When a cyber incident hits, IT and legal are often the first to get the call—for good reason. IT teams must act swiftly to contain, remediate and investigate the breach, while legal teams must ensure compliance with regulatory and contractual obligations and manage legal exposure.

But a strictly technical or legal lens can narrow your field of vision. Without broader perspective, you risk overlooking the long-term impact on trust and reputation. In the critical early hours of a response, you need someone in the room to ask: “Now that we know what we’re required to do—what else should we do?”

How you manage the technical and procedural aspects of a cyber incident is essential—it’s foundational to restoring operational confidence. But reputation isn’t built on competence alone; it’s a true test of values. In a crisis, stakeholders are paying attention not only to what you do, but how you engage—and whether your actions reflect the commitments you’ve made in steadier times. The impressions formed in these moments of uncertainty can endure far beyond the incident itself.

Think of cyber incident response as a three-legged stool: IT, legal and communications. Without that third leg, your response may be technically compliant—but misaligned and disconnected from the broader reality of stakeholder expectations. That imbalance can compound risk.

Communicating through a cyber crisis is rarely straightforward. There’s significant pressure to provide clarity on the situation, but forensic investigations take time, threat actors cover their tracks and facts change. The difficulty of navigating these considerations—and the potential impact of a misstep—doesn’t mean you should downplay the need to communicate. It means it’s more important than ever to fill that space, especially when the demand for communications is highest.

That complexity isn’t a reason to step back from communication—it’s a signal to step in more thoughtfully. In moments of high uncertainty, demand for transparency rises.

The right communications strategy acknowledges these challenges while ensuring that trust and relationships aren’t casualties of the crisis. Here are three principles to guide your approach:

Be stakeholder-centric: Start with a clear understanding of who your stakeholders are and what they need to hear from you. Reputation is shaped in the details of how you communicate—how you time employee updates, brief partners and how you equip and support customer-facing teams.

Avoid media tunnel vision: The headlines matter, but they’re not the whole story. In most incidents, your long-term reputation is shaped more by internal and stakeholder communications than by a single news cycle. Media relations is just one part—often a small part—of a much broader response.

Think of future conversations: Imagine explaining your decisions months from now to a key stakeholder. They might not be fully satisfied, but will they understand and respect how you handled the situation given the constraints you were facing?

When and How to Communicate

Cyber incidents create uncertainty. If you don’t provide information to your stakeholders, others will do it for you—customers on social media, employees in break rooms, journalists on deadline.

More On Planning For Uncertainty: Meet the Global Executive Advisory

This doesn’t mean sharing everything, with everyone, all at once. It means thoughtfully assessing what your stakeholders likely know or assume, what you know and can responsibly say, and how best to bridge the gap. There’s no perfect answer. Often, it’s a day-by-day judgment call.

Understanding every stakeholder’s perspective and expectations in this level of detail takes work—but it’s work that always pays off. In a crisis, you’ll never regret having spent time preparing your communications strategy.

Some of the key questions to ask:

Clients & Partners: Should high-value relationships get a direct update or a 1:1 call? How are you supporting them through operational disruption?

Customers: Are they worried about incompetence—or their data? How are you addressing concerns, inquiries, and frustration?

Employees: Do they know what they can and can’t say? Are they prepared to respond to external questions or internal uncertainty?

Media & Digital: Should you respond to inquiries, or would that validate speculation? How do you monitor and address unverified rumors before they escalate? What should you do about blogs and anonymous accounts?

Board & Investors: How do you keep key stakeholders informed without escalating concern or overpromising outcomes?

Regulators & Authorities: Beyond mandated disclosures, what messaging aligns with your broader corporate values?

Other Key Audiences: Who else expects to hear from you? Have you considered suppliers, industry associations, or even competitors who might be affected?

More Than a Response—A Reputation Strategy

IT and legal are essential to resolving the technical and regulatory dimensions of a cyber incident. But stakeholders don’t measure your performance by minimum requirements—they measure it by how you made them feel. Ask yourself: are you communicating in a way that reassures and retains trust?

The best responses manage short-term pressures without compromising long-term relationships. Even within the constraints of investigation and legal risk, organizations that integrate communications expertise are better positioned to emerge with credibility intact—and often stronger.

Cyber incidents may be inevitable. Reputational damage doesn’t have to be. The real question isn’t just whether you responded— it’s whether you’re responding in a way that strengthens trust and credibility in the long run.

Cody Want is FleishmanHillard’s U.S. Cyber Crisis Lead with extensive experience in cyber incident response and preparedness. He has helped clients through a wide range of crisis and issues situations, including undercover media investigations, major restructures, union disputes and many other regulatory and reputational challenges.