Incident Communications Pack

18 min read | Updated February 2026

When a breach happens, what you say matters as much as what you do.

Every organisation with a mature security posture has an incident response plan. Runbooks for containment. Escalation procedures. Forensic tooling on standby. But when the crisis actually arrives, there is one area that consistently falls apart: communication. The technical team knows what to do. Nobody has decided what to say, who to say it to, or how to say it without making things worse.

This is not a theoretical problem. Study after study confirms that the reputational and financial damage from a security incident is determined less by the breach itself than by how the organisation communicates in its aftermath. A swift, honest, well-structured response can preserve trust. A delayed, evasive, or contradictory response can destroy it, sometimes permanently. Customers forgive being breached. They do not forgive being misled.

This pack provides ready-to-use communication templates for the critical first hours and days of a security incident. It covers internal staff notifications, ongoing status updates, external customer communications, and the core principles that should guide every message you send. The templates are designed to be customised now, while things are calm, so that when the pressure hits, you are not starting from a blank page at 3am with your systems offline and your phone ringing.


Why communication is the real crisis

The technical response to an incident follows a well-understood playbook: detect, contain, eradicate, recover. Communication has no such luxury. It is messy, emotional, and high-stakes from the very first moment.

Consider what happens inside an organisation when a breach is discovered. The IT team goes into response mode. Leadership wants answers. Staff hear rumours. Clients notice services are down. The press gets wind of it. Regulators expect notification. Every one of these audiences needs a different message, at a different level of detail, delivered through a different channel, often within the same hour.

Without prepared templates and a clear communication plan, organisations default to one of two failure modes. The first is silence: saying nothing while lawyers deliberate and PR consultants are briefed, leaving a vacuum that employees, customers, and journalists fill with speculation. The second is improvisation: hastily drafted messages that contradict each other, reveal too much technical detail, admit liability prematurely, or, worst of all, minimise the severity only to be contradicted by later revelations.

The organisations that navigate incidents well share a common trait: they prepared their communication approach before the incident occurred. They had templates. They had designated spokespeople. They had pre-agreed approval workflows. They had practised. When the crisis arrived, they did not have to invent a communication strategy under pressure. They simply executed the one they already had.

That is what this pack gives you. Not perfection, but a foundation. A starting point that is vastly better than a blank screen and a rising sense of panic.

“The breach itself is rarely what destroys trust. It’s the silence that follows, the contradictions, the feeling that the organisation cared more about its reputation than its people. Get the communication right, and you can survive almost anything.”

• 72 hrs: maximum time to notify the ICO of a personal data breach under UK GDPR
• 46% of UK businesses experienced a cyber breach or attack in the past 12 months
• 3x higher reputational cost when communication is delayed beyond the first 24 hours

Template 01

Internal: Initial staff notification

The first message your people receive sets the tone for everything that follows. It needs to be fast, factual, and calm. Panic spreads faster than malware, and a poorly worded internal alert can cause more disruption than the incident itself. This template gives your leadership a starting point that balances urgency with clarity.

Subject: Urgent: Security incident notification

Team,

We are currently responding to a security incident affecting [describe scope, e.g. our email systems / a specific application / our network infrastructure].

What we know: [Brief factual description, e.g. We detected unusual activity in our systems at [time] today. Our security team is investigating the nature and extent of this activity.]

What we are doing: [e.g. Our IT team is investigating and has engaged external incident response support. We have taken [specific systems] offline as a precaution while we assess the situation.]

What you should do:

• Do not click any suspicious links or open unexpected attachments
• Report anything unusual to IT immediately at [contact details]
• Do not discuss this incident externally, including on social media
• If you are unable to access [affected systems], please use [alternative] in the meantime

We will provide updates as we learn more. The next update is expected by [time]. Please direct any questions to [designated contact person and channel].

[Senior leader name and title]

Template 02

Internal: Status update template

Silence breeds speculation. Even when there is nothing new to report, your people need to hear from you. Regular, structured updates reassure staff that leadership has control of the situation and that progress is being made. This template provides a repeatable format that ensures every update is consistent, comprehensive, and actionable.

Subject: Security incident update #[X]

Team,

This is update number [X] regarding the security incident first reported on [date/time].

Current status: [e.g. Containment in progress / Investigation ongoing / Recovery underway / Incident resolved, monitoring continues]

What has changed since the last update: [Bullet points of key developments, e.g. We have identified the initial entry point / Affected systems have been isolated / Data analysis is underway to determine scope]

Systems affected: [List what is working normally and what remains offline or degraded. Be specific: email is operational, CRM is offline, VPN access is restored.]

