Managing Public Relations During a Cyber Incident
When a cyber incident occurs, the crisis is quickly judged in the court of public opinion. The first hours set the tone for trust, credibility, and leadership. Silence, delay, or contradictory statements can cause more damage than the technical breach itself. Executives must recognise that communications are not a support activity; they are a core control that protects brand, stakeholder confidence, and long-term value.
The central difficulty is timing. Communications need to start before every fact is known, while the investigation is still unfolding. Leaders must balance speed with accuracy, resisting the urge to speculate while avoiding the perception of secrecy. At the same time, teams often struggle with thresholds for notifying regulators and affected individuals, especially when the scale and harm are still being assessed. Waiting for complete certainty can push an organisation past reasonable notification windows; moving too early can lock in statements that later need to be corrected.
Fragmentation is the next challenge. Without a single communications lead, legal, technical, customer, and executive voices speak at once, and messages diverge. Internal updates reach staff before an approved narrative exists. Customer-facing teams field questions without guidance and improvise answers. Media inquiries arrive while leadership is still aligning on facts and tone. The result is inconsistency that undermines credibility and fuels speculation.
Public expectations have risen in parallel. Stakeholders want clear, human-centred information that explains what happened, how they are affected, and what to do next. Technical jargon, minimising language, or generic assurances appear evasive. Messages must acknowledge impact, demonstrate control, and provide actionable steps—without revealing details that could aid the attacker or compromise remediation. Getting this balance right requires close coordination between communications, legal, privacy, and the incident response team.
Once an incident becomes public, scrutiny intensifies. Social media accelerates narratives; partial information hardens into headlines. Any misstep—an inaccurate number, a promise that slips, an update that arrives late—becomes proof of disarray. To counter this, organisations need a cadence of updates that show progress and accountability, even if the interim message is simply that work continues and timelines are unchanged. Consistency and predictability reduce anxiety and crowd out speculation.
Effective preparation transforms outcomes. Before any breach, designate a communications lead with clear authority and direct access to executive decision-makers. The pre-drafting of holding statements and customer notifications for common scenarios is so important, we have developed an automated solution, feel free to contact us to discuss further. Maintain an internal contact tree, escalation paths, and a rapid legal and privacy review lane. Rehearse with tabletop exercises that include media leaks, regulator queries, and difficult stakeholder questions, not just technical containment. Treat every rehearsal as an opportunity to refine tone, timing, and the division of responsibilities.
New Zealand regulators have issued specific recommendations to guide this balance. The Office of the Privacy Commissioner expects organisations to notify promptly if a breach is likely to cause serious harm, ideally within seventy-two hours of becoming aware of it. They emphasise documenting decision-making, being transparent about uncertainties, and showing affected people how to access support. Complementing this, OwnYourOnline and CERT NZ recommend assigning a dedicated communications lead during incidents, centralising all external and internal messaging, and preparing clear, plain-language updates that explain what has happened and what actions people should take. Together, these frameworks place speed, clarity, and empathy at the centre of incident communications.
During the incident, activate the communications lead early and place them in the core response huddle. Establish a single source of truth that governs all external and internal messaging. Open with a factual acknowledgement, outline immediate actions, and explain how affected people can protect themselves. State what is unknown and commit to the next update time. Keep messages short, plain, and empathetic. Coordinate any notifications to regulators and affected individuals in step with these public messages to ensure alignment across every audience.
After the incident stabilises, continue communicating until remediation and support measures are complete. Provide a final wrap-up that records what happened, what was learned, and what has changed to reduce the chance of recurrence. Close the loop with staff, customers, partners, and boards so that trust is rebuilt on evidence, not promises. Conduct a post-incident review that evaluates the effectiveness of communications alongside technical response, and feed those lessons into playbooks, training, and executive briefings. We also have an automated solution for post incident reviews, contact us to learn more about this. Public relations in a cyber incident is a frontline defence. Organisations that prepare, centralise authority, communicate with clarity and empathy, and sustain a disciplined update rhythm preserve reputation, meet obligations, and protect the people who rely on them.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
Incident Response Solutions 