When calm crumbles, chaos calls the shots: How communications plans fail in cyber crisis

Published by Megan Lane, Director, Crisis and Strategic Communications, CyberCX on 28 May 2025

This is the second blog in a three-part series ‘Cyber Crisis Ready’ to help organisations prepare and respond to cyber incidents

Whether it be the pandemic, industrial disputes, weather events, political uncertainty or regulatory action, it’s a rare team that hasn’t dealt with significant issues management.

But cyber and technology crises are different – and playbooks and plans for other kinds of crisis are often not fit for purpose.

After thousands of hours supporting teams and organisations through significant cyber and technology challenges, these are the most fraught moments where I have seen established practices fall short — and how they can be avoided.

1. Commitments to transparency without clear communications triggers

In a crisis, one of the hardest calls an organisation needs to make is when to begin disclosing their issue to stakeholders.

Some will seek to downplay and supress the bad news, while others will push to disclose very early and before the crisis is established.

These are robust – even fraught – debates. But they don’t need to be.

From the outset, organisations should outline their communications trigger points. These triggers do not mean you will go public when you meet one, but capture key moments an organisation will actively consider broader disclosures.

While every organisation will have their own requirements and regulatory obligations, we encourage you to consider the following thresholds:

• Establish that you are experiencing a significant cyber intrusion.
• Confirm sensitive data access or data theft.
• An inbound media query.
• A breach is found on the dark web.
• Ransomware or containment measures affect operations.

Outlining your communications triggers provides clarity across the organisation and can act as an early warning to prepare business units for appropriate action. It also ensures your organisation’s appetite to disclose information is aligned at different executive levels.

2. Decentralised stakeholder management

Crisis communications is ultimately about your stakeholders – ensuring they feel heard, and where appropriate, can be on the journey with your organisation.

Too often stakeholder management in a crisis is largely left to siloed teams who are instructed to manage their established relationships with a phone script.

Without a dedicated stakeholder management function in a cyber crisis, coordinating messaging to and from your diverse stakeholders becomes difficult to track and effectively respond to.

We encourage organisations to centralise stakeholder management in a crisis. This enables your organisation to capture key relationships relating to legal obligations, contractual responsibilities and strategic considerations.

You should then ask which stakeholders need to be informed and in what order of priority, who from your organisation will engage with each stakeholder and how, and what is required from the communications team to support the engagements.

With this in place, it becomes possible to centralise stakeholder feedback, giving senior decision makers a better sense of where the organisation is positioned.

3. Unclear drafting and clearance processes

Crisis communications is a multidisciplinary exercise – and that is most true in the clearance process.

But many crisis communications plans fail to clearly acknowledge the role that legal counsel (including external counsel), technical teams, executive leadership and the board will play in the clearance of internal and external communications.

Failure to clearly articulate roles and expectations to each team before an incident complicates your response, making it significantly more difficult to move with precision and pace in a crisis.

Instead, document these teams and their roles clearly in your crisis communications planning, and circulate this ahead of regular cyber exercises to ensure your colleagues clearly understand each team’s respective role.

4. Over-reliance on pre-prepared messaging

Some teams planning for a cyber incident scenario prepare as much communications collateral as they can.

Generally, these messaging templates stop at the “first” notification of a cyber incident, assume too much, and push organisations to get ahead of the technical reality of their incident.

We urge organisations to avoid this pitfall by ensuring they:

• Understand the anatomy of a cyber incident and possible communications trigger points.
• Create a statement structure for each trigger point.
• Prepare a suite of questions for technical, legal, and business continuity colleagues so you know what you need to ask.

5. Training stops at the top

An increasing number of executives and boards are participating in cyber crisis exercises, sometimes called simulations or wargaming. Unfortunately, this opportunity is rarely extended to operational, level communications and corporate affairs team members.

During these exercises, boards and executives often identify – correctly – that communications is one of the few strategic levers an organisation has at its disposal to regain control of the narrative during a cyber crisis. That realisation needs to translate into increased maturity and uplift through communications focused exercises or adjacent training at the operational level.

While there is no such thing as a good cyber crisis, undoubtedly some are better managed than others.

When my team works with organisations early to uplift their communications protocols and planning, we leave knowing we have made a meaningful change to improve the resilience of organisations and businesses that communities rely on.