I recently spoke with the CEO of a manufacturing company that had fallen victim to a ransomware attack three weeks earlier. The systems were back up after seven days — quite fast for that type of incident. But when I asked how they handled crisis communication, there was silence. “We didn’t know what to tell our clients. We didn’t know who to report the incident to, or when. For the first two days we said nothing to anyone,” the CEO admitted. Those two days of silence cost the company more than a week-long operational shutdown. Several key contractors terminated their agreements, one filed a complaint with the data protection authority, and the local press covered the incident in a sensationalist tone — because the news leaked through employees.
The company’s CFO later asked me a question I hear regularly: “What do we tell investors? What do we tell clients? When and how do we say it?” This is a question every board should have an answer to before an incident ever occurs. Crisis communication after a cyberattack is not improvisation — it is a process that must be planned, rehearsed, and embedded in ready-made templates. This article exists so that you know what to do before it is too late.
Why does crisis communication determine a company’s survival after a cyberattack?
A cyberattack is a two-phase event. The first phase is the incident itself — loss of access to systems, data leakage, operational paralysis. The second phase, often more dangerous, is the loss of trust — from clients, partners, regulators, and the media. Organisations that contain the first phase but neglect the second face long-term consequences that, in extreme cases, end in the dissolution of the business.
Research by the Ponemon Institute indicates that the cost of reputational damage following a data breach accounts for 30 to 40% of the total cost of the incident. That is more than the combined costs of system recovery and legal fees. Clients do not leave because a company had an incident — they leave because the company communicated poorly, concealed facts, or responded too late.
Crisis communication serves three strategic functions. First, it manages the narrative — if the company is the first to disclose the incident and presents it transparently, it retains control of the message. If the news breaks through a leak or the media, the narrative escapes control. Second, communication fulfils legal obligations — NIS2, GDPR, the Cybersecurity Act, and sector-specific regulations (KNF for finance, NFZ for healthcare) impose specific reporting deadlines and formats. Exceeding them brings additional penalties. Third, professional crisis communication builds long-term trust — companies that communicate openly and quickly often emerge from a crisis with a higher level of client trust than they had before the incident.
A board that thinks “we’ll hide this for as long as possible” is making a strategic, legal, and ethical mistake simultaneously. In the era of GDPR, NIS2, and social media, concealing a serious incident is practically impossible — and the attempt to cover it up becomes a separate and often more serious problem in itself.
Who must an organisation notify after an incident — NIS2, GDPR, and financial regulator requirements?
The answer to “who to notify” depends on the nature of the incident and the sector in which the organisation operates. However, there are several obligations that apply to virtually every Polish company that processes data or provides digital services.
The first and broadest regime is the GDPR (General Data Protection Regulation). If the incident affected personal data — and most ransomware and phishing attacks do exactly that — the obligation to notify the supervisory authority (in Poland: UODO, the Personal Data Protection Office) arises automatically, provided the breach creates a risk to the rights and freedoms of natural persons. It does not matter whether the company is “small” or “large” — GDPR applies to every data controller.
The second regime is NIS2 and the Act on the National Cybersecurity System (KSC). Essential and important entities — and this list has expanded following the amendment to cover many sectors: energy, transport, banking, financial market infrastructure, healthcare, water supply, digital infrastructure, public administration, and space — are obliged to report “significant incidents” to CSIRT NASK (for most entities) or CSIRT GOV (government entities) and CSIRT MON (defence sector).
The third regime concerns regulated sectors. Companies supervised by the KNF (banks, insurers, investment firms) have additional obligations arising from sector-specific regulations — including DORA for financial institutions, KNF recommendations, and EBA/ESMA regulations. Healthcare facilities are subject to NFZ and Ministry of Health regulations. Companies listed on the Warsaw Stock Exchange are subject to MAR requirements (the Market Abuse Regulation) — meaning a serious incident may constitute inside information requiring disclosure.
The fourth circle consists of contractual partners. Many B2B contracts — particularly with large corporations, public institutions, or companies in regulated sectors — include clauses requiring notification of a security incident within a specified timeframe. A breach of these clauses may constitute grounds for terminating the contract at the fault of the company affected by the attack.
