PRACTITIONER GUIDE | INCIDENT RESPONSE

Cyber Incident Communication Plan: Templates and Framework

Sources:NIST SP 800-61r2 Computer Security Incident Handling Guide|SEC Cybersecurity Disclosure Rules 2023|GDPR Article 33 Breach Notification Requirements|Ponemon Institute Cost of a Data Breach Report 2025|CISA Incident Response Communications Guide
72 hours: GDPR deadline for notifying the supervisory authority after becoming aware of a personal data breach
4 business days: SEC deadline for disclosing a material cybersecurity incident on Form 8-K, counted from the materiality determination, not from discovery
38%: of breach-related reputational damage attributed to poor communication rather than the breach itself

When a cyber incident hits, the technical team focuses on containment. Meanwhile, the clock is ticking on regulatory notifications, the CEO's inbox is filling with press inquiries, and employees are speculating on Slack. Communication failure during an incident can cause as much organizational damage as the incident itself. A pre-built communication plan turns a chaotic improvisation into a coordinated response.

Communication Planning Before an Incident

Every element of your communication plan should exist before you need it. Post-incident is the worst time to figure out who needs to be notified, what they need to hear, and who is authorized to say it. Pre-incident communication planning deliverables include: a stakeholder matrix (who gets notified at what severity thresholds), pre-approved message templates for each audience, a communications chain of command (who approves messages before they send), a media relations protocol (who speaks to press and what they can say), and legal review of all customer-facing and regulatory templates.

Stakeholder Matrix

Different audiences need different information at different times. Map your stakeholders before an incident:

Executive leadership (CEO, CFO, GC)

Notify immediately upon P1/P2 declaration. They need: what happened (brief), business impact, regulatory exposure, and current containment status. Update every 2 hours or upon material status changes.

Board of directors

Notify within 24 hours if the incident is material (will require SEC 8-K or equivalent disclosure). They need: incident summary, regulatory obligations, legal exposure, and your response plan.

Internal employees

Notify within the first few hours, before they hear from external sources. General employees need: that an incident occurred, what they should or should not do, and where to get updates. Avoid over-disclosure.

Affected customers

Notify per contractual and regulatory requirements. Timing varies: under GDPR Article 34, affected individuals must be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms. Include: what data was involved, what you are doing about it, what they should do, and your support contact.

Regulators

Timeline is dictated by applicable law. GDPR: 72 hours to the supervisory authority from becoming aware of the breach. SEC: 4 business days from the materiality determination for material incidents (8-K). HHS/OCR: without unreasonable delay and no later than 60 days after discovery for HIPAA breaches (breaches affecting fewer than 500 individuals may be logged and reported to HHS annually). State AG notifications vary by state.

Media/public

Only communicate proactively if the incident is already public or will imminently become public. Reactive: confirm facts and explain response. Never speculate about scope or cause before investigation concludes.

Law enforcement

FBI IC3 for ransomware. CISA for critical infrastructure incidents. Notify law enforcement before paying any ransom. Reporting does not obligate you to share more than you choose.

Cyber insurer

Notify your insurer within 24 to 48 hours per your policy terms. Failure to notify promptly can create coverage disputes. Your insurer may provide incident response retainer resources.


Internal Communication Templates

Pre-draft these for your incident commander and communications lead. Fill in bracketed fields during the incident.

Initial internal notification

Subject: Security Incident - Action Required. We have identified a cybersecurity incident affecting [systems/scope]. Our security team is actively investigating and containing the issue. Until further notice: [specific actions - do not open suspicious emails / disconnect from VPN / do not access system X]. Do not discuss this incident externally. Updates will follow every [2/4] hours.

Employee update template

Update [number]: Security Incident Response. Status: [Investigating / Contained / Remediating]. Affected systems: [list]. What we know: [brief factual summary]. What we are doing: [steps]. What you should do: [actions]. Next update: [time].

All-clear notification

The cybersecurity incident that began on [date] has been fully remediated. [Systems] have been restored. We have completed forensic investigation and confirmed that [no additional systems / the following additional systems] were affected. We are implementing [improvements] to prevent recurrence. Full incident report available to [audience] on [date].
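The templates above are meant to be filled in under pressure, and the failure mode is obvious: a message goes out with "[systems]" or "[time]" still in it. The following is an added example, not code from the original page, of a small pre-send gate that lists the bracketed fields a template needs, reports which are missing from the values supplied, and refuses to render a message that still contains any bracket (including one smuggled in by a supplied value). The template string and sample values are constructed here for illustration; the field names are whatever literal text sits between the brackets.

```python
from __future__ import annotations

import re

# Matches the bracketed fill-in fields used in the templates above, e.g. "[systems/scope]".
FIELD = re.compile(r"\[([^\[\]]+)\]")

# Initial internal notification template, as on this page (bracketed fields are the
# ones the incident commander fills in).
INITIAL_NOTIFICATION = (
    "Subject: Security Incident - Action Required. We have identified a cybersecurity "
    "incident affecting [systems/scope]. Our security team is actively investigating and "
    "containing the issue. Until further notice: [specific actions]. Do not discuss this "
    "incident externally. Updates will follow every [2/4] hours."
)


def placeholders(template: str) -> list[str]:
    """Bracketed fields in order of first appearance, without duplicates."""
    seen: list[str] = []
    for field in FIELD.findall(template):
        if field not in seen:
            seen.append(field)
    return seen


def missing_fields(template: str, values: dict[str, str]) -> list[str]:
    """Fields the template needs that the supplied values do not cover."""
    return [f for f in placeholders(template) if f not in values]


def unfilled(text: str) -> list[str]:
    """Any bracketed field still present in a (supposedly) rendered message."""
    return FIELD.findall(text)


def render(template: str, values: dict[str, str]) -> str:
    """Fill every field; refuse to produce a message that still carries brackets."""
    missing = missing_fields(template, values)
    if missing:
        raise ValueError(f"unfilled fields: {missing}")
    text = FIELD.sub(lambda m: values[m.group(1)], template)
    leftover = unfilled(text)  # a supplied value may itself contain "[...]"
    if leftover:
        raise ValueError(f"fields still present after fill: {leftover}")
    return text


def example() -> str:
    """Constructed sample values for the initial notification (hypothetical incident)."""
    values = {
        "systems/scope": "the payroll file-transfer server",
        "specific actions": "do not access the payroll share; report suspicious emails to the SOC",
        "2/4": "2",
    }
    return render(INITIAL_NOTIFICATION, values)


if __name__ == "__main__":
    print(placeholders(INITIAL_NOTIFICATION))
    print(example())
```

Choice-style fields such as "[2/4]" or "[Investigating / Contained / Remediating]" are filled like any other, by the literal bracket text; the gate only guarantees that nothing goes out half-filled, it does not pick the value for you.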

Executive Briefing Template

Executives need situational awareness without technical noise. Structure your executive briefing as: Incident summary (2-3 sentences), business impact (what is down, what revenue is affected, what customers cannot do), regulatory exposure (which notification deadlines apply and when), containment status (current phase, estimated resolution timeline), key decisions needed from leadership (approve ransom negotiation / approve customer notification / engage PR firm), and next update time. Deliver this verbally or in a secure channel, never in regular email if the incident involves email compromise.

Customer Notification Template

Customer notification letters follow a standard structure that has been refined through decades of breach litigation. Open with a direct statement of what happened (not buried apology language). Include: date of incident, date of discovery, what data was involved (be specific: names, email addresses, SSNs, payment card data), how it happened (if you know and can disclose), what you have done (containment, remediation, law enforcement notification), what affected individuals should do (credit monitoring steps, password changes, fraud alert instructions), and your support contact. Provide credit monitoring or identity protection services if SSNs or financial data were involved. Have your legal team review before sending. Each state has different specific requirements for notification content.

Regulatory Notification Checklist

Maintain this checklist and assign owners before an incident:

GDPR (72 hours)

Notify the lead supervisory authority within 72 hours of becoming aware of the breach with: nature of the breach, approximate number of individuals and records affected, categories of personal data involved, contact details of your DPO or other contact point, likely consequences, and measures taken or proposed. Article 33 allows information to be provided in phases if it is not all available at once; document the reason for any delay. File via the authority's breach notification portal.

SEC 8-K (4 business days)

Disclose material cybersecurity incidents via Form 8-K Item 1.05 within four business days of determining the incident is material. Include: material aspects of the nature, scope and timing of the incident, whether data was stolen, and any material or reasonably likely material impact on the company. Technical details are not required. Disclosure may be delayed only if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing, so engage DOJ early if you expect to rely on that exception.

HIPAA (60 days)

Notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach. If 500 or more individuals are affected, notify the HHS Secretary on the same clock; smaller breaches are logged and reported to HHS annually. If more than 500 residents of a single state or jurisdiction are affected, also notify prominent media outlets serving that area.

State breach notification laws

All 50 US states have breach notification laws with varying deadlines and content requirements. Most require notice "without unreasonable delay", and a growing number set an outer limit of 30, 45 or 60 days; some also require notice to the state attorney general above a threshold number of residents. Your legal team must map applicable state laws based on where affected individuals reside.
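The checklist above and the SEC question in the FAQ below turn on three different clocks: GDPR counts 72 hours from awareness, HIPAA counts 60 calendar days from discovery, and the SEC counts four business days from the materiality determination, which may come well after discovery. The following is an added example, not code from the original page or from any of the cited sources, of a small tracker that computes those deadlines from the timestamps and reports hours remaining. It assumes awareness equals discovery, models business days as Monday to Friday only (US federal holidays are not handled, so treat the SEC result as the latest possible date until a holiday calendar is checked), and treats the 8-K as due by the end of the fourth business day. The incident timestamps in example_incident() are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Deadline:
    regime: str
    due: datetime
    clock_started: bool = True  # False: the triggering determination has not been made


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by `days` business days. Assumption: Mon-Fri only, no holiday calendar."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 = Monday..Friday
            remaining -= 1
    return current


def notification_deadlines(
    discovered: datetime,
    materiality_determined: datetime | None = None,
    hipaa_individuals: int = 0,
) -> list[Deadline]:
    """Deadlines for the regimes on the checklist, earliest first; items whose
    clock has not started sort to the top as open action items."""
    items = [Deadline("GDPR Art. 33 supervisory authority", discovered + timedelta(hours=72))]
    if materiality_determined is None:
        # The SEC clock only starts at the materiality determination, which itself
        # must be made without unreasonable delay after discovery.
        items.append(Deadline("SEC 8-K Item 1.05 (materiality undetermined)", discovered, False))
    else:
        items.append(Deadline("SEC 8-K Item 1.05", add_business_days(materiality_determined, 4)))
    if hipaa_individuals > 0:
        items.append(Deadline("HIPAA individual notice", discovered + timedelta(days=60)))
        if hipaa_individuals >= 500:
            # HHS notice on the same 60-day clock for 500+; media notice uses the
            # per-state resident count, assumed here to be the same figure.
            items.append(Deadline("HIPAA HHS and media notice", discovered + timedelta(days=60)))
    return sorted(items, key=lambda d: (d.clock_started, d.due))


def status(deadlines: list[Deadline], now: datetime) -> dict[str, float | None]:
    """Hours remaining per regime (negative = overdue); None if the clock has not started."""
    out: dict[str, float | None] = {}
    for d in deadlines:
        if not d.clock_started:
            out[d.regime] = None
        else:
            out[d.regime] = round((d.due - now).total_seconds() / 3600, 1)
    return out


def example_incident() -> dict[str, str]:
    """Constructed sample: discovered Friday 2025-03-07 14:00 UTC, deemed material the
    same afternoon, 1,200 HIPAA-covered individuals. Returns ISO-8601 due times."""
    discovered = datetime(2025, 3, 7, 14, 0, tzinfo=timezone.utc)
    dls = notification_deadlines(discovered, materiality_determined=discovered, hipaa_individuals=1200)
    return {d.regime: d.due.isoformat() for d in dls}


def example_status() -> dict[str, float | None]:
    """Same constructed incident, checked on Sunday 2025-03-09 12:00 UTC."""
    discovered = datetime(2025, 3, 7, 14, 0, tzinfo=timezone.utc)
    dls = notification_deadlines(discovered, materiality_determined=discovered, hipaa_individuals=1200)
    return status(dls, datetime(2025, 3, 9, 12, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for regime, due in example_incident().items():
        print(f"{regime:45s} {due}")
    print(example_status())
```

Note what the sample shows: a Friday-afternoon materiality determination pushes the 8-K to the following Thursday because the weekend does not count, while the GDPR clock runs straight through it and expires Monday afternoon. Leaving the materiality call open keeps the SEC item visible as unstarted rather than silently absent.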

Post-Incident Communication

After the incident is contained, communication responsibilities do not end. Publish an incident report to affected customers and stakeholders within 30 to 60 days. The report should cover: timeline of events, root cause, data affected, response actions taken, and security improvements implemented. Organizations that communicate transparently post-incident recover reputational standing faster than those that go silent. Cloudflare's public write-up of its November 2023 security incident is widely cited as an example of effective post-incident communication.

The bottom line

Incident communication is a skill you build before the crisis, not during it. The organizations that handle breaches best have pre-approved templates, clear authority chains, and pre-mapped regulatory deadlines sitting in a response runbook. Build yours on a Tuesday afternoon, not at 2 AM when the alerts are firing.

Frequently asked questions

When should I notify customers during a breach?

Regulatory requirements set the floor: GDPR requires the supervisory authority to be notified within 72 hours of awareness and affected individuals without undue delay where the breach is likely to result in a high risk to them, and US state breach laws generally require notice without unreasonable delay, with several states setting outer limits of 30 to 60 days. Beyond legal requirements, notify customers as soon as you have confirmed what data was involved and what they should do. Premature notification before facts are confirmed creates more confusion than value.

Do I have to notify law enforcement?

No general US law requires private-sector organizations to notify law enforcement of a cybersecurity incident, although sector regulators may require incident reporting to them (for example, the federal banking agencies' 36-hour computer-security incident notification rule), and CIRCIA, once its implementing rule is final, will require covered critical infrastructure entities to report to CISA. Notifying the FBI is strongly recommended for ransomware incidents before any payment decision. The FBI IC3 maintains threat intelligence that can help your investigation, and reporting does not obligate you to cooperate in any prosecution.

Who should be the spokesperson for a public breach?

The CEO or CISO, depending on the severity and public profile of the incident. For material breaches affecting consumers, the CEO communicating directly signals accountability. For technical incidents without broad consumer impact, the CISO is appropriate. Legal counsel should review any public statements. Never put a junior communications staffer in the public role without executive backup for major incidents.

What should I never say during a breach response?

Never speculate about root cause before your investigation is complete. Never minimize the incident by saying 'there is no evidence of data misuse' unless forensics has confirmed this. Never say 'we take security seriously' as an opening line (it is cliche and reads as defensive). Never make commitments you cannot keep (we will notify all affected customers by tomorrow). Never blame a third-party vendor publicly before your contract and legal team review the liability implications.

How is the SEC 4-day disclosure rule applied?

The SEC requires public companies to disclose material cybersecurity incidents on Form 8-K Item 1.05 within 4 business days of determining the incident is material. Materiality is a legal determination, not purely a technical one, and the rule requires that determination to be made without unreasonable delay after discovery. A significant ransomware incident at a large retailer is almost certainly material; a minor malware infection affecting no customer data probably is not. The SEC has indicated it will scrutinize situations where companies delay the materiality determination to extend the 4-day clock.

What is the difference between a breach notification and an incident report?

A breach notification is a legally required communication to affected individuals or regulators, focused on what happened and what they should do. An incident report is a post-incident analytical document that covers the technical timeline, root cause, response actions, and lessons learned. Breach notifications are legally governed and often brief; incident reports are longer, internal or semi-public documents used for improvement and accountability.

Sources & references

  1. NIST SP 800-61r2 Computer Security Incident Handling Guide
  2. SEC Cybersecurity Disclosure Rules 2023
  3. GDPR Article 33 Breach Notification Requirements
  4. Ponemon Institute Cost of a Data Breach Report 2025
  5. CISA Incident Response Communications Guide


Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
