Cyber attacks are nothing new to businesses. These crimes have woefully become a key part of contingency and risk planning, and as a result, dealing with the media fallout is now a feather in the cap of most crisis and in-house communicators.
M&S hit headlines last Tuesday (22 March) when it fell victim to such an attack, causing the retailer to stop all contactless payments and collection of online orders. By Thursday (24 March), it had to stop all online orders from its website, a cost which The Guardian estimated to be around £3.8m a day. Meanwhile, as customers aired frustrations, the BBC reported retail analysts' warnings that the ongoing fallout would impact its reputation.
The PR community is seemingly divided on the retailer's response, with some praising it as an example of “crisis comms at its finest” — a view aired in last week’s Good and Bad PR — while others say the phrase “sorry for any inconvenience caused” is a crisis faux pas.
Dave Mason, crisis communications specialist at Mentor Media, praised its initial response but called on M&S’ CEO Stuart Machin to release a video so customers could hear his “tone of voice”.
The retailer’s PR and comms team are undoubtedly up against it and fighting fires in real time, which we can all sympathise with.
But the industry reaction proves there’s a disconnect as to what makes the ‘perfect’ response to a cyber attack. PRmoment asked practitioners for their views and tips.
Give reassurance, not excuses
Charlene Sweeney, media relations director at Big Partnership: “All businesses using technology are at risk of cyber outages, breaches and attacks and as with any other vulnerability, organisations should prepare for the worst. Transparent, timely and proactive communications must be at the centre of any strategy when responding to a cyber-attack. Explain what has happened and what steps you’re taking to rectify the situation. Any attempt to escape blame will create further issue and could destroy any chance of regaining trust.
“While a cyber-attack will have immediate and damaging impact on a business, the long-term consequence of failing to protect your brand and reputation could be even more devastating. Systems can be fixed and operations recovered in days, but restoring reputation could take years. In times of crisis, people seek reassurance, not excuses. Act with integrity, own up to any mistakes, demonstrate accountability, and outline clear corrective actions. It is the only way to rebuild trust.”
Don't blame the intern
Katy Branson, director at Axicom: “When attackers strike, technology alone can't safeguard a company’s reputation. People want information, reassurance and advice more than they need a deep technical explanation or a head on a stick, so don’t try blaming the intern like the SolarWinds CEO or wait until there’s more to say. Mostly the rules are universal across industries and a clear and timely statement with advice on next steps and acceptance of culpability can be pre-prepared and ready to roll.
“Contrast this with M&S’ hasty initial communication, which raised more questions than it answered. It encouraged speculation and panic. Internal communications didn’t help stores to dampen the rumour and concern. The channel of communication is just as important as the statement. Consumer brands are generally better at knowing and engaging with their audiences, providing a route to reach and reassure, quickly and effectively. Another upfront investment that pays off and one that business brands can learn from.
“The bottom line is that any company drafting an incident response statement after a breach, is preparing to fail. When the tech team is testing the security architecture, include communications planning because it’s all part and parcel of protecting reputation. Draft the playbook. Test the messages. And, do it with the luxury of time and a clear head.”
Avoid pitchforks with three simple steps
Sarah Alonze, global strategy director at Red Lorry Yellow Lorry: “A cyber-attack has hit. Stakeholders are angry, pitchforks in hand, demanding answers. But crafting the perfect response doesn't have to be a headache. Regardless of the sector in question, here are a few rules of thumb for all businesses to follow when crisis hits:
- Forewarned is forearmed. The best and brightest businesses have planned for the worst before the worst even happens. This means designating a crisis team, crafting a crisis playbook, creating protocols and processes, and a tried and tested ‘response reflex’ that can be activated in moments. Stress test your playbook and team to ensure they’re fit for purpose and there are no points of failure. This preparation in advance ultimately determines your ability to respond effectively, and can influence the severity of the fallout as a result.
- Balance speed with diligence. Don't rush to respond without having all the facts to hand. Do your due diligence. How and why did this happen? Who is impacted? Where was the point of failure? The more facts you can gather, the more rounded and informed your response will be.
- Be human. This is key when managing stakeholder sentiment. All communications — whether to customers, partners, the media and beyond — should be honest, open and compassionate. It should also suggest a resolution or next action. This is where many brands fail, as they’re unable to put themselves in the shoes of those impacted. If you were the one impacted, what would you need to hear?”
A video statement could be the best way to go
Sarah Woodhouse, director and co-owner at Ambitious: "Experiencing a cyber-attack is never a deliberate choice, yet by prioritising crisis communications and fostering authenticity in your messaging, organisations can gain trust for taking a proactive stance.
