This high-level communications checklist lays out steps to follow during the first 72 hours of a security incident. Use this response process as suggested guidance as the incident develops, and tailor the steps to suit your company’s bandwidth and operations, as well as the circumstances of the incident.
Cyber Incident Communications Checklist
- Notify the Information Security Team
- Activate the Cyber Crisis Communications Team
- Decide if a planning call or meeting is needed
- Review team member roles and responsibilities
- Involve the head of corporate communications or public relations
- Confirm the process for drafting, approving and deploying communications materials
- Determine if social media monitoring and reporting should begin
- Contact external advisors
  Necessary advisors may include:
  - Cyber-liability insurance
  - Third-party security vendors
  - Incident response forensics vendors
  - External counsel
  - Law enforcement, etc.
- Develop a stakeholder notification plan
  Be sure to include when each group should be notified and which corporate function is responsible for those communications. Common stakeholder groups include:
  - Leadership
  - Legal
  - Insurance
  - Compliance
  - Board of directors
  - Employees (include media protocols, if necessary)
  - Customers (letter, email or phone)
  - Government regulators (SEC, GDPR, CCPA, NYDFS, etc.)
  - Key investors/analysts
  - Business partners/vendors
  - Community partners
- Assess the need to scale up customer-facing channels
  Necessary communications channels include:
  - Develop a microsite
  - Assess social media channels
  - Set up an email mailbox
  - Set up a breach response call center
  - Measure and, if needed, increase call center surge capacity
- Finalize an external communications rollout plan
- Begin drafting communications materials
  Route communications through appropriate approval channels; typical materials include:
  - Media holding statement
  - Key messages
  - Tough Q&A
  - Talking points for key stakeholder groups
- Review current and future external communications
  Be sure to include social media and marketing activities to determine whether they should be halted.
- Finalize communications materials
- If the incident is non-public and material
- Initiate investor notification process
- Institute stock trading “blackout window” for employees
- If there is significant customer impact
- Finalize and post official statement to website and social media channels
- Update organization statements
- If additional/new messaging is required
- Assess the need for daily media calls/briefings
- Hold regular communications update meetings
  The incident team should include:
  - Leadership
  - Cyber-liability insurance
  - Legal counsel
  - Other stakeholders (as necessary)
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.