Crisis Communications: What to Tell Customers, Staff, and Regulators After a Cyber Incident.

What you say after a cyber incident — to staff, clients, and regulators — can determine whether the business recovers its reputation. Here is how to communicate


Two Donegal businesses experienced similar ransomware incidents in the same quarter. The first communicated proactively — notifying affected clients within 48 hours, being honest about what had happened, explaining the steps taken, and providing a direct contact for questions. They received sympathy, practical support, and kept all but one of their clients.

The second said nothing publicly, hoping the incident would remain private. Three clients found out through their own IT provider's monitoring. Two left immediately. A third called to say they had heard "rumours" and asked directly whether the business had experienced a breach. The managing director denied it. The client left when the truth later emerged.

The communications strategy matters. Not as much as the technical response, but more than most business owners realise.


The Principles of Crisis Communications

Speed matters more than completeness. Clients who hear about an incident affecting their data from a third party before hearing from you will draw the obvious conclusion — that you knew and chose not to tell them. A brief, honest early communication is better than a comprehensive communication that arrives too late.

Honesty matters more than reputation protection. The instinct during a crisis is to minimise, to hedge, to avoid confirming anything that might create liability. This instinct is understandable and usually counterproductive. Clients who are told the truth promptly tend to be more forgiving than clients who feel they were deceived.

Specific is better than vague. "We experienced a cybersecurity incident" tells the recipient nothing. "We experienced a ransomware attack on [date] that affected [which systems]. We have [contained/are containing] the incident and [restored/are restoring] normal operations" tells them something they can act on.

Actions speak louder than words. The most credible crisis communication is one that describes specific steps taken, not just regrets expressed. "We have reset all potentially affected passwords, engaged forensic investigators, notified the relevant regulators, and implemented [specific controls]" is far more reassuring than "we take cybersecurity very seriously."

Does your business have pre-drafted communication templates for your most likely incident scenarios? Drafting under pressure during an incident produces worse communications than drafting in advance. Book a free 20-minute strategy call — crisis communications planning is included in our incident response programme.


The Communication Audiences and Their Needs

Staff need to hear quickly and factually what has happened, what it means for their work, and what they should and should not do. The risk of not communicating with staff is that they fill the vacuum with speculation, share that speculation with clients, or inadvertently disclose information externally before the business is ready. A brief all-staff message within the first two hours — "we are dealing with a technical security incident, please follow these specific instructions, we will update you at [time]" — is better than silence.

Clients whose data may have been affected have both a practical and a legal entitlement to notification. Under GDPR, where a personal data breach is likely to result in risk to individuals, those individuals must be informed without undue delay [^1]. For business clients who shared commercially sensitive information with you, there is a professional obligation alongside the legal one. The notification should describe what information may have been involved, what the business is doing about it, and who to contact with questions.

Regulators have formal notification requirements. Under GDPR, a personal data breach likely to result in risk must be reported to the Data Protection Commission within 72 hours of the business becoming aware of it. Under NIS2, a significant incident must be reported to the NCSC Ireland within 24 hours. These notifications are legal obligations, and their deadlines run from the moment of awareness, regardless of whether other communications are ready [^2].

Media should receive a brief, accurate holding statement if they contact you. "We are managing a security incident and are working to restore normal operations. We will provide further information when it is available." Do not speculate, do not blame, do not downplay. If the incident involves personal data, confirm that you are working with the Data Protection Commission.


What Legal Review Is Needed

Every external communication about a significant incident should be reviewed by your legal adviser before it is sent. This is not about limiting transparency — it is about ensuring that the communication does not create new legal exposure through imprecise language, premature admission of specific liability, or inadvertent breach of ongoing investigation confidentiality.

Your cyber insurer will also typically want to review external communications before they are sent. Many cyber insurance policies provide crisis communications support as a policy benefit — a communications specialist who helps draft and review communications in the immediate aftermath of an incident.

Building the legal review into your incident response plan — as a named step with a named legal contact — means it happens automatically rather than being skipped under pressure.


Pre-Drafted Templates

The most effective crisis communications preparation is to draft templates for your most likely scenarios before an incident occurs. A template for a ransomware/system outage incident. A template for a personal data breach. A template for a payment fraud attempt.

Each template should have three versions: a staff notification, a client notification, and a media holding statement. Each should be reviewed by your legal adviser in advance. When an incident occurs, the template is adapted to the specific facts, which is far faster and produces a better-quality communication than drafting from scratch under pressure.


What Next

  1. Draft a crisis communications template for your most likely incident scenario this month. One page: staff notification, client notification, media holding statement. Ask your legal adviser to review it.

  2. Identify your communications lead for incidents. Who is responsible for managing all external communications? Who approves them before they go out? Name these people in your incident response plan.

  3. Confirm the regulatory notification contacts and timelines. Data Protection Commission: 72 hours for personal data breaches. NCSC Ireland: 24 hours for NIS2 significant incidents. Write these deadlines into your incident response plan alongside the contact details.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

[^1]: Data Protection Commission Ireland — Data Breach Notification
[^2]: NCSC Ireland — Incident Reporting
[^3]: An Garda Síochána — National Cyber Crime Bureau

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