“In the event of an attack, businesses need to be transparent and act quickly to address the breach or attack head-on. Draft a statement for the website homepage, blog, and social channels. Acknowledge that an incident has occurred, take ownership of it, and show solidarity with those affected by it. Depending on the severity of the damage, a video statement is a good way to convey trust and empathy. Be available to answer any questions and address concerns. Develop a list of press contacts to help you communicate the message to the wider public to prevent any leaks or speculation.
“After the event has taken place, you may want to demonstrate the steps you have taken. For example, show how you are regularly testing for vulnerabilities, bringing in cyber experts to regularly audit your systems, or investing in cyber security accreditation. When communicated effectively, there is the potential to transform a negative incident into a positive outcome."
Tell employees to zip it
Luke McDowell, corporate news director at Tangerine: “Cyber attacks are top of the threat list for organisations of all sizes, and this should be reflected in their crisis communications strategy and scenario plan.
"While your communications strategy will be stress-tested for a range of scenarios, cyber attacks will pose particular challenges. You may lose access to your regular lines of communication, so have a backup and make sure key people such as IT teams know how to set up a secure communications channel. In large organisations, a cyber attack will generate significant media interest and journalists will reach out to employees outside of comms teams, so it is important they know not to provide their own statements and where to direct enquiries.
“It’s also worth remembering that cyber attacks are classed as criminal activity and your response should involve law enforcement and local authorities. This impacts your communications; any statements the business makes shouldn’t prejudice ongoing investigations, so work with the relevant authorities to ensure you’re providing a joined-up response."
Be quick, but cautious
William Marks, director, crisis and special situations at SEC Newgate: “An effective communications response to a cyber-attack requires more than just speed — it demands strategic precision, emotional intelligence and operational alignment across the business.
“A swift acknowledgement of the incident is critical, even in the absence of full details, as it signals transparency and leadership. However, this must be balanced with caution. Premature assumptions or definitive assurances, particularly around data loss, can seriously undermine credibility if later contradicted.
“Consistency is fundamental. Ensure internal, media, customer and social messaging aligns and conveys empathy. Demonstrate control by outlining the immediate response, ongoing investigation, and future improvements. All of this can be achieved with strong preparation, plans and protocols.
“Working closely with legal and regulatory teams will ensure you meet disclosure obligations. But make sure to avoid overly technical or corporate language — people want honest, human communication.
“Once the crisis stabilises, shift the narrative to positive and proactive aspects of the response: here’s what happened, here’s how we’ve responded and here’s what we’re doing to prevent future incidents.
“Unfortunately, for almost all businesses cyber-attacks are more likely than ever before, and in some cases even expected. However, a well-managed cyber response isn’t just damage control — it can also be an opportunity to build long-term trust with all your stakeholders.”
PR's advantage over attackers
Andy Barr, senior communications manager at Season One Communications: "The key thing to remember with these things is that you get one bite at the reputation cherry. As such, any statement has to be factual and very importantly accurate, so you need to be aware of all of the facts before you put any statement out.
"This is where those cringe but essential crisis planning role plays and tests come into their own. The comms team needs to be hard-wired (pardon the pun) into legal and IT to make sure every statement is accurate. The likes of M&S handled its own cyber incident in textbook style.
- It went out in the CEO’s name, tick.
- It was factual and professional in its tone, tick.
- It was delivered in a timely manner, tick.
- It was followed up with updates where possible, tick.
"Statements need to be short, to the point and not open up a brand to further scrutiny. Ultimately the general public is becoming more aware that the majority of cyber-attacks originate from organised criminal gangs, most typically based overseas. As such, comms professionals are no longer dealing with a criminal enterprise that was, until very recently, shrouded in mystery and we can be more transparent around what is happening."
You don’t need to share every detail
Rhea Freeman, PR adviser at Rhea Freeman PR: “I think it’s really important to remember that each cyber attack is different depending on various factors including the kind of data that has been accessed. That said, even though there are differences, there are many similarities when it comes to how to manage the PR side of it.
“One of the things that I think M&S has done incredibly well and others could learn from, is the speed in which they’ve shared the issue, and the transparency around it. It explained there was an issue, the implications, promised updates, and steps to resolve the issue. It has also expressed regret for any inconvenience caused and thanked people for their patience. We all know that things happen in any business, but what I have seen, time and again, is that a less than ideal situation can deteriorate at an alarming rate when information is withheld and well documented/shared issues greeted with silence from the company.
“This lets people fill in the gaps themselves and create a narrative around what could have happened. This, to me, is where a brand’s reputation can suffer further as people no longer trust the company is being honest and open with them, and doubt creeps in when people fill in the gaps. Of course, being open doesn’t mean sharing every detail as it’s not needed, necessary or helpful to share every step. But what is useful is showing people that the company and, ideally, its CEO, cares, and that they’re taking positive steps to rectify a situation. Silence isn’t golden when there’s any kind of crisis.”