In the first 24 hours of a cyber incident you rarely have the full facts — and yet the organisation, your customers and possibly regulators need to hear from you. The governing principle is simple: in the first day you do not communicate certainties, you communicate control. This guide sets out what a board should say, to whom, and when, while the incident response runs in parallel.
At a glance
- The rule: communicate control and process, not conclusions you cannot yet stand behind.
- The cadence: fixed update windows and a single source of truth beat a stream of contradictory messages.
- The scope: internal first, then stakeholders by audience, then external and regulators as required.
The framing rule: control, not certainty
Early messages should convey that the incident is identified, contained where possible, and being managed by a defined process — not premature claims about cause, scope or attribution. Over-promising in hour two is what creates the credibility crisis in hour twenty.
Hours 0–2: activate, contain and order the internal narrative
Convene the crisis committee, confirm who owns what, and issue a short, factual internal message to extended leadership: what is known, what is being done, when the next update will come. The aim is to stop rumour and align the people who will speak on the organisation's behalf.
Hours 2–6: map stakeholders and prepare audience messages
Identify the minimum audiences — leadership, employees, key customers, critical suppliers, and, where relevant, regulators — and draft a tailored, consistent message for each. Consistency across audiences is what protects credibility; contradictions between departments are what destroy it.
Hours 6–12: the first controlled external message, if warranted
If external communication is needed, keep it structured: acknowledge the situation, state what you are doing, avoid speculation on cause or scope, and say when you will update. A calm, specific message beats both silence and over-sharing.
Hours 12–24: stabilise the narrative and prepare the second wave
Consolidate a single, agreed version of events, keep to your update windows, and prepare the next round of communication as facts firm up. By the end of the first day the organisation should be speaking with one voice, on a predictable cadence.
What to give the board, precisely
A useful executive brief has five parts: the verified situation, the business impact, the legal and regulatory risk, the communication in progress, and — most importantly — the decisions the committee needs to make now. Anything else is noise while the clock is running.
What not to communicate in the first 24 hours
Avoid unverified cause, premature attribution, precise scope you cannot yet confirm, and any promise about recovery times you are not certain to meet. Silence on these points is not evasion; it is accuracy under uncertainty.
The mistakes that do the most damage
The recurring ones: confusing prudence with silence; over-promising; contradictory messages between areas; treating the crisis as an IT-only matter; ignoring employees and middle managers; leaving customer-facing teams unbriefed; and failing to coordinate communication with the SOC, so that what is said publicly matches what is known technically.
Minimum governance for crisis communication
Three operating rules carry most of the weight under pressure: a single source of truth, fixed update windows, and a fast approval circuit so messages go out quickly without losing control. Assign the key roles — spokesperson, coordinator, legal, technical liaison — before you need them.
Cyber crisis and compliance: NIS2, DORA, ENS and ISO 27001
NIS2 sets staggered incident-reporting deadlines, starting with an early warning; DORA defines reporting for major ICT incidents in financial entities; Spain's ENS and ISO 27001 expect defined incident handling and communication. Your first-day communication plan should be built to satisfy these obligations, not retrofitted to them afterwards. A board KPI dashboard helps leadership steer with the right signals.
Preparing the capability before the incident
None of this can be improvised at 2am. Templates, roles, audience lists and approval circuits belong in a tested plan, rehearsed like any other part of business continuity. If you want help building and rehearsing that capability — including an incident response retainer — get in touch.