Expected next steps: [What is planned for the next 12 to 24 hours]

Estimated restoration: [If known, provide a realistic timeline. Otherwise: We will update you when we have clarity on restoration timelines.]

Thank you for your patience and cooperation. The next update is expected at [time/date].

[Name and title]

Template 03

External: Customer notification

If personal data has been compromised, or if the incident affects services your customers depend on, external communication may be both a legal obligation and a reputational necessity. This is the hardest message to get right. It must be honest without being alarmist, apologetic without accepting liability prematurely, and specific enough to be useful. Always review with legal counsel before sending.

Subject: Important security notice from [Company Name]

Dear [Customer / Partner],

We are writing to inform you of a security incident that may have affected some of your information held by [Company Name].

What happened: [Brief, factual description. Be specific about dates and nature of the incident without revealing technical details that could aid further attacks.]

What information was involved: [Be specific about categories, e.g. name and email address. State clearly what was NOT involved, e.g. payment card details and passwords were not affected.]

What we are doing: [Steps you have taken and continue to take, e.g. We engaged specialist incident response support immediately. We have notified the Information Commissioner’s Office. We are implementing additional security measures to prevent recurrence.]

What you can do:

• Be vigilant for suspicious emails that reference this incident
• Consider changing your password if you use the same password elsewhere
• Monitor your accounts for any unusual activity
• Contact us if you notice anything concerning

We take the security of your information seriously and sincerely apologise for any concern this may cause. We are committed to being transparent about what happened and what we are doing to address it.

If you have questions, please contact our dedicated incident response line at [email address] or [phone number]. This line is staffed [hours of availability].

Sincerely, [Name, Title]

Important: Legal review before external communication

Always consult with legal counsel before issuing external communications about a breach. The wording of customer notifications, press statements, and regulator submissions can have significant legal implications. What you say, and what you omit, may be scrutinised in regulatory proceedings, litigation, or insurance claims. Your legal team should review every external communication before it is sent. Build this review step into your process now, and agree a rapid turnaround expectation with your solicitors so that legal review does not become a bottleneck during a live incident.

Communication principles

Templates give you structure. Principles give you judgement. When the situation deviates from what the template anticipated, and it will, these principles should guide every decision about what to say, when to say it, and how.

Be honest and factual

State what you know, what you do not know, and what you are doing to find out. Speculation damages credibility. If the full picture is not yet clear, say so. People forgive uncertainty far more readily than they forgive dishonesty. The organisations that suffer the worst reputational damage are not those that get breached; they are those that get caught downplaying or concealing the truth.

Communicate early, even with incomplete information

Waiting until you have a complete picture before saying anything is one of the most common mistakes in incident communication. By the time you have full clarity, the narrative has already been shaped by rumour, social media, and employee anxiety. A brief, honest acknowledgement within the first hour buys you credibility and time. You can always add detail in subsequent updates.

Provide regular, structured updates

Set a cadence and stick to it. Even if the status has not changed, issue an update confirming that. Silence is interpreted as either incompetence or concealment. A predictable rhythm of communication, whether hourly, twice daily, or daily depending on severity, gives stakeholders confidence that the situation is under control and reduces the volume of inbound queries from anxious staff and customers.

Give clear, actionable instructions

Every communication should tell the recipient what they need to do. Not vague reassurances, but specific actions: change this password, avoid this system, report suspicious activity to this person. People cope better with crisis when they have a task. Actionable guidance also reduces the risk of well-intentioned staff making the situation worse by taking matters into their own hands.

Designate a single spokesperson

Mixed messages from multiple sources create confusion and erode trust. Appoint one person, typically the CEO or a senior director, as the external voice. Internally, ensure all updates flow through a single channel. Brief your reception team, your sales team, and anyone else who might field questions from outside. Everyone should know who speaks and what the approved messaging is.

Document everything you communicate

Keep a log of every message sent: when it was issued, who it went to, what it said. This serves multiple purposes. It demonstrates to the ICO that you acted responsibly. It provides an audit trail if legal proceedings follow. It feeds into your post-incident review so you can improve next time. In the heat of a crisis, it is easy to lose track of what was communicated to whom. A structured log prevents that.

“In the first hour of an incident, the communications lead is as important as the technical lead. One is stopping the bleeding. The other is preventing the panic that makes everything harder.”

Legal obligations: GDPR and ICO notification

Incident communication is not just good practice. In many cases, it is a legal requirement. UK GDPR imposes specific obligations on organisations that experience a personal data breach, and the penalties for non-compliance are significant.

Understanding these obligations before an incident occurs is essential. Discovering your regulatory duties mid-crisis, when the clock is already ticking, is a recipe for missed deadlines and enforcement action.

