# TOP Mission TID-D03: Crisis Communication Planning
Developing crisis communication plans for security incidents that coordinate messaging across internal and external stakeholders.
Crisis communication planning is the structured process of preparing an organization to coordinate accurate, timely, and consistent messaging during and after a security incident. It exists because security events do not stay contained within IT systems: they spill into boardrooms, customer relationships, regulatory filings, and press cycles. Without a pre-built communication framework, organizations improvise under pressure, producing contradictory statements, delayed disclosures, and damaged trust that compounds the original harm. This mission defines who speaks, what they say, when they say it, and through which channels, for every significant incident category the organization is likely to face. When executed well, crisis communication planning converts a chaotic response into a controlled narrative, protecting both operational continuity and institutional credibility.
---
Crisis communication planning, in the context of cybersecurity operations, is the documented, rehearsed, and role-assigned process for managing information flow during a security incident. It covers internal communication (executive leadership, legal, HR, operations, and technical teams), external communication (customers, partners, regulators, and media), and post-incident communication (lessons learned, remediation status, and compliance reporting).
This mission is distinct from incident response planning, which governs the technical actions taken to contain, eradicate, and recover from an incident. Crisis communication planning governs the human and organizational messaging layer that runs in parallel. It is not public relations strategy, though it intersects with it. It is not a legal hold notice procedure, though legal counsel must be integrated into it. It is not a business continuity plan, though communication milestones must align with BCP activation triggers.
The scope encompasses several critical subtypes. Breach notification planning covers legally mandated disclosure timelines and content requirements under frameworks such as GDPR, HIPAA, CCPA, and state breach notification laws. Stakeholder communication planning addresses internal audiences who need situational awareness to make operational decisions. Executive communication planning prepares leadership to speak accurately without compromising the investigation. Media and public communication planning provides approved messaging for external audiences, including holding statements, FAQs, and press briefings. Regulatory communication planning ensures that reports submitted to oversight bodies are accurate, complete, and submitted on time.
Crisis communication planning exists because silence during an incident is not neutral. When organizations fail to communicate proactively, stakeholders fill the information void with speculation, assumptions, and worst-case interpretations. This speculation often proves more damaging than the facts would have been if communicated directly and promptly.
---
Crisis communication planning follows a structured build-test-refine cycle that begins long before any incident occurs and produces standing artifacts that teams can activate immediately when an incident is declared. The process requires coordination across legal, technical, operational, and executive functions.
## Stakeholder Mapping and Communication Matrix
The foundation of effective crisis communication is identifying every audience that will need information during an incident and establishing clear ownership for each relationship. This produces a stakeholder communication matrix with defined columns: audience type, information requirements, communication owner, approved channels, timing triggers, legal review requirements, and escalation pathways.
For a healthcare organization, this matrix might include: board members (requiring high-level impact summaries and regulatory exposure assessments), clinical staff (needing operational status updates and patient care guidance), patients and families (requiring clear explanations of data exposure and protective actions), business associates and vendors (needing contractual notification per HIPAA requirements), HHS Office for Civil Rights (requiring formal breach notifications), state attorneys general (for state-specific notification requirements), and potentially affected individuals (requiring detailed breach notifications with specific content requirements).
Each stakeholder relationship has a primary owner and designated backup. The CISO typically owns technical stakeholder communication. General Counsel owns regulatory notifications and external legal disclosures. The CEO or designated executive owns board and investor communication. Customer success or account management owns client communication, working from legal-approved templates. Marketing or communications staff handle media inquiries using pre-approved holding statements.
## Message Template Development and Pre-Authorization
Effective crisis communication depends on pre-drafted message templates that legal counsel has already reviewed and approved in framework form. Templates are not scripts but structured frameworks with clearly marked placeholder fields for incident-specific information. This approach reduces the time from incident declaration to first stakeholder notification from hours to minutes.
A customer breach notification template includes: factual description of the incident (field left blank for technical team input), data types potentially affected (field populated based on system classification), timeline of discovery and containment actions (framework language with specific dates to be added), steps the organization is taking (pre-written based on standard response procedures), recommended actions for recipients (pre-written and legally reviewed), and contact information for questions (pre-populated).
Internal communication templates follow similar structures but focus on operational decision-making rather than compliance obligations. An executive briefing template includes: incident classification and severity level, affected systems and data, current containment status, regulatory notification obligations triggered, customer communication timeline, and resource requirements for sustained response.
The key to template effectiveness is legal pre-authorization. Templates undergo legal review during the planning phase, not during an active incident. Legal counsel reviews template language for accuracy, compliance with notification requirements, privilege protection, and litigation risk management. This front-loaded legal review enables rapid deployment during incidents while maintaining legal safeguards.
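A minimal way to make the template discipline above enforceable is to treat the legally approved framework text as an artifact with marked fields, and to refuse to produce a notice when a field is still blank or when someone has edited the approved wording. The following is an added example, not CDA's tooling; the field names, the framework wording and the use of a SHA-256 digest to pin the approved text are assumptions for illustration.

```python
"""Pre-approved notification template with marked placeholder fields.
Added example, not CDA's own tooling. Field names and framework text are assumed."""
import hashlib
import re
from typing import Dict, List

# Placeholders look like {{field_name}}; everything else is approved framework text.
PLACEHOLDER = re.compile(r"\{\{([a-z_]+)\}\}")

# Assumed framework language standing in for what counsel actually signed off on.
CUSTOMER_NOTIFICATION = """\
Notice of Data Security Incident

What happened: {{incident_description}}
Information involved: {{data_types}}
When: We identified the activity on {{discovery_date}} and contained it on {{containment_date}}.
What we are doing: We have engaged outside forensic specialists, reset affected credentials \
and notified law enforcement where appropriate.
What you can do: Monitor your account statements and review the protective steps at {{help_url}}.
Questions: Contact {{contact_email}} or {{contact_phone}}.
"""


def approved_digest(template: str) -> str:
    """Fingerprint of the legally approved framework text, placeholders included."""
    return hashlib.sha256(template.encode("utf-8")).hexdigest()


# Recorded at approval time; in practice stored alongside the legal sign-off.
APPROVED_DIGEST = approved_digest(CUSTOMER_NOTIFICATION)


def missing_fields(template: str, values: Dict[str, str]) -> List[str]:
    """Placeholders that are absent from `values` or left blank, in order of appearance."""
    missing: List[str] = []
    for name in PLACEHOLDER.findall(template):
        if name not in missing and not values.get(name, "").strip():
            missing.append(name)
    return missing


def render(template: str, values: Dict[str, str],
           expected_digest: str = APPROVED_DIGEST) -> str:
    """Populate the template. Refuses if the approved wording was altered or any
    field is unfilled, so a half-finished or hand-edited notice cannot go out."""
    if approved_digest(template) != expected_digest:
        raise ValueError("template text differs from the legally approved version")
    unfilled = missing_fields(template, values)
    if unfilled:
        raise ValueError("unfilled fields: " + ", ".join(unfilled))
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


if __name__ == "__main__":
    # Constructed incident details for demonstration only.
    sample = {
        "incident_description": "an unauthorized party accessed a member database",
        "data_types": "names, postal addresses and account numbers",
        "discovery_date": "March 15, 2024",
        "containment_date": "March 15, 2024",
        "help_url": "https://example.org/security-notice",
        "contact_email": "privacy@example.org",
        "contact_phone": "+1-555-0100",
    }
    print(render(CUSTOMER_NOTIFICATION, sample))
```

The digest check matters because the value of pre-authorization comes from counsel having reviewed exactly this wording; a well-meaning edit during the incident silently discards that review. Keep the approved digest with the sign-off record and regenerate it whenever counsel re-approves the framework.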
## Communication Triggers and Decision Trees
Plans must specify exactly what events trigger each communication action, removing real-time decision-making about whether to communicate. Triggers typically align with incident severity classification systems. A Severity 1 incident (confirmed unauthorized access to regulated data) automatically triggers: immediate notification to General Counsel and CISO, executive briefing within two hours, customer notification draft for legal review within 24 hours, and regulatory notification preparation within 48 hours. Offsets like these run from incident declaration, but statutory clocks generally start earlier, when the organization becomes aware of the breach (GDPR Article 33, for example, allows 72 hours from that point), so the plan's internal deadlines must be checked against the earliest applicable statutory deadline rather than set in isolation.
Communication decision trees map different incident types to different communication requirements. A ransomware incident with confirmed file encryption but no data exfiltration triggers internal stakeholder notification but may not require customer notification if no personal data was accessed. A phishing incident affecting employee email accounts triggers HR notification and potentially affected employee communication but may not require customer notification unless customer data was accessed through compromised accounts.
These decision trees prevent both over-communication (which can create unnecessary alarm) and under-communication (which can create regulatory violations). They also prevent the analysis paralysis that occurs when teams attempt to make communication decisions under incident pressure without pre-established frameworks.
## Legal Review Integration and Timelines
Every external communication requires legal review, but legal review cannot become a bottleneck that prevents timely notification. Plans must specify maximum legal review timeframes: typically two to four hours for crisis situations. The plan also identifies fallback approval authority when primary legal counsel is unreachable.
Legal review gates are built into communication workflows with specific handoff procedures. The incident commander provides factual findings to the communication owner, the communication owner populates the pre-approved template, legal counsel reviews for accuracy and legal exposure, and the communication owner executes approved messaging through designated channels.
Legal review focuses on several key areas: factual accuracy (ensuring statements align with investigation findings), regulatory compliance (confirming notification content meets legal requirements), privilege protection (ensuring statements do not waive attorney-client privilege), and litigation exposure (avoiding admissions that could create liability in future legal proceedings).
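The trigger list, the decision-tree branches and the legal-review window described in the two sections above can be encoded so that declaring an incident yields the full set of required communications with owners and deadlines, and so that conflicts between the plan's declaration-based offsets and an awareness-based regulatory clock surface immediately. The following is an added example, not CDA's tooling: the severity offsets (2, 24 and 48 hours), the 4-hour maximum review window and the GDPR 72-hour clock are taken from the text, while the audience labels, owner roles, the `Incident` fields and the fallback approver name are assumptions.

```python
"""Communication trigger engine: maps a declared incident to the notifications the
plan requires, with owners, deadlines and legal-review gates.
Added example, not CDA's own tooling; policy values are assumed from the article."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    kind: str                          # "ransomware", "phishing", "database_access"
    severity: int                      # 1 = highest, per the plan's classification
    aware_at: datetime                 # first awareness; statutory clocks start here
    declared_at: datetime              # formal declaration; plan offsets start here
    personal_data_accessed: bool       # confirmed access to personal/regulated data
    employee_accounts_compromised: bool
    eu_data_subjects: bool             # GDPR Art. 33 applies


@dataclass(frozen=True)
class CommAction:
    audience: str
    owner: str
    deadline: datetime
    legal_review: bool                 # must clear counsel before release


# Assumed plan values taken from the article's Severity 1 trigger list.
EXEC_BRIEFING = timedelta(hours=2)
CUSTOMER_DRAFT = timedelta(hours=24)
REGULATORY_PREP = timedelta(hours=48)
LEGAL_REVIEW_MAX = timedelta(hours=4)      # upper end of the 2-4 hour window
GDPR_ART33 = timedelta(hours=72)           # runs from awareness, not declaration

REGULATORY_PREP_LABEL = "Regulatory notification prepared"
GDPR_LABEL = "Supervisory authority (GDPR Art. 33)"


def required_communications(inc: Incident) -> List[CommAction]:
    """Walk the decision tree and return every communication the plan triggers,
    earliest deadline first."""
    t = inc.declared_at
    actions = [
        CommAction("General Counsel and CISO", "Incident Commander", t, False),
        CommAction("Internal stakeholders (operational status)", "CISO", t + EXEC_BRIEFING, False),
    ]
    if inc.severity == 1:
        actions.append(CommAction("Executive briefing", "CISO", t + EXEC_BRIEFING, False))
        actions.append(CommAction(REGULATORY_PREP_LABEL, "General Counsel", t + REGULATORY_PREP, True))
    if inc.employee_accounts_compromised:      # phishing branch: HR and affected staff
        actions.append(CommAction("HR and affected employees", "HR", t + CUSTOMER_DRAFT, True))
    if inc.personal_data_accessed:             # customer branch, whatever the incident kind
        actions.append(CommAction("Customer notification draft to legal", "Customer Success",
                                  t + CUSTOMER_DRAFT, True))
        if inc.eu_data_subjects:
            actions.append(CommAction(GDPR_LABEL, "General Counsel", inc.aware_at + GDPR_ART33, True))
    return sorted(actions, key=lambda a: a.deadline)


def latest_handoff_to_counsel(action: CommAction) -> datetime:
    """Latest moment a populated draft can reach counsel and still clear the review window."""
    return action.deadline - LEGAL_REVIEW_MAX


def regulatory_clock_conflict(actions: List[CommAction]) -> Optional[timedelta]:
    """If the declaration-based preparation deadline plus review would overrun the
    awareness-based GDPR deadline, return the overrun; otherwise None."""
    by_label = {a.audience: a for a in actions}
    prep, reg = by_label.get(REGULATORY_PREP_LABEL), by_label.get(GDPR_LABEL)
    if prep is None or reg is None:
        return None
    ready = prep.deadline + LEGAL_REVIEW_MAX
    return ready - reg.deadline if ready > reg.deadline else None


def approver(primary_counsel_reachable: bool, fallback: str = "Deputy General Counsel") -> str:
    """Fallback approval authority when primary counsel is unreachable (assumed role name)."""
    return "General Counsel" if primary_counsel_reachable else fallback


if __name__ == "__main__":
    # Constructed scenario: suspicious activity first seen 30 h before formal declaration.
    declared = datetime(2024, 3, 15, 18, 0, tzinfo=timezone.utc)
    inc = Incident("INC-0001", "database_access", 1, declared - timedelta(hours=30),
                   declared, True, False, True)
    plan = required_communications(inc)
    for a in plan:
        print(f"{a.deadline:%a %H:%M}  {a.audience:<45} owner={a.owner} legal_review={a.legal_review}")
    print("overrun of GDPR clock:", regulatory_clock_conflict(plan))
```

In the constructed run the organization was aware of the activity 30 hours before declaring the incident, so the 48-hour preparation offset plus a 4-hour review lands 10 hours after the 72-hour Article 33 deadline: the plan's own offsets would cause a late filing even though every step was executed on schedule. That is the kind of conflict the plan should detect at declaration time, not at the filing deadline.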
## Tabletop Exercises and Plan Validation
Crisis communication plans require regular testing through tabletop exercises that simulate realistic incident scenarios. These exercises measure plan completeness, role clarity, and decision-making effectiveness under pressure. A typical tabletop presents an evolving scenario: initial detection of suspicious activity, confirmation of unauthorized access, discovery of data exfiltration, identification of affected records, and regulatory notification deadlines.
During the exercise, participants work through their actual roles using the actual communication plan. The CISO briefs the CEO using the executive briefing template. General Counsel reviews customer notification language for legal compliance. The communications owner drafts holding statements for media inquiries. The exercise reveals gaps in stakeholder identification, unclear role assignments, unrealistic timeline assumptions, and missing template content.
Post-exercise debriefs focus on plan improvement rather than performance evaluation. Common findings include: stakeholder matrix gaps (audiences that need communication but lack assigned owners), template deficiencies (missing content or unclear placeholder fields), trigger confusion (unclear decision criteria for communication activation), and coordination breakdowns (unclear handoff procedures between roles).
## Scenario Example: Financial Services Breach
Consider a regional credit union that discovers on Friday evening that attackers accessed a database containing 35,000 member account records. The institution's crisis communication plan activates automatically upon Severity 1 incident declaration.
Within 30 minutes, the CISO and General Counsel are briefed on initial findings and begin legal hold procedures. Within two hours, the customer notification draft is completed using pre-approved templates and submitted for legal review. By Saturday morning, the National Credit Union Administration receives initial notification as required. By Sunday, affected members receive detailed notification emails with specific information about compromised data types and recommended protective actions.
The controlled communication timeline prevents speculation, meets regulatory obligations, and maintains member trust through transparent, factual disclosure. Because message content was pre-approved and stakeholder relationships were pre-assigned, the institution avoided the communication chaos that typically accompanies breach discovery.
---
The absence of crisis communication planning does not eliminate communication during incidents: it eliminates communication coordination. Employees still answer customer questions. Executives still brief boards. Legal teams still submit regulatory notifications. But without structured planning, these communications happen without coordination, without consistent messaging, and often without accuracy verification.
Uncoordinated incident communication creates several categories of business damage beyond the original security incident. Contradictory statements undermine credibility and suggest organizational confusion. Delayed notifications trigger regulatory penalties and compound legal exposure. Inaccurate initial statements require retractions that amplify negative attention and suggest cover-up attempts. Silent periods during incidents create information voids that stakeholders fill with worst-case assumptions.
The Equifax breach response demonstrates how communication failures can equal or exceed the damage from the underlying security incident. Equifax's initial disclosure provided minimal detail about the scope and timeline of the breach. The company established a dedicated breach notification website that security researchers flagged as potentially fraudulent due to poor security implementation. Customer service representatives provided contradictory information about account impacts and available remediation services. These communication failures became central themes in congressional testimony, regulatory enforcement actions, and media coverage, extending the damage period well beyond the technical incident resolution.
Regulatory enforcement consistently treats communication failures as aggravating factors in penalty calculations. GDPR enforcement actions frequently cite delayed or inaccurate breach notifications as violations separate from the underlying security failures. HIPAA enforcement treats inadequate breach notification procedures as evidence of broader compliance program deficiencies. Organizations with documented, tested communication plans are better placed during enforcement proceedings because regulators can verify good-faith compliance efforts.
Common misconceptions about crisis communication planning create dangerous gaps in organizational preparedness. Many organizations treat crisis communication as relevant only for consumer-facing businesses with significant public profiles. In practice, B2B organizations face equal or greater communication complexity due to contractual notification obligations, supply chain interdependencies, and partner organization exposure assessments.
Another misconception treats crisis communication planning as primarily reputational management rather than operational necessity. Effective incident response requires coordinated communication to function properly. Internal teams need accurate status information to make resource allocation decisions. Business partners need exposure assessments to determine their own response obligations. Customers need factual information to implement protective measures. Poor communication degrades incident response effectiveness independent of reputational considerations.
A third misconception assumes that communication content should be determined after incident details become clear. Organizations that wait for complete information before beginning communication planning typically miss regulatory deadlines and create communication crises alongside their security incidents. The most effective approach prepares framework messaging in advance and populates specific details as investigation proceeds.
---
CDA treats crisis communication planning as an intelligence-driven function rather than an administrative process. Under the Planetary Defense Model, crisis communication planning resides within the Threat Intelligence Domain (TID) because effective incident communication depends entirely on the quality and timeliness of threat intelligence available to communicators.
Accurate customer notifications require confirmed details about data access and exfiltration. Regulatory submissions require verified scope assessments and timeline documentation. Executive briefings require threat actor attribution and likely next-move analysis. Board presentations require business impact projections and recovery timeline estimates. Each communication type demands specific intelligence products that must be developed during the incident and translated into stakeholder-appropriate language.
CDA's Predictive Defense Intelligence (PDI) methodology, built on "see the threat before it sees you," shapes how CDA develops communication plans for clients. Rather than generic template development, CDA conducts threat scenario modeling to identify likely incident types based on the client's specific risk profile, then builds communication templates optimized for those scenarios.
For a healthcare client facing advanced persistent threat activity from state-sponsored actors, CDA develops communication templates that address long-term data exfiltration scenarios, complex attribution questions, and potential ongoing access concerns. For a professional services client primarily facing ransomware threats, CDA develops templates focused on operational disruption, data encryption impacts, and recovery timeline communication.
CDA also designs intelligence handoff protocols that ensure investigation findings flow to communication owners in actionable format. Technical teams often communicate in language that legal and executive stakeholders cannot directly use for external communication. CDA builds translation checkpoints into communication workflows: incident responders provide factual findings, intelligence analysts translate technical details into business impact language, communication owners populate templates with translated information, and legal counsel reviews final content for accuracy and exposure management.
What distinguishes CDA's approach is treating communication plans as living intelligence products rather than static documents. Communication plans are updated based on threat landscape changes, revised following tabletop exercise findings, and enhanced when new regulatory requirements emerge. This continuous improvement approach ensures communication plans remain relevant as both threat environments and organizational contexts evolve.
CDA also integrates communication planning with broader threat intelligence sharing programs. When clients experience incidents, their communication approaches provide valuable intelligence about adversary behavior, regulatory enforcement trends, and stakeholder response patterns. This intelligence feeds back into communication plan improvements for other clients facing similar threat profiles.
---
Written by CDA Wiki Team