On July 26, 2023, the SEC adopted rules requiring public companies to disclose material cybersecurity incidents on Form 8-K Item 1.05 within four business days of determining materiality.
Enforcement followed quickly. In June 2024, R.R. Donnelley & Sons agreed to pay USD 2.125 million to settle SEC charges of disclosure-control and internal-accounting-control failures connected to a 2021 ransomware attack, and in October 2024 the SEC charged four more companies (Unisys, Avaya, Check Point and Mimecast) with making materially misleading disclosures about cybersecurity incidents.
The message is unambiguous: how you communicate during a crisis is no longer just a reputational concern. It is a legal and regulatory obligation with enforcement consequences.
Yet most crisis communication plans remain untested binders of generic holding statements and org charts that were last updated when someone changed roles. When an actual crisis hits, whether a ransomware attack, a product recall, a workplace safety incident, or a supply chain collapse, teams scramble to draft messaging, argue over approval chains, and make ad hoc decisions about what to disclose, to whom, and when.
The result: delayed responses that create information vacuums, inconsistent messaging across stakeholder groups, and regulatory exposure from poorly timed or poorly worded disclosures.
This guide gives you a complete, fill-in crisis communication plan template structured around the three phases that matter: before a disruption (preparation), during a disruption (response), and after a disruption (recovery and learning).
It includes pre-drafted holding statements for the six most common crisis types, a stakeholder-specific escalation matrix, SEC and regulatory disclosure considerations, media protocols, and internal communication frameworks.
What Is a Crisis Communication Plan?
A crisis communication plan is a documented framework that defines how an organisation communicates with internal and external stakeholders before, during, and after a disruptive event.
It sits within your broader business continuity management system and crisis management plan, but focuses specifically on the messaging, channels, approvals, and timing of communications rather than operational recovery procedures.
The Federal Emergency Management Agency (FEMA) describes a crisis communications plan as a strategic blueprint for addressing emergencies, including the tools, processes, and protocols an organisation uses to communicate during a crisis. ISO 22301:2019 requires the organisation to determine what it will communicate, when, with whom, and how (Clause 7.4), and to maintain documented warning and communication procedures for use during a disruption (Clause 8.4.3).
Why Crisis Communication Plans Fail
- No pre-drafted messaging: Teams draft statements from scratch under time pressure, leading to vague, legalistic, or contradictory messages.
- Unclear approval chains: Five people need to approve a statement, but no one knows who goes first or what happens when someone is unavailable.
- Stakeholder blind spots: The plan covers media and customers but ignores employees, regulators, investors, or business partners who need different information at different times.
- Channel dependency: The communication plan relies on email and intranet, but both are down because the crisis is a cyberattack.
- No rehearsal: The plan has never been exercised. When people read their roles for the first time during a real crisis, execution collapses.
- Regulatory ignorance: The communications team drafts a public statement without consulting legal on SEC disclosure obligations, state breach notification laws, or sector-specific reporting requirements.
The Three Phases of Crisis Communication
An effective crisis communication plan operates across three distinct phases:
- Before (Preparation): Build the infrastructure, draft the templates, train the team, and rehearse the process before a crisis occurs.
- During (Response): Execute the plan with speed, accuracy, and stakeholder-appropriate messaging under real-time pressure.
- After (Recovery): Communicate resolution, capture lessons learned, rebuild trust, and update the plan.
This guide provides templates and guidance for all three phases.
Phase 1: Before the Disruption (Preparation)
The quality of your crisis communication is determined before the crisis begins. Preparation is the phase where you build the team, define the processes, draft the messages, and test the system.
1.1 Crisis Communication Team Structure
Define the team that will manage crisis communications. This is not the same as your crisis management team (which manages operational response), though there is overlap. The crisis communication team focuses specifically on messaging, media, stakeholder engagement, and regulatory disclosure.
| Role | Responsibilities | Primary Contact | Backup |
| Crisis Communication Lead | Overall coordination of messaging, spokesperson management, approval workflow | [Name / Title] | [Name / Title] |
| Spokesperson(s) | External-facing communication: media, customers, investors, public | [Name / Title] | [Name / Title] |
| Legal / General Counsel | Regulatory disclosure review, SEC 8-K obligations, privilege protection, breach notification | [Name / Title] | [Name / Title] |
| Investor Relations | Shareholder communication, analyst briefings, SEC filing coordination | [Name / Title] | [Name / Title] |
| Internal Communications | Employee messaging, all-hands calls, manager talking points, intranet updates | [Name / Title] | [Name / Title] |
| Social Media Lead | Social media monitoring, response, platform-specific messaging | [Name / Title] | [Name / Title] |
| Subject Matter Expert | Technical briefings, fact verification (CISO for cyber, EHS for safety, etc.) | [Varies by crisis] | [Varies] |
| Executive Sponsor | Final approval authority, board liaison, regulatory engagement | [CEO / COO] | [Designated alt] |
1.2 Stakeholder Mapping and Communication Channels
Different stakeholders need different information, at different times, through different channels. Map every stakeholder group before a crisis occurs.
| Stakeholder | Key Concerns | Primary Channel | Backup Channel | Timing |
| Employees | Safety, job impact, what to do, what to say externally | Mass notification + intranet | Personal mobile (text), managers | First (within 30 min) |
| Board / Exec | Scope, financial impact, legal exposure, response actions | Secure conference call | Encrypted messaging | Within 1 hour |
| Customers | Service impact, data safety, recovery timeline, what to do | Email + website banner | Customer success team | Within 2-4 hours |
| Regulators | Compliance obligations, incident details, remediation plan | Formal notification (portal/letter) | Phone to designated contact | Per regulatory timeline |
| Investors / Analysts | Material impact, financial exposure, governance response | 8-K filing + IR statement | Analyst call | Item 1.05 8-K within four business days of the materiality determination (not of discovery) |
| Media | Facts, accountability, human impact, what’s being done | Press release + spokesperson | Media hotline | Within 2-4 hours |
| Partners / Vendors | Operational impact, shared risk, mutual obligations | Direct contact (email/call) | Account manager | Within 4-8 hours |
| General Public | Safety, transparency, corporate responsibility | Website + social media | Press conference | Within 4-8 hours |
Critical principle: Communicate to employees first. In a hyper-connected world, every employee is an unofficial spokesperson. If employees learn about a crisis from media or social media before internal communication, trust is immediately damaged and message control is lost.
1.3 Escalation Matrix
Define who escalates to whom, at what severity level, and within what timeframe.
| Severity | Criteria | Communication Actions | Timeline | Approval |
| Level 1: Low | Localised issue, no customer/public impact, contained within one team | Internal notification only; department head informed; monitor for escalation | Within 1 hour | Dept. Head |
| Level 2: Medium | Multiple teams affected, potential customer impact, media inquiry possible | Crisis comm team activated; holding statement prepared; customer FAQ drafted; media monitoring initiated | Within 2 hours | Comm Lead + Legal |
| Level 3: High | Organisation-wide impact, confirmed customer/data impact, media attention, regulatory notification likely | Full crisis team activated; spokesperson designated; all stakeholder channels activated; legal reviews SEC/regulatory obligations | Within 30 min | CEO + Legal |
| Level 4: Critical | Existential threat, major safety/financial/legal impact, national media, regulatory investigation | Board notified; external crisis PR firm engaged; legal counsel for SEC disclosure; all channels active; CEO as spokesperson | Immediate | Board + CEO |
1.4 Out-of-Band Communication Channels
Your crisis communication plan must work when your normal communication systems are down, and when they are untrustworthy. During a cyberattack, email, intranet, VoIP, and collaboration tools may be unavailable, and if the attacker still has access to them, anything coordinated there (what you know, what you plan to do, when you intend to contain) is readable by the adversary. Move incident coordination out of band as soon as compromise of those systems is suspected, not only when they fail.
- Mass notification system: SMS and voice-based system that operates independently of corporate IT (e.g., Everbridge, AlertMedia, OnSolve).
- Personal mobile cascade: Pre-populated contact list of all crisis team members’ personal mobile numbers, updated quarterly.
- Encrypted messaging: Pre-configured secure messaging channel (e.g., a Signal group) for crisis team coordination when corporate systems are down or suspected compromised. Use devices that are not domain-joined, verify members' safety numbers in advance, and agree disappearing-message settings with legal, since incident communications may need to be preserved.
- External email: Pre-configured external email distribution list (e.g., a Gmail group) as a backup when corporate email is unavailable. Protect it with multi-factor authentication and keep it to coordination rather than sensitive incident detail; consumer mail sits outside corporate retention, legal-hold, and privilege controls.
- Physical assembly: Designated physical rally point for crisis team if all electronic communication fails.
Test requirement: Test every out-of-band channel at least quarterly. A channel you have not tested is a channel that will not work.
1.5 Pre-Drafted Holding Statements
A holding statement is your initial public communication, issued within 30-60 minutes of a crisis becoming known. It acknowledges the situation, demonstrates control, and buys time for a detailed response. Pre-draft holding statements for each crisis type so they can be deployed in minutes, not hours.
Below are six pre-drafted holding statements covering the most common crisis scenarios. Each follows the four-part AECA structure used throughout Phase 2: acknowledge, empathise, commit, and show accountability.
Holding Statement 1: Cybersecurity Incident
[Organisation Name] is aware of a cybersecurity incident affecting [general description of systems/services]. We are actively investigating with the support of external cybersecurity experts and law enforcement. Our priority is to protect the security of our systems and the data entrusted to us by our customers, employees, and partners. We are working to understand the scope of this incident and will provide updates as our investigation progresses. If you have concerns about your personal data, please contact [phone number / email].
Holding Statement 2: Product Safety / Recall
[Organisation Name] has identified a potential [safety concern / quality issue] with [product name / batch range]. Out of an abundance of caution, we are [initiating a voluntary recall / advising customers to discontinue use / issuing updated usage guidance]. Customer safety is our absolute priority. We are working with [regulatory body, e.g., CPSC, FDA] and will provide detailed instructions for affected customers at [website / phone number].
Holding Statement 3: Workplace Safety Incident
[Organisation Name] can confirm that a [safety incident / workplace incident] occurred at our [location] facility on [date]. Emergency services responded immediately. We are supporting affected employees and their families and cooperating fully with [relevant authorities, e.g., OSHA, local law enforcement]. Our immediate focus is on the wellbeing of our people. We will provide further information as it becomes available.
Holding Statement 4: Supply Chain / Service Disruption
[Organisation Name] is experiencing a disruption to [specific service / product delivery / operations] due to [general cause, e.g., a third-party provider issue, logistics disruption]. We understand the impact this has on our customers and are actively working to restore normal operations. Our team is implementing contingency plans and we expect to provide a detailed update by [timeframe]. For immediate assistance, please contact [customer service channel].
Holding Statement 5: Data Breach / Privacy Incident
[Organisation Name] has become aware of an incident that may have involved unauthorised access to personal data. We take the privacy and security of personal information extremely seriously. We have engaged external forensic experts and notified relevant authorities. We will directly notify affected individuals as our investigation determines the scope of the incident and, where appropriate, will provide [credit monitoring / identity protection] services. For questions, please contact [dedicated phone line / email].
Holding Statement 6: Financial / Regulatory Crisis
[Organisation Name] is aware of [the regulatory inquiry / the financial matter / the allegations] and is taking this matter seriously. We are cooperating fully with [regulatory body / authorities] and have engaged external advisors to conduct a thorough review. We are committed to maintaining the highest standards of [corporate governance / financial integrity / regulatory compliance] and will provide updates as appropriate. Our operations continue normally.
Usage note: These are starting templates. Customise each to your organisation’s voice, industry, and regulatory context. Legal must review all holding statements before they are finalised in your plan. During a crisis, the pre-approved template should be deployable with only factual details filled in (date, location, contact information), not requiring a full legal review from scratch.
Phase 2: During the Disruption (Response)
When a crisis is confirmed, the crisis communication plan shifts from preparation to execution. The first 60 minutes determine whether you control the narrative or the narrative controls you.
2.1 First 60 Minutes: The Golden Hour Protocol
- Minute 0-10: Verify and assess. Confirm the crisis is real. Determine initial severity level. Activate the crisis communication team via the escalation matrix.
- Minute 10-20: Assemble and brief. Crisis communication team convenes (in person or via pre-designated channel). Initial facts gathered. Severity level confirmed or adjusted.
- Minute 20-30: Deploy holding statement. Select the appropriate pre-drafted holding statement. Fill in factual details. Legal reviews for 5 minutes (not 5 hours). Deploy to employees first, then external stakeholders as severity dictates.
- Minute 30-45: Activate channels. Internal: mass notification to all employees. External: website banner, social media acknowledgement, customer service talking points distributed. Spokesperson identified and media holding line activated.
- Minute 45-60: Regulatory checkpoint. Legal confirms regulatory notification obligations (SEC 8-K timeline, state breach notification, sector-specific reporting). Begin the materiality assessment for SEC-reporting companies. Record the time of discovery now and, later, the time of the materiality determination: the four-business-day 8-K clock runs from the latter, and the gap between the two must be defensible as 'without unreasonable delay'. Document all communication decisions for regulatory defence.
2.2 Ongoing Communication Cadence
After the initial holding statement, establish a regular communication cadence:
| Timeframe | Action | Audience | Content |
| Every 2-4 hours | Situation update | Employees, crisis team, board | Updated facts, actions taken, next steps, what employees should/should not do |
| Every 4-8 hours | External update | Customers, media, public | Progress on resolution, revised timelines, where to get help |
| Daily | Executive briefing | Board, C-suite, IR | Financial impact assessment, legal/regulatory status, media coverage analysis, forward plan |
| As required | Regulatory notifications | SEC, state regulators, law enforcement | Per regulatory requirements (see the SEC Disclosure and Regulatory Notification Considerations section below) |
| As required | Media briefings | Press | On-the-record statements, press conference if warranted |
2.3 Message Development Framework
Every crisis communication should follow the AECA structure:
- Acknowledge: State what happened in clear, factual language. Do not speculate or assign blame.
- Empathise: Demonstrate genuine concern for those affected. Avoid corporate jargon.
- Commit: State what you are doing right now and what you will do next. Be specific about actions and timelines.
- Accountability: Identify who is responsible for resolution and how you will keep stakeholders informed.
What not to say: Avoid ‘no comment’ (it implies guilt), premature blame attribution, guarantees you cannot keep (‘this will never happen again’), or minimising language (‘a minor incident’) that may be contradicted by facts later.
2.4 Media Management Protocol
Media engagement during a crisis requires discipline and preparation.
- Single spokesperson: Designate one primary spokesperson (typically the CEO for Level 3-4 crises, the communications lead for Level 2). All media inquiries route through one contact point.
- Bridging technique: Train spokespeople to bridge from hostile or speculative questions back to key messages: ‘What I can tell you is…’ and ‘Our focus right now is…’
- Media monitoring: Assign a team member to monitor traditional media, social media, and online forums in real time. Flag misinformation immediately for corrective response.
- Press conference triggers: Hold a press conference only when the crisis is Level 3-4 with sustained national media interest, when misinformation is widespread, or when a proactive show of leadership is strategically valuable.
- Social media protocol: Acknowledge on social platforms within 60 minutes. Direct users to official channels. Do not engage with hostile or trolling accounts. Correct verifiable misinformation with factual responses.
2.5 Internal Communication During Crisis
Employees are your first audience and your most important.
- Manager talking points: Provide line managers with a bullet-point brief they can use in team conversations. Managers should not freelance messaging.
- Employee FAQ: Draft and distribute an FAQ covering: what happened, are employees/data safe, what should employees do, what should employees say if asked by media/customers/friends, and where to get updates.
- No-external-comment directive: Remind employees that all external communication (including social media posts about the incident) must go through the designated spokesperson. This is a standard media policy, not a gag order.
- Wellbeing support: For crises involving safety, violence, or significant stress, activate Employee Assistance Programme resources and communicate their availability.
SEC Disclosure and Regulatory Notification Considerations
For public companies, crisis communication intersects directly with securities regulation. Getting this wrong can turn a crisis into an enforcement action.
SEC Form 8-K Item 1.05: Cybersecurity Incident Disclosure
Under the SEC's cybersecurity disclosure rules (adopted July 2023; Item 1.05 compliance required from 18 December 2023 for most registrants and from 15 June 2024 for smaller reporting companies), public companies must:
- Determine materiality without unreasonable delay: Once a cybersecurity incident is discovered, the company must assess whether it is material. There is no prescribed timeframe for the materiality determination itself, but it must be conducted ‘without unreasonable delay’ after discovery.
- File Form 8-K within four business days: Once the materiality determination is made, the company must file an Item 1.05 Form 8-K within four business days, describing the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the company, including its financial condition and results of operations.
- Avoid premature Item 1.05 filings: Per SEC Corp Fin Director Erik Gerding’s May 2024 guidance, do not file under Item 1.05 if materiality has not yet been determined. If you wish to disclose a not-yet-determined or immaterial incident, use Item 8.01 instead.
- File amendments as needed: If information required by Item 1.05 is not determined or is unavailable at the time of the initial filing, say so in the 8-K and file an amendment within four business days after that information is determined or becomes available.
- Do not expect an investigation to pause the clock: The only delay the rule permits is one requested through the FBI and granted in writing by the US Attorney General on national-security or public-safety grounds (up to 30 days, extendable in limited circumstances). 'Our investigation is ongoing' or 'law enforcement asked us to hold' is not, on its own, a basis to miss the four-business-day deadline.
- Do not disclose technical details that impede remediation: The rule explicitly does not require disclosure of specific technical information about your planned response or system vulnerabilities.
Materiality Assessment Framework for SEC Disclosure
The materiality standard is whether there is a substantial likelihood that a reasonable shareholder would consider the information important. Consider both quantitative and qualitative factors:
| Quantitative Factors | Qualitative Factors |
| Direct financial loss (ransom, remediation, legal costs) | Customer trust and relationship impact |
| Revenue impact (system downtime, lost sales) | Reputational damage and brand equity erosion |
| Regulatory fines and penalties | Likelihood of litigation (class action, derivative suits) |
| Insurance claim impact and premium increases | Regulatory relationship and examination consequences |
| Contractual penalties and SLA credits | Competitive positioning and market perception |
| Remediation and technology replacement costs | Management distraction and operational disruption |
Documentation: Document every step of the materiality assessment: who participated, what data was considered, what assumptions were made, and the rationale for the determination. This documentation is your regulatory defence if the SEC later questions the timing or adequacy of your disclosure.
Annual Disclosure: Reg S-K Item 106
Beyond incident disclosure, the SEC’s rules add Regulation S-K Item 106, requiring annual disclosure in your 10-K of processes for assessing, identifying, and managing material cybersecurity risks, including the board’s oversight role, management’s role, and whether risks from cybersecurity threats have materially affected or are reasonably likely to affect the company.
State Breach Notification Laws
All 50 US states, the District of Columbia, and US territories have breach notification laws requiring notification to affected individuals when personal information is compromised. Key variables:
- Notification timeline: Ranges from 30 days after discovery (e.g., Colorado, Florida, Washington) to 45 or 60 days (e.g., Maryland, Delaware, Texas) to 'the most expedient time possible and without unreasonable delay' (the majority of states). Check what starts the clock in each state (discovery versus determination that a breach occurred). Many states also require notice to the attorney general or another agency above a resident-count threshold; New York, for example, requires notice to the attorney general, the Department of State, and the State Police.
- Definition of personal information: Varies by state but typically includes Social Security numbers, financial account numbers, driver’s licence numbers, and increasingly biometric data and health information.
- Notification content: Most states require the notification to describe the incident, the types of information compromised, steps the company is taking, and what affected individuals can do to protect themselves.
Sector-Specific Regulatory Notifications
| Sector / Regulator | Notification Requirement | Timeline | Key Consideration |
| Banking (OCC/FDIC/Fed) | Notify the primary federal regulator of a 'notification incident' (Computer-Security Incident Notification Rule, 2022) | As soon as possible and no later than 36 hours after the bank determines a notification incident has occurred | Bank service providers must notify affected bank customers of incidents that disrupt covered services for four or more hours |
| Healthcare (HHS/OCR) | HIPAA Breach Notification Rule for unsecured protected health information | Individuals: without unreasonable delay and no later than 60 calendar days after discovery; HHS: same window if 500+ individuals are affected, otherwise an annual log within 60 days of year end | Notice to prominent media outlets is required when 500+ residents of a state or jurisdiction are affected |
| Critical Infrastructure (CISA) | CIRCIA reporting for covered entities in critical infrastructure sectors | 72 hours after reasonably believing a covered incident occurred; 24 hours after a ransom payment | Obligations begin only when the final rule takes effect (proposed rule published April 2024); voluntary reporting to CISA is available now |
| Defense (DoD contractors) | DFARS 252.204-7012 cyber incident reporting | 72 hours from discovery, via the DIBNet portal (requires a DoD-approved medium assurance certificate) | Preserve images of affected systems and monitoring data for at least 90 days; submit isolated malicious software to DC3 |
| Energy (NERC) | CIP-008 Cyber Security Incident reporting for BES Cyber Systems | 1 hour after determining a Reportable Cyber Security Incident; end of the next calendar day for attempts to compromise | Initial notification goes to both E-ISAC and CISA; the clock starts at determination, not when the activity began |
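As an added example (not from the article or any vendor's tooling), the clock below turns the two timestamps that matter, discovery and the materiality determination, into due dates for several of the regimes in the table above, and gives the Golden Hour regulatory checkpoint (Section 2.1) something concrete to record against. The regime labels, the empty default holiday set, and the end-of-day simplification for the SEC deadline are assumptions made for the example; confirm every deadline with counsel.

```python
"""Regulatory notification clock: turn an incident's key timestamps into due dates.

Added example, not from the article. Holidays are an assumption the caller must
supply (which ones count depends on the regulator), and the SEC deadline is
simplified to the end of the due date; EDGAR has its own filing-hours cutoff.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Deadline:
    regime: str
    clock_start: str          # which event started the clock
    due: Optional[datetime]   # None if that event has not happened yet
    note: str


def add_business_days(start: date, days: int,
                      holidays: FrozenSet[date] = frozenset()) -> date:
    """Advance `start` by `days` business days (Mon-Fri, skipping `holidays`).

    The start day itself never counts: a determination made on a Thursday
    gives Fri, Mon, Tue, Wed as business days 1-4.
    """
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def _end_of_day(d: date, tz) -> datetime:
    # Simplification: deadline = end of the due date in the caller's timezone.
    return datetime.combine(d, time(23, 59, 59), tzinfo=tz)


def notification_deadlines(
    discovered_at: datetime,
    material_determined_at: Optional[datetime] = None,
    notification_incident_determined_at: Optional[datetime] = None,
    holidays: FrozenSet[date] = frozenset(),
) -> Dict[str, Deadline]:
    """Compute due dates for the regimes named in the table. Timestamps must be tz-aware."""
    if discovered_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps")
    tz = discovered_at.tzinfo
    out: Dict[str, Deadline] = {}

    # SEC Item 1.05: four BUSINESS days counted from the materiality
    # determination, not from discovery. No determination, no clock.
    if material_determined_at is None:
        sec_due, sec_note = None, ("clock not started; determination still owed "
                                   "'without unreasonable delay' after discovery")
    else:
        sec_due = _end_of_day(add_business_days(material_determined_at.date(), 4, holidays), tz)
        sec_note = "file Item 1.05 8-K; use Item 8.01 if immaterial or undetermined"
    out["SEC Form 8-K Item 1.05"] = Deadline(
        "SEC Form 8-K Item 1.05", "materiality determination", sec_due, sec_note)

    # Hour-based regimes use calendar hours: a Friday-night discovery is due
    # over the weekend, with no business-day relief.
    out["DFARS 252.204-7012"] = Deadline(
        "DFARS 252.204-7012", "discovery", discovered_at + timedelta(hours=72),
        "report via DIBNet; preserve images for 90 days")
    bank_start = notification_incident_determined_at or discovered_at
    out["Banking computer-security incident rule"] = Deadline(
        "Banking computer-security incident rule",
        "notification-incident determination" if notification_incident_determined_at else
        "discovery (conservative stand-in for the determination)",
        bank_start + timedelta(hours=36), "notify primary federal regulator")

    # HIPAA: 60 calendar days from discovery is the outer limit, not a target.
    out["HIPAA breach notification"] = Deadline(
        "HIPAA breach notification", "discovery", discovered_at + timedelta(days=60),
        "individuals without unreasonable delay; HHS in the same window if 500+ affected")
    return out


def overdue(deadlines: Dict[str, Deadline], now: datetime) -> List[str]:
    """Names of regimes whose clock has started and whose due time has passed."""
    return sorted(name for name, d in deadlines.items()
                  if d.due is not None and now > d.due)


if __name__ == "__main__":
    # Constructed sample: discovered Tue 15 Oct 2024 09:00 UTC,
    # determined material Thu 17 Oct 2024 16:00 UTC.
    discovered = datetime(2024, 10, 15, 9, 0, tzinfo=timezone.utc)
    determined = datetime(2024, 10, 17, 16, 0, tzinfo=timezone.utc)
    for d in notification_deadlines(discovered, determined).values():
        print(f"{d.regime:40} from {d.clock_start:50} due {d.due}  ({d.note})")
```

The useful output is the contrast between clocks: with those sample timestamps the bank and DFARS windows close before the SEC materiality determination has even been made, while the 8-K is not due until the following Wednesday. Wire `overdue()` into the Golden Hour checklist so the regulatory checkpoint reports which windows are already closing rather than relying on memory.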
Phase 3: After the Disruption (Recovery and Learning)
Crisis communication does not end when the operational crisis is resolved. The recovery phase rebuilds trust, captures lessons, and strengthens the plan for next time.
3.1 Resolution Communication
When the crisis is resolved, communicate the resolution to every stakeholder group that received crisis communications. The resolution message should include:
- Confirmation of resolution: Clear statement that the crisis is over and normal operations have resumed.
- Summary of what happened: Factual, concise description of the event, its cause (if known), and its impact.
- Actions taken: What the organisation did to resolve the crisis and mitigate harm.
- Preventive measures: What structural changes, controls, or investments are being made to prevent recurrence. This is critical for rebuilding trust.
- Ongoing support: Any continuing support for affected stakeholders (credit monitoring, product replacement, customer service priority).
- Gratitude: Thank stakeholders for their patience, support, or cooperation during the crisis.
3.2 After-Action Communication Review
Within 10 business days of crisis resolution, conduct a dedicated communication after-action review (separate from the operational after-action review):
- Timeline reconstruction: Map every communication sent, when, to whom, through what channel, and who approved it. Identify delays and their causes.
- Message effectiveness: Did stakeholders understand the messaging? Was misinformation corrected in time? Did any communication create confusion or new problems?
- Channel performance: Which channels worked? Which failed? Did out-of-band channels activate successfully?
- Regulatory compliance: Were all notification obligations met within required timelines? Is the documentation sufficient to demonstrate compliance?
- Media analysis: How did media cover the crisis? Was coverage fair and accurate? Did the organisation’s messaging shape the narrative?
- Stakeholder feedback: Survey key stakeholders (employees, customers, partners) on communication quality, timeliness, and trust impact.
3.3 Trust Rebuilding Strategy
Trust is rebuilt through consistent actions after the crisis, not through words during it.
- Transparency reports: Publish a post-incident transparency report (appropriate to your industry and regulatory context) detailing what happened, what you learned, and what you changed.
- Ongoing updates: Provide periodic updates on the implementation of preventive measures. Do not go silent after the resolution announcement.
- Third-party validation: Where appropriate, engage independent auditors or assessors to verify that remediation measures are effective and publish the results.
- Stakeholder engagement: Meet with key customers, partners, and regulators to discuss the incident and your response. Personal engagement accelerates trust recovery.
3.4 Plan Update and Exercise
Every crisis produces lessons that should feed directly back into your crisis communication plan:
- Update holding statements based on what worked and what did not
- Revise the escalation matrix based on actual decision-making during the crisis
- Update stakeholder contact lists and channel preferences
- Strengthen out-of-band channels that underperformed
- Incorporate new regulatory requirements or guidance issued during or after the crisis
- Schedule a tabletop exercise within 90 days to test the updated plan
10 Common Mistakes in Crisis Communication
- Communicating externally before informing employees. Employees who learn about a crisis from the news or social media lose trust immediately. Always communicate internally first.
- Waiting for perfect information before saying anything. In a crisis, speed beats precision. A holding statement deployed in 30 minutes is more valuable than a perfect statement deployed in 6 hours. Fill the information vacuum before someone else fills it with speculation.
- Using ‘no comment’. ‘No comment’ implies guilt or indifference. Instead use: ‘We are actively investigating and will provide updates as we learn more.’
- Inconsistent messaging across channels. When the press release says one thing, the CEO says another, and customer service says something else, credibility collapses. All messaging must derive from a single approved message framework.
- Ignoring social media. Social media is where the narrative forms in the first minutes. If you are not monitoring and responding on social platforms, you are ceding the narrative to speculation and misinformation.
- No legal review of initial communications. In the rush to communicate quickly, teams skip legal review. The first statement sets the legal and regulatory tone for everything that follows. Build a 5-minute legal checkpoint into your Golden Hour protocol, not a 5-hour review cycle.
- Overpromising during the crisis. Statements like ‘this will never happen again’ or ‘no data was compromised’ may be contradicted by later facts and create additional legal exposure.
- No post-crisis communication. Going silent after the crisis suggests the organisation has something to hide. Proactive post-crisis updates rebuild trust faster than silence.
- Treating all crises the same. A cyber incident requires different messaging, channels, and regulatory considerations than a product recall or a workplace safety event. Your plan should have scenario-specific playbooks.
- Never testing the plan. A crisis communication plan that has never been exercised will fail when it matters most. Include communication testing in your quarterly business continuity exercises.
Crisis Communication Plan Readiness Checklist
- Crisis communication team identified with primary and backup contacts for every role
- Stakeholder map completed with communication channels, timing, and key concerns for each group
- Escalation matrix defined with severity levels, criteria, communication actions, and approval authority
- Pre-drafted holding statements prepared for at least six crisis types (cyber, safety, recall, supply chain, privacy, regulatory)
- All holding statements reviewed and pre-approved by legal counsel
- Out-of-band communication channels established and tested (mass notification, encrypted messaging, personal mobile cascade)
- Spokesperson(s) designated and media-trained within the past 12 months
- Employee FAQ template prepared with customisable fields
- Manager talking points template prepared for cascading internal communications
- SEC 8-K Item 1.05 materiality assessment process documented with decision authority and legal review
- State breach notification requirements mapped for all applicable jurisdictions
- Sector-specific regulatory notification requirements identified with timelines and contacts
- Social media monitoring and response protocol established
- Media hotline or media inquiry routing process established
- Communication approval workflow documented with maximum turnaround times at each step
- Post-crisis communication templates prepared (resolution message, transparency report, stakeholder follow-up)
- After-action communication review process defined
- Crisis communication plan exercised (tabletop) within the past 12 months
- Plan reviewed and updated within the past 6 months or after any actual crisis event
- Board reporting on crisis communication readiness included in annual governance reporting
Frequently Asked Questions
What is a crisis communication plan?
A crisis communication plan is a documented framework that defines how an organisation communicates with internal and external stakeholders before, during, and after a disruptive event. It includes pre-drafted messaging templates, stakeholder maps, escalation matrices, communication channels, approval workflows, and regulatory notification procedures. It sits within your broader business continuity management system and crisis management plan.
How quickly should we issue an initial statement during a crisis?
Best practice is to issue a holding statement within 30 to 60 minutes of a crisis becoming known. The holding statement does not need to contain all the facts. It acknowledges the situation, demonstrates that the organisation is taking action, and commits to providing updates. Delaying beyond 60 minutes creates an information vacuum that will be filled by speculation, social media, and media inquiries.
What are the SEC disclosure requirements for cybersecurity incidents?
Public companies must file a Form 8-K under Item 1.05 within four business days of determining that a cybersecurity incident is material. The filing must describe the incident's nature, scope, timing, and material or reasonably likely material impact. The materiality determination must be made 'without unreasonable delay' after discovery. Do not file under Item 1.05 until materiality is determined; use Item 8.01 for voluntary disclosure of not-yet-determined or immaterial incidents. Additionally, Regulation S-K Item 106 requires annual disclosure in Form 10-K of cybersecurity risk management processes and governance.
Who should be the spokesperson during a crisis?
For Level 3 and Level 4 crises (organisation-wide or existential impact), the CEO or a designated senior executive should serve as the primary spokesperson. For Level 2 crises, the communications lead or a relevant senior manager is appropriate. The spokesperson must be media-trained, able to stay on message under pressure, and authorised to speak on behalf of the organisation. Always have a designated backup in case the primary spokesperson is unavailable.
How do we handle misinformation during a crisis?
Monitor social media, traditional media, and online forums in real time. When you identify misinformation, respond with factual corrections through official channels. Do not engage with trolls or hostile actors directly. Post factual updates on your official website and social media accounts. If misinformation is widespread, consider a dedicated fact-check page on your website. Speed is critical because misinformation compounds the longer it goes uncorrected.
How often should we test our crisis communication plan?
Test your crisis communication plan at least twice a year: once through a tabletop exercise focused specifically on communication (not just operational recovery), and once through a functional exercise that tests actual channel activation (mass notification deployment, spokesperson media simulation, social media response). Additionally, test out-of-band channels quarterly and update the plan after every actual crisis event or significant organisational change.
About the Author
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master's (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.

