Hard2bit
← Back to the cybersecurity blog

Cyber crisis communication: what to communicate in the first 24 hours

By Thilina Manana · COO y Director Técnico de Seguridad hard2bit · Published: 08 July 2026 · Updated: 08 July 2026
Cyber crisis communication: what to communicate in the first 24 hours

In the first 24 hours of a cyber incident you rarely have the full facts — and yet the organisation, your customers and possibly regulators need to hear from you. The governing principle is simple: in the first day you do not communicate certainties, you communicate control. This guide sets out what a board should say, to whom, and when, while the incident response runs in parallel.

At a glance

  • The rule: communicate control and process, not conclusions you cannot yet stand behind.
  • The cadence: fixed update windows and a single source of truth beat a stream of contradictory messages.
  • The scope: internal first, then stakeholders by audience, then external and regulators as required.

The framing rule: control, not certainty

Early messages should convey that the incident is identified, contained where possible, and being managed by a defined process — not premature claims about cause, scope or attribution. Over-promising in hour two is what creates the credibility crisis in hour twenty.

Hours 0–2: activate, contain and order the internal narrative

Convene the crisis committee, confirm who owns what, and issue a short, factual internal message to extended leadership: what is known, what is being done, when the next update will come. The aim is to stop rumour and align the people who will speak on the organisation's behalf.

Hours 2–6: map stakeholders and prepare audience messages

Identify the minimum audiences — leadership, employees, key customers, critical suppliers, and, where relevant, regulators — and draft a tailored, consistent message for each. Consistency across audiences is what protects credibility; contradictions between departments are what destroy it.

Hours 6–12: the first controlled external message, if warranted

If external communication is needed, keep it structured: acknowledge the situation, state what you are doing, avoid speculation on cause or scope, and say when you will update. A calm, specific message beats both silence and over-sharing.

Hours 12–24: stabilise the narrative and prepare the second wave

Consolidate a single, agreed version of events, keep to your update windows, and prepare the next round of communication as facts firm up. By the end of the first day the organisation should be speaking with one voice, on a predictable cadence.

What to give the board, precisely

A useful executive brief has five parts: the verified situation, the business impact, the legal and regulatory risk, the communication in progress, and — most importantly — the decisions the committee needs to make now. Anything else is noise while the clock is running.

What not to communicate in the first 24 hours

Avoid unverified cause, premature attribution, precise scope you cannot yet confirm, and any promise about recovery times you are not certain to meet. Silence on these points is not evasion; it is accuracy under uncertainty.

The mistakes that do the most damage

The recurring ones: confusing prudence with silence; over-promising; contradictory messages between areas; treating the crisis as an IT-only matter; ignoring employees and middle managers; leaving customer-facing teams unbriefed; and failing to coordinate communication with the SOC, so that what is said publicly matches what is known technically.

Minimum governance for crisis communication

Three operating rules carry most of the weight under pressure: a single source of truth, fixed update windows, and a fast approval circuit so messages go out quickly without losing control. Assign the key roles — spokesperson, coordinator, legal, technical liaison — before you need them.

Cyber crisis and compliance: NIS2, DORA, ENS and ISO 27001

NIS2 sets staggered incident-reporting deadlines, starting with an early warning; DORA defines reporting for major ICT incidents in financial entities; Spain's ENS and ISO 27001 expect defined incident handling and communication. Your first-day communication plan should be built to satisfy these obligations, not retrofitted to them afterwards. A board KPI dashboard helps leadership steer with the right signals.

Preparing the capability before the incident

None of this can be improvised at 2am. Templates, roles, audience lists and approval circuits belong in a tested plan, rehearsed like any other part of business continuity. If you want help building and rehearsing that capability — including an incident response retainerget in touch.

Frequently asked questions

Who should be the spokesperson during the first 24 hours of a cyber incident?

A single, pre-designated spokesperson supported by the crisis committee — not whoever happens to be available. Consistency of voice protects credibility, so the role, and a backup, should be assigned before an incident occurs.

Is it better to wait until you have all the information before communicating?

No. In the first 24 hours you communicate control and process, not certainties. Silence reads as loss of control; the right approach is factual, bounded messages that say what is known, what is being done and when the next update will come.

Which communication mistakes are most critical in a cyber incident?

Confusing prudence with silence, over-promising, contradictory messages between departments, treating it as an IT-only matter, ignoring employees, leaving customer-facing teams unbriefed, and not coordinating with the SOC so public statements match technical reality.

When must you notify regulators and authorities?

It depends on the regime. NIS2 sets staggered deadlines beginning with an early warning, and DORA defines reporting for major ICT incidents in financial entities. Your plan should map these obligations in advance so the timing is known, not improvised.

How do you measure whether crisis communication is working?

Track whether updates go out within their committed windows, whether messages stay consistent across audiences, and whether internal and customer-facing teams feel informed. Predictable cadence and a single version of events are the practical success signals.

What is cyber crisis communication?

It is the coordinated management of what an organisation says, to whom and when during a cyber incident, aligning business, legal and technical response so the organisation speaks with one credible voice while the incident is handled.