A ransomware attack does not stay contained to the IT department. Within hours, it involves legal, HR, finance, the board, regulators, customers, and the press. Each of those audiences needs different information, at different levels of technical detail, communicated with a consistency and confidence that prevents speculation from filling the silence.
The technical incident response (isolating systems, activating playbooks, engaging forensics) is the part of cyber incident management that the security profession has invested most heavily in preparing. The communications response, the part that determines how the organisation is perceived by every stakeholder who cannot see the inside of the SOC, has historically received far less preparation and far less investment. That asymmetry is a strategic vulnerability, and it is one that cybersecurity leaders are increasingly being held accountable for.
The Communications Gap That Cyber Incidents Expose
Why Technical Competence Alone Does Not Contain the Damage
Most organisations that experience a significant cyber incident emerge from the technical response phase having contained the breach with reasonable effectiveness. The reputational and regulatory damage, however, often exceeds what the technical severity of the incident warranted — not because the response was poor, but because the communications that accompanied it were inconsistent, delayed, or contradicted each other across different stakeholder channels.
This pattern is well-documented in post-incident reviews. A statement released to the press at hour eight contradicts what the CEO told the board at hour four. The customer-facing message on the company website goes live three hours after a security researcher has already posted technical details on social media. The regulatory notification contains language that the legal team and the CISO interpreted differently, creating inconsistencies that regulators later cite as evidence of inadequate governance. None of these failures is a technical failure. They are communications failures, and they are almost entirely preventable with preparation.
The challenge is not that organisations lack communications expertise. Most large organisations have PR and legal functions that understand crisis communications in principle. The challenge is that cybersecurity incidents create a unique combination of pressures — extreme time compression, high technical complexity, regulatory specificity, and the simultaneous need to communicate at multiple levels of abstraction — that general crisis communications frameworks are not designed to handle without prior adaptation to the cyber context.
Video as a Crisis Communications Instrument
The use of video in crisis communications has accelerated significantly as remote working has normalised video as the primary medium for executive communication. During a cyber incident, video serves several functions that text-based communications cannot replicate with the same effectiveness.
The first is authenticity. A video statement from the CEO or CISO, recorded and distributed within the first few hours of a confirmed incident, carries a weight of accountability and presence that a written statement does not. Stakeholders — customers, employees, investors, regulators — form judgements about organisational competence and integrity based on whether leadership is visible and composed, not just whether the words on the page are accurate.
The second function is speed of comprehension. Executive and non-technical audiences absorb complex incident information more efficiently through a structured verbal briefing than through a dense written document. A four-minute video that explains what happened, what is known, what is being done, and when the next update will come is more effective as a board communication tool than a twelve-page written briefing that board members will not finish before the next questions arrive from investors or press.
The third function is training and preparedness. Video-based simulation of crisis communications scenarios — executives rehearsing responses to difficult questions, PR teams practising statement delivery under time pressure, legal teams reviewing briefing accuracy — produces better retention and performance under pressure than written-only preparation. This is one of the reasons that organisations which conduct video-enhanced tabletop exercises consistently outperform those that rely on scenario discussions alone when an actual incident occurs.
For organisations building this capability without specialist broadcast infrastructure, browser-based tools have removed most of the technical barriers to producing professional-quality video content. A video editor like Clideo — which runs entirely in the browser with no software installation — allows communications and security teams to trim, merge, subtitle, and format video briefings quickly, meaning that internal training materials, scenario simulations, and draft external statements can be produced, reviewed, and iterated on in hours rather than days without requiring a dedicated video production resource.
The Regulatory Dimension of Crisis Communications
The communications obligations that attach to a notifiable cyber incident have become increasingly specific and prescriptive. Under GDPR and the UK Data Protection Act 2018, organisations experiencing a personal data breach must notify the ICO within 72 hours of becoming aware of it — a timeline that demands communications decisions be made at a point when the technical picture is still incomplete. Under DORA, which came into full effect for financial entities in January 2025, there are structured reporting obligations that extend to incident classification, escalation timelines, and the documentation of communications made to authorities and affected parties.
Meeting these obligations requires more than good legal advice at the point of incident. It requires communications infrastructure that has been tested, documented, and approved by legal and compliance teams before an incident occurs. Organisations that rely on improvised communications during an active incident consistently take longer to meet regulatory notification deadlines, produce less consistent documentation, and face greater scrutiny in post-incident regulatory reviews than those with pre-approved templates, trained spokespersons, and documented escalation protocols.
Building a Video-Enhanced Crisis Communications Capability
The Four Components That Effective Programmes Share
Organisations that handle cyber incident communications well — those that contain reputational damage while meeting their regulatory obligations — share a recognisable set of capabilities that are built before an incident, not assembled during one.
The first is a library of pre-approved statement templates covering the most probable incident scenarios: ransomware, data breach, service disruption, third-party compromise, and regulatory inquiry. These templates are not intended to be read verbatim. They are designed to give communications leads a pre-cleared starting point that legal and compliance teams have already validated, so that the time from incident confirmation to first communication is measured in minutes rather than hours.
The second is a trained and tested spokesperson function. The CISO, CEO, or designated communications lead should have rehearsed delivering a clear, accurate, and composed briefing under the pressure conditions of a simulated incident. This rehearsal must include video delivery, because the medium creates specific pressures (eye contact, pace, handling of difficult follow-up questions) that written preparation does not address. Video-based tabletop exercises that include communications scenarios produce substantially better spokesperson performance than tabletop exercises focused exclusively on technical response.
The third is an escalation protocol that connects the technical incident timeline to the communications timeline with explicit decision gates. At T+1 hour, a preliminary internal briefing should be ready. At T+4 hours, a customer or stakeholder communication should be evaluated for release. At T+24 hours, a regulatory notification assessment should be complete. These gates must be owned by named individuals who have been briefed on their responsibilities before the incident, not assigned on an ad hoc basis during it.
The fourth is a documented review process that captures communications decisions and outputs throughout an incident for post-incident analysis. This documentation serves both regulatory purposes and organisational learning — identifying where communications decisions were delayed, where messaging inconsistencies emerged, and what preparation gaps the incident exposed. Video recordings of internal briefings, spokesperson rehearsals, and tabletop exercise communications sessions are among the most valuable learning artefacts an organisation can produce, providing concrete evidence of capability development that board members and regulators can review.
The numbered steps for implementing this programme in an organisation without an existing cyber crisis communications structure are as follows:
1. Conduct a communications gap assessment: Map the current state of crisis communications infrastructure against the four components above, identifying which elements exist in draft form, which are absent, and which have been tested under simulated pressure conditions.
2. Develop and legally validate core statement templates: Produce template statements for the top five cyber incident scenarios the organisation's risk assessment identifies as most probable, and obtain sign-off from legal, compliance, and communications leadership before an incident occurs.
3. Integrate communications scenarios into tabletop exercises: Restructure existing cyber tabletop exercises to include communications decision points, require participants to produce draft statements under time pressure, and record spokesperson rehearsals for post-exercise review.
4. Establish a video production workflow for internal briefings: Identify the tools, approval chain, and distribution method for producing executive video briefings within the first four hours of a confirmed incident, and test that workflow during exercise scenarios before relying on it during an actual event.
5. Review and update the programme annually: Cyber incident communications requirements evolve as the regulatory landscape changes, the threat environment shifts, and the organisation's stakeholder base grows; an annual review tied to the incident response programme review cycle ensures the communications capability remains current.