ICO notification (72-hour window)

Under UK GDPR, if a personal data breach is likely to result in a risk to individuals’ rights and freedoms, you must notify the Information Commissioner’s Office within 72 hours of becoming aware of it. This is not 72 hours from the moment the breach occurred, but from the moment you have reasonable confidence a breach has taken place. The notification must include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address it.

Affected individuals

If the breach is likely to result in a high risk to individuals, you must also notify those individuals directly and without undue delay. The threshold is higher than for ICO notification, but when it applies, the communication must be in clear, plain language and must include the same categories of information plus specific advice on steps individuals can take to protect themselves. Your customer notification template is designed to meet this requirement.

Contractual obligations

Many commercial contracts, particularly with larger organisations and public sector bodies, include specific breach notification requirements. These often have shorter timeframes than GDPR, sometimes 24 hours or even immediate notification. Review your key contracts now, before an incident occurs, so you know exactly who needs to be told and how quickly. Document these requirements in your incident response plan.

Sector-specific regulators

Depending on your industry, additional notification obligations may apply. Financial services firms regulated by the FCA have separate reporting requirements. Healthcare organisations may need to notify NHS Digital. Telecommunications providers have obligations under the Privacy and Electronic Communications Regulations. If you operate in a regulated sector, map your notification obligations before an incident forces you to discover them under pressure.

How to prepare before the crisis

Having templates is a start, but templates alone are not enough. The organisations that communicate well during incidents are the ones that invested time in preparation: customising the templates, testing the channels, rehearsing the process. Here is a practical, step-by-step approach to making this pack operational.

Customise the templates now, not during the incident

These templates are deliberately generic. They need to reflect your organisation: your tone of voice, your structure, your systems, your contact details. Set aside an hour to adapt each template. Fill in the static fields. Decide who signs the internal communications. Decide who is authorised to approve external communications. Pre-populate the legal counsel contact details, the ICO notification portal bookmark, and the escalation phone numbers. Every field you complete now is one fewer decision to make at 2am when your systems are down.

Establish your communication channels in advance

If your email system is compromised, how will you reach your staff? If your website is down, how will you communicate with customers? Identify backup communication channels: a WhatsApp group for the leadership team, a personal email distribution list, a pre-configured SMS broadcast service. Test these channels before you need them. Ensure the contact information is current and accessible from a device that does not depend on your corporate infrastructure.

Define roles and approval workflows

During an incident, speed matters, but so does accuracy. Define in advance who drafts communications, who approves them, and who sends them. The incident commander should not be writing emails; they should be managing the response. A designated communications lead, briefed by the technical team, should own the messaging. Legal counsel should review external communications before they go out, but establish a rapid review process so that legal review does not become a bottleneck.

Run a tabletop exercise

Templates are only useful if people know they exist and know how to use them. Run a tabletop exercise at least once a year where you simulate an incident scenario and walk through the communication process. Who gets notified first? How quickly can you assemble the crisis team? Can you actually reach everyone on the emergency contact list? These exercises reliably expose gaps that are invisible on paper. They also build the muscle memory that makes real incidents less chaotic.

Review and update quarterly

People leave. Contact details change. New systems are deployed. Regulatory requirements evolve. Your communication templates and procedures need to be living documents, reviewed at least quarterly and updated whenever a significant change occurs. Assign ownership to a specific person, not a committee, and build the review into an existing governance cadence so it does not get forgotten.

The cost of getting it wrong

The case studies are well documented and instructive. When TalkTalk suffered a data breach in 2015, the CEO gave a live television interview within hours. The intent was admirable, but the execution was damaging: key facts were wrong, the scope was understated, and subsequent corrections made the organisation look either incompetent or evasive. The share price dropped 12% in a week. Customer losses were estimated at over 100,000. The ICO issued a record fine. Much of that damage was attributable not to the breach itself, but to the communication failures that followed.

Contrast this with how Norsk Hydro handled a devastating ransomware attack in 2019. The aluminium manufacturer lost access to virtually all IT systems. Their response was textbook: immediate, transparent communication. They held press conferences, provided regular updates, published information on their website (hosted externally once their own systems went down), and were unflinchingly honest about the severity. The result was that despite suffering significant operational losses, Norsk Hydro emerged with its reputation enhanced. Customers, partners, and even competitors praised their handling of the crisis.

The difference between these two outcomes was not the severity of the breach. It was the quality, speed, and honesty of the communication. This is what prepared templates and practised processes make possible. Not perfection, but a disciplined, credible response that preserves trust when trust is most fragile.
