The Importance of a Cyber Incident Response Communication Plan

April 25th, 2024 Posted in Information Security

Does your organisation have a cyber incident response communication plan in place? Imagine your organisation is currently in the midst of cyber-related incident. Your operational incident response team (IRT) is stretched thin in containing the affected systems; however, your customer services department are urgently requesting information to provide to affected customers who are unable to use your services.

So how do you ensure this situation doesn’t arise in future, or can be dealt with efficiently? The need for a robust Cyber incident response communication plan when communicating both internally and externally cannot be overstated. Whilst your operational Incident Response Team (IRT) is dealing with the technical aspects of the incident, communication with your wider business, customers,  regulators, and other third parties are vital to coordinate your response, manage your reputation, and comply with regulatory and contractual requirements.

A strong communication plan minimises the financial, reputational, and legal impact of a cyber security incident.

This is exemplified by the British Library who, following a ransomware incident, were commended by the National Cyber Security Centre (NCSC) for their post-incident report and transparency, due to having a robust Cyber Incident Response Plan (IRP) in place, alongside an effective response communication plan.

Here at Evalian, we facilitate Cyber Incident Exercises for all kinds of small, medium, and large enterprises across a range of levels within the organisation, including operational level, management level, and board level. One trend we have observed when facilitating these exercises is that, whilst organisations are prepared in the technical aspects of responding to an incident, many do not have a formalised Cyber Incident communication plan.

View our Cyber Incident Response Services

This blog will dive into what makes an effective cyber incident communication plan and what organisations should be communicating during, and after, a cyber-related incident.

Objective of the Communication Plan

As we already highlighted, during a cyber incident, panic, confusion, and uncertainty can ensue. Without a formal cyber incident communication plan to direct your organisation, you risk delaying responses and providing inconsistent, or incomplete messaging ultimately exacerbating the operational, financial, legal, damage to your business, and in some cases, the safety of your staff. You may also find it useful to read our blog on what to do after a cyber incident.

The objective of a cyber incident communication plan is to anticipate these security scenarios and potential risks, ensuring your organisation’s response to the incident is prepared, timely, clear, concise, and accurate. This should also support your overall cyber security strategy and business objectives. 

Elements of a communication plan

A cyber incident communication plan should be tailored to your organisation and your unique operating environment. We discuss considerations to account for in the section below. However, all plans should contain core elements that underpin any organisation’s communication strategy. An effective communication plan should:

  1. Define objective, scope and audience
  2. Set out roles and responsibilities
  3. Identify key stakeholders; internal and external
  4. Establish communication channels and mechanisms
  5. Establish requirements for distribution and maintenance of the plan, training, and lessons learned

The scope and requirements of a communication plan may be very broad and therefore there may be multiple plans depending on the objectives of the communication. E.g., data sharing between internal teams, reporting a data breach to regulatory bodies, or media engagement, etc.

Considerations for Your Communication Plan

In this section we identify and explore key considerations to account for when tailoring your communication plan.

Stakeholder Management

During an incident, your internal and external stakeholders will demand timely and accurate information and seek reassurances that your organisation is responding to the incident in the correct manner. These stakeholders can include, but are not limited to, employees, members of the board of directors, investors, customers, regulatory bodies, and the media.

A formal incident response communication plan will help to ensure that each stakeholder is receiving tailored communications, and that only relevant information is provided to them. This in turn can maintain trust in your organisation and mitigate any reputational damage by preserving long-term relationships.

Legal and Regulatory Compliance

Cyber incidents often trigger legal and regulatory processes. From informing the Information Commissioner’s Office about a data breach, to your organisations industry specific compliance standards such as the Charities Commission, the Gambling Commission, and the Financial Conduct Authority, it can be hard to keep track and understand what information you should be providing and when during an incident.

By documenting the responsibility, deadlines in which to make such notifications, and the information to be provided when an incident is first detected, your organisation can navigate through these legal minefields with clarity.

Protecting Your Brand’s Reputation

As part of the wider process of continuing or returning to Business as Usual (BAU), protecting your brands reputation during, and following, a cyber incident is a critical factor. Cyber incidents can tarnish the reputation of even the most established organisation, leading to a loss of trust and the potential that your customers and investors may take their business elsewhere.

In preparation for an incident, your organisation may wish to consider the creation of holding statements. Holding statements serve as temporary responses during the initial stages of an incident. They enable your organisation to address the situation quickly and proactively provide assurance that the incident is in hand whilst evidence is gathered and assessed to determine the type and extent of the incident – buying time for more tailored and accurate communications to be prepared. Pre-prepared statements also provide a greater level of control and consistency over communications reducing the risk presented by misinformation and speculation.

Communication Methods and Communication Groups

Including the methods of communication in your plan is essential for several reasons, including defining the platforms on which to communicate, identification of a secondary communication method to provide resilience, and segmentation of the various IRT functions.

Formalising the methods of communication by which the IRT should communicate ensures clarity, whether that be in person, or remotely via apps such as Microsoft Teams, Zoom, and Slack. When selecting your communication methods, ensure you have given consideration to your regulatory requirements where auditing is required.

Once your organisation has defined your primary communication method, a secondary method should be identified in the event that the primary communication method is compromised or becomes unavailable. You may wish to consider isolation from your network, where separate login credentials and hardware are used to provide resilience.

Implementing and Testing Emergency Communications

Depending on the size of your organisation, you may wish to implement an emergency cascading communication system. This system can be implemented in various methods, including SMS text messaging, email, and communication apps such as Teams. By implementing an emergency communication system, your organisation can raise awareness of the incident and provide critical messages and directions to your staff about the incident and how they should proceed.

Testing of the emergency communication system should be completed regularly to assess its’ effectiveness and functionality.

Public Relations and Crisis Management

Where your organisation attracts attention from external stakeholders and the media, it is important to include the responsibility for addressing these communications, be it in-house, or a third-party Public Relations and Crisis Management supplier on retainer.

By incorporating Public Relations and Crisis Management into your communication plan, your organisation can respond in a concise manner to minimise the reputational impact the incident may cause from a brand and trust perspective and protect future revenue.


Formalising your cyber incident communication plan prior to a cyber incident occurring should be considered a necessity. How you communicate during and after a cyber incident is critical to minimising the impact of a cyber security incident and maintaining trust in your organisation.

Poor communication during an incident can damage your brands reputation, resulting in financial implications and a loss of trust from your customers, staff, and investors. By implementing a communication plan, the IRT can refer to this amid a cyber incident and provide your staff with clear guidance on the exact information to be provided to your customers and other stakeholders.

Need help with your Incident Response Preparation?

If you need help or advice on maturing your Incident Response process, we are here to help. We are able to create a suite of incident response documents including the plan, policy and playbooks tailored to your organisation, as well as assess your current procedures against industry best practice and deliver incident response tabletop training exercises and provide expert recommendations for improvement to better prepare your business for any potential security incident.

Download your free Guide to Cyber Incident Response. 

Contact us using the form below for further information on how we are able to assist in your Incident Response and security training needs.

Evalian is committed to protecting and respecting your privacy. By proceeding with your inquiry, you agree to the terms of our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

Image by freepik

David Chadwick

Written by David Chadwick

David advises on information and cyber security. David began his career working in Digital Forensics within both law enforcement and private industry before moving into cyber security. David holds a BSc in Digital Forensics and is currently working towards an MSc in Cyber Security.