plan that holds up the next time.


Frequently Asked Questions

What should a cyber incident response plan include?

A solid incident response plan covers:

  • Defined roles and responsibilities
  • Tiered escalation procedures
  • Stakeholder notification protocols
  • Regulatory disclosure requirements
  • Pre-approved communication templates
  • Post-incident review process

The communications layer — who approves what, to whom, and when — is consistently the most underbuilt component.

Who should be the spokesperson during a cyber attack?

A designated Communications Lead should control all messaging decisions. For major incidents, the CEO or a senior executive serves as the public face — not the CISO or technical team, who should remain focused on containment. Technical leaders speaking publicly often reveal investigation details that create legal or operational risk.

When should you notify customers of a cyber attack?

Notify customers before any public media statement goes out — once you've confirmed what data was affected and what protective steps they should take. Earlier notification consistently produces better trust outcomes than waiting for regulatory deadlines.

How soon must companies disclose a data breach?

Public companies must file an SEC Form 8-K within 4 business days of determining an incident is material. HIPAA requires notification within 60 calendar days; state laws range from 30 to 60 days depending on jurisdiction. Breach counsel must advise on which rules apply — obligations vary by industry, data type, and where affected individuals reside.

What should you not say to the media during a cyber attack?

Do not confirm specifics before the investigation is complete, claim no data was breached until confirmed, blame third parties publicly, or use minimizing language you may need to walk back. Avoid statements that reveal the current state of your response — attackers read press coverage too.

What is a Communications Lead in incident response?

The Communications Lead is the single named individual with authority to approve all internal and external messaging during an incident. This role ensures consistency, legal alignment, and proper stakeholder sequencing — preventing the fragmented communications that turn a manageable incident into a governance failure.