It’s 2AM – Do You Know Where Your Incident Response Playbooks Are?
The breach is live. Your IR team is scrambling. And your CEO just got a call from a reporter asking for comment.
Most organizations have an incident response plan. Almost none have a communications plan, and the two aren't the same thing. Your IR plan tells your team how to contain the incident. Your communications plan tells everyone else what's happening, what you're doing about it, and what they need to do. Without both, you're managing a technical crisis and a communications crisis at the same time, under fire, through systems you may no longer control.
This guide gives you a dual-track cyber crisis communications framework: what to say, to whom, in what order, through what channel. Build it during peacetime. You won't have time to build it when you need it.
Why Crisis Communications Is a Distinct Discipline
Incident response and crisis communications share the same trigger but operate under different rules. Your IR team is focused on containment, eradication, and recovery. Your communications function is focused on maintaining trust while meeting regulatory obligations and controlling the organizational narrative. Conflating the two creates gaps in both.
Silence is a message. So is a vague all-staff email sent from a system the attackers may be reading. Regulatory timelines don't pause while you get organized. GDPR gives you 72 hours. The SEC's material incident disclosure rule gives publicly traded companies four business days. HIPAA mandates notification to the Department of Health and Human Services without unreasonable delay. These deadlines run from the moment you become aware of an incident, not from when your technical team declares containment.
The cost of poor communications compounds beyond regulatory fines. Customer churn, board loss of confidence, legal exposure, and media narratives that outlast the technical incident all trace back to comms failures. Cyber insurance carriers are increasingly requiring documented communications procedures as a condition of coverage. Carriers who find no evidence of a comms plan at renewal are making note of that gap.
Communications failure during a cyber incident is an operational failure, not a public relations problem. It belongs in your incident response framework with the same weight as your containment checklist.
The Dual-Track Model
Two tracks run in parallel, not sequentially. The internal track covers your IR team, employees, executives, and board. The external track covers customers, regulators, media, and partners. Each track serves different audiences with different messages, on different timelines, through separate approval chains.
The most common structural failure is treating these tracks as sequential rather than parallel. Organizations wait until internal communications are resolved before addressing external audiences. Regulatory deadlines get missed. The media narrative fills the vacuum. The organizing principle is this: the internal track leads the external track, but not by much. Hours matter at the start of an incident.
One requirement cuts across both tracks: all communications must route through an out-of-band channel. If your primary email infrastructure is compromised, and in a credential-based attack it very likely is, then any communication plan built on that infrastructure is also compromised. The SSO risk is real: one stolen password can give attackers access to everything including the collaboration tools your team plans to use for coordination. Your communications infrastructure needs to exist completely outside your primary environment. That's the core principle behind a virtual bunker: a secure, separate space your team can reach even when primary systems are down.
Pre-assign roles during peacetime. Designate who owns internal communications, who owns external, and who is the single voice of authority. These assignments should be documented, trained on, and tested before an incident occurs.
Track 1: Internal Communications
The IR Team
The first notification goes to your technical response team immediately, through a dedicated secure channel that sits outside your primary network. Not email. Not Slack on the corporate tenant. An out-of-band messaging environment that attackers can't follow you into.
That first message should be clinical and precise. Include the incident classification, the known scope, immediate actions required, and who holds the incident commander role. Avoid speculation in that initial alert. State what's confirmed, acknowledge what isn't, and commit to a cadence. Status updates should go out on defined intervals: every 30 minutes in the first hours, every hour as the situation stabilizes. No one on the team should have to ask what's happening.
Your IR playbooks should be accessible from secure storage, not from a SharePoint that may be offline or compromised. Pre-built playbooks stored out-of-band mean your team can pull up the correct workflow even when primary systems are unavailable. What a well-structured playbook contains differs from the improvised checklists most teams actually use, and the time to audit that difference is before an incident.
Executive Leadership
Executives should hear from you within the first hour, before they hear about the incident from someone else. Use an out-of-band channel like a secure application or a direct phone call, not corporate email. The message needs to be short: what happened (brief, factual), the best current scope estimate, what's being done, and what you need from them in terms of decisions, resources, or legal engagement.
Executives don't need technical detail during an active incident. They need decision context. Keep your initial briefing to a single page. Designate a single liaison between the IR team and executive leadership. Ad hoc updates from individual technical team members create conflicting information and erode executive confidence. Also prepare your answer to the question they will ask before they ask it: how did this happen?
The Board of Directors
For significant incidents, the board should receive notification within the first few hours. For incidents that qualify as material events under applicable regulatory frameworks, same-day notification is the standard. Board-level communications should focus on business impact, regulatory exposure, reputational risk, and the organization's response posture. Translate everything to financial exposure, legal risk, and operational continuity. Technical framing serves no purpose at this level.
Build your board briefing template during peacetime. The structure already exists in your incident preparedness work. A clean, audit-ready PDF that documents the incident timeline and response actions taken serves both the board communication and the regulatory documentation requirement. Board members talk to investors, outside counsel, and occasionally press. They need clear guidance on what they can and can't say externally.
General Employees
The general employee population should receive notification before they read about the incident on social media or a news site. This matters for two reasons: employees who learn about an incident through external sources before internal channels feel the organization is hiding something, and uninformed employees are an external risk surface. They talk to customers, partners, and press, often without knowing they're saying something that could create liability.
Reach employees through mass notification channels that don't depend on potentially impacted internal systems: SMS, email from a separate environment, voice, and push notifications simultaneously. The ShadowHQ Notify platform runs quad-band notification precisely for this reason. Manual call trees fail when you need them most. The message should be calm, factual, and directive. Tell employees what they should do, what they shouldn't say externally, and where to direct questions. Prepare templates in advance covering active incidents with limited confirmed information, ongoing investigations after initial containment, and resolution with lessons learned.
Track 2: External Communications
Regulators
Regulatory notification timelines aren't flexible. Know your obligations by jurisdiction and by incident type before an incident occurs. Build your initial regulatory notification template as a blank-fill document that your legal team can complete and send under pressure. Initial notifications should be factual and limited. Avoid over-disclosing before you have confirmed facts, but don't delay filing because your investigation is incomplete.
Legal counsel should serve as the approval gate for all regulatory communications. Document every notification: timestamp, recipient, content, and any response received. Regulatory bodies review notification timelines closely in post-incident proceedings, and delays without documented justification are treated as non-compliance. Compliance requirements by framework vary, but the documentation standard is consistent across all of them.
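As an added illustration, not part of the original article or of any ShadowHQ tooling, the following Python computes the notification windows named earlier (72 hours for GDPR, four business days for the SEC, no fixed figure for HIPAA) from the awareness timestamp and audits a notification log of the kind described above against them; the business-day rule without holidays, and the sample log entries, are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def add_business_days(start, days):
    """Advance `start` by `days` Mon-Fri business days; holidays are not modelled (assumption)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current

# Windows as stated in the article, as functions of the awareness time; HIPAA's
# "without unreasonable delay" has no fixed figure, so it carries no computed deadline.
FRAMEWORKS = {
    "GDPR": lambda aware_at: aware_at + timedelta(hours=72),
    "SEC": lambda aware_at: add_business_days(aware_at, 4),
    "HIPAA": None,
}

def deadlines(aware_at):
    """Deadline per framework; containment time is deliberately not an input, it moves no clock."""
    return {name: (rule(aware_at) if rule else None) for name, rule in FRAMEWORKS.items()}

def audit(aware_at, log, as_of):
    """Check the notification log against each deadline; return per-framework status."""
    report = {}
    for name, deadline in deadlines(aware_at).items():
        sent = sorted(e["sent_at"] for e in log if e["framework"] == name)
        first = sent[0] if sent else None
        if first is not None:
            status = "filed on time" if deadline is None or first <= deadline else "filed late"
        elif deadline is not None and as_of > deadline:
            status = "missed"
        else:
            status = "pending"
        report[name] = {"deadline": deadline, "first_notification": first, "status": status}
    return report

# Constructed sample: awareness at 02:00 UTC on a Friday, so the SEC window spans a weekend.
# Each entry records what the article asks for: timestamp, recipient, content, response.
UTC = timezone.utc
AWARE_AT = datetime(2025, 3, 7, 2, 0, tzinfo=UTC)
SAMPLE_LOG = [
    {"sent_at": datetime(2025, 3, 9, 18, 0, tzinfo=UTC), "framework": "GDPR",
     "recipient": "supervisory authority", "content": "initial notice", "response": None},
    {"sent_at": datetime(2025, 3, 14, 9, 0, tzinfo=UTC), "framework": "SEC",
     "recipient": "SEC", "content": "material incident disclosure", "response": None},
]

if __name__ == "__main__":  # stand-alone run: audit the constructed sample as of the last filing
    print(audit(AWARE_AT, SAMPLE_LOG, SAMPLE_LOG[1]["sent_at"]))
```

In the sample the GDPR notice is on time, the SEC filing is a day late because the weekend consumed the window, and HIPAA remains pending until something is filed.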
Customers and Affected Parties
Notify affected customers as soon as scope is reasonably understood. Erring toward earlier disclosure is both legally and reputationally safer than waiting for perfect information. Reach customers through direct channels wherever possible: email, in-application notifications, or postal mail for high-risk situations. A press release alone doesn't constitute adequate notification under most regulatory frameworks.
Your customer notification should cover the incident itself, what data was involved, the actions you've taken, what customers should do next, and where to direct questions. Provide a dedicated response resource that's actually staffed: a microsite, a dedicated email address, or a phone line. Automated responses to security incident inquiries signal that customer impact isn't a priority.
Tone matters here. Be direct and honest, without corporate softening. "Unauthorized access to our systems" communicates clearly. Vague euphemisms erode the trust you're trying to preserve. Don't open with "we take your security seriously." Every organization says that, and customers have learned to read it as deflection. Financial services and healthcare organizations have particular notification obligations; the US bank case study and healthcare facility case study illustrate how organizations in regulated sectors have structured their response.
Media
Designate one spokesperson before an incident occurs. That should be the CEO or a pre-designated communications lead, not the CISO or a technical team member who gets pulled into a reporter's call. Prepare a holding statement during peacetime: a factual, neutral paragraph that can be released within minutes of a confirmed incident. The formula is straightforward. Acknowledge the incident, confirm you're investigating, state that you'll provide updates as facts are confirmed, and point to a contact resource.
Don't speculate on cause, attribution, or scope until confirmed. Don't say "no comment." It reads as evasion rather than appropriate caution. The correct posture is: "We identified an incident on [date] and are actively investigating. We will share more information as we confirm the facts." The first two hours of media coverage shape the narrative that follows. Own the story in that window, or someone else will construct it from incomplete information.
Partners, Vendors, and Third Parties
Notify downstream partners if they're affected by the incident or if they may have been the source. Review your master service agreements and data processing agreements, as many include breach notification obligations with defined timelines. Limit third-party communications to factual, professional summaries. Partners don't need your full incident timeline. Coordinate with legal before any notification that could create liability exposure, particularly if a vendor was the attack vector. In that scenario, your notification to them becomes a legal document.
Message Architecture
Every crisis communication, regardless of audience, needs four components. Cover what happened, what you currently know, what you're doing about it, and what the recipient should do next. This structure works at every tier of the organization and for every external audience. The only variation is the level of technical detail and the specific actions requested.
Tiered disclosure means stating what's confirmed, acknowledging what isn't yet known, and committing to when you'll provide an update. Avoid phrases that have become trust-eroding through overuse: "we take your security seriously," "isolated incident," and "no evidence of misuse" unless you can demonstrate the last one. Pre-script your messages for three phases: initial alert, ongoing update, and resolution. The approval chain for each message should be pre-defined and documented, not negotiated during the incident.
Internal and external messages must not contradict each other. This is why a comms coordinator role, separate from the IR lead, is necessary. That person is responsible for synchronizing both tracks so that what's said internally aligns with what's going out to customers and regulators. When internal and external tracks tell different stories, the discrepancy becomes the story. Automated playbooks and templates stored securely reduce the risk of version drift under pressure.
Where Communications Plans Break Down
The most common failure is communicating through a potentially compromised infrastructure. Organizations send breach notifications from the same email environment attackers accessed. That isn't a hypothetical risk: in credential-based attacks, which now represent the majority of intrusions, attackers can read everything sent through the compromised tenant. Understanding how SSO compromise propagates through an organization's communications tools changes how you think about where your comms plan needs to live. This is the reason your crisis communications plan needs to sit inside an out-of-band environment, completely separate from the systems an attacker can reach.
Other predictable failures compound quickly. Over-disclosing before facts are confirmed leads to retractions that are more damaging than careful initial disclosure. Under-disclosing until forced by regulatory pressure creates the appearance of concealment. Sending a single message to all audiences instead of tiered communications dilutes relevance for every group. Allowing multiple voices to speak publicly fractures the narrative. The failure mode most likely to create legal exposure is not documenting what was communicated and when. That documentation is what makes your response defensible in regulatory proceedings and litigation.
How to Build Your Playbook Given Where You Are
If you're starting from zero, begin with the internal track. Build three templates: IR team notification, executive escalation, and mass employee alert. Build the external track second, but build it before you need it.
If you have an IR plan but no comms plan, the comms plan attaches directly to the IR plan at the same activation trigger. Same incident commander, same initiation event. The comms plan runs in parallel from the moment the incident is declared. Review how to structure that integration in the incident preparedness planning guide.
If you operate in a regulated industry, build the regulatory notification workflow first. Know your deadlines by jurisdiction and pre-draft the initial regulatory notice as a blank-fill template. Financial services, healthcare, and critical infrastructure organizations face the most prescriptive requirements and the least tolerance for delays.
If you've experienced a previous incident, review your post-incident report for communications failures. Most post-incident reviews identify comms breakdowns as a primary driver of extended business impact. Fix those gaps now. If you're building for cyber insurance compliance, document everything: templates, approval chains, tabletop exercise logs, and activation records. Carriers review documented evidence of communications procedures during underwriting and at renewal.
If you're running tabletop exercises, include comms scenarios. Run a tabletop where your primary systems are offline and see what your team actually does for communications. That exercise will produce your real gap list faster than any audit. Take the readiness assessment to see where your current plan stands against an objective standard.
A cyber crisis communications plan isn't something you write during an incident. By then, you're improvising under pressure, through systems that may be unavailable, for audiences you haven't thought through.
The organizations that respond from a position of strength built the playbook during peacetime. ShadowHQ supports both tracks with out-of-band communications, automated playbooks, mass notification, and audit-ready reporting, all inside a virtual bunker your team can reach even when primary systems are down. If you want to see how it works in a live breach scenario, book a 20-minute demo or take the readiness assessment to identify where your current plan has gaps.