Key principle: do not wait for certainty. Legal requirements do not say “report when you know everything” — they say “report within a specified timeframe from the moment you become aware of the incident.” A preliminary notification with limited information is better than a late notification that is complete.
How quickly must an incident be reported — deadlines and consequences of exceeding them?
Deadlines are unforgiving and independent of the degree of chaos prevailing in the organisation at the time of the attack. That is precisely why reporting procedures must be known and ready in advance.
Under the GDPR regime: 72 hours from the discovery of a breach to notify UODO. The clock starts from the moment the data controller “becomes aware of the breach” — that is, when it obtains sufficient knowledge that a breach has occurred, not from the moment it knows its full scope. In practice, this means that if you detect a ransomware attack on a Friday evening and by Sunday you know that it probably affected personal data, the notification to UODO should be submitted no later than Monday morning. If the incident creates a high risk to the rights and freedoms of natural persons, the obligation to notify the affected individuals themselves also comes into play — without undue delay.
Under the NIS2/KSC regime: a preliminary notification to CSIRT within 24 hours of identifying a significant incident. A full report — within 72 hours. A final report — within one month (or another deadline agreed with CSIRT). These deadlines apply to essential and important entities within the meaning of the Act.
The consequences of missing deadlines are multi-dimensional. First, administrative — UODO can impose a fine of up to 10 million euros or 2% of annual turnover for a breach of the reporting obligation. Second, civil — late or incomplete notification of persons affected by the breach increases their claims for damages. Third, reputational — a regulator that had to “discover” the incident itself (because the company did not report it) responds more harshly than in the case of a proactive notification. Fourth, criminal — in the event of the deliberate concealment of an incident, criminal charges against managing persons may follow.
One of the CEOs I spoke with told me: “I thought I had time. The incident was on a Wednesday, I reported it on Monday because I wanted to know more. UODO did not treat this as a ‘preliminary notification.’ We received a fine solely for exceeding the 72-hour deadline.” That is a real event, not a hypothetical.
How to communicate with clients after a data breach — good and bad practices?
Communication with clients after an incident is the most emotionally charged element of a crisis. Clients are not legal stakeholders — they are relational stakeholders. They respond to being treated with respect, to honesty, and to concrete actions the company takes on their behalf.
Good client communication rests on five principles.
First principle: speed matters more than completeness. Do not wait until you know everything. Send a preliminary message (“We have detected an incident, we are investigating, we will keep you informed”) before you send a full one. Silence is interpreted as concealment — and that interpretation is correct.
Second principle: specificity matters more than reassurance. “Your data may have been compromised” is a better message than “The company’s priority is the security of our clients’ data.” Clients want to know: which specific data, what does it mean for them, what should they do. Messages full of platitudes and devoid of concrete detail reinforce distrust.
Third principle: actions matter more than apologies. “We apologise for this incident” is the minimum. “In response to the incident, we have provided free identity monitoring for 12 months for all affected clients” — that is a message that builds trust.
Fourth principle: one consistent message across all channels. Email, website, social media, helpline — all must say the same thing. Discrepancies between channels are interpreted as concealment or disinformation.
Fifth principle: designate a dedicated point of contact. Clients must know who to call or write to. A crisis helpline, a dedicated email address, a special FAQ page — these are the minimum communication infrastructure that a company should activate within the first 24 hours.
An example of bad practice: a telecommunications company whose breach affected 200,000 clients sent an email notification three weeks after the incident, containing a single sentence: “We inform you that unauthorised access occurred in our systems, which may have affected some data.” No information about what data, no indication of who was affected, no concrete guidance whatsoever. The result: 40% of clients covered by the notification cancelled their services within the following 90 days.
Remember: clients forgive mistakes — they do not forgive concealment and dismissiveness.
How to communicate with the media after a cyberattack — principles of crisis communication?
The media are not the enemy — they are the vector of the narrative. If a company does not manage its own narrative, the media will build their own — and it will almost always be a narrative based on missing information, speculation, and fragmentary leaks. A company that says nothing is not protected — it is being described by those who say anything at all.
First media principle: one spokesperson, one voice. In a crisis, the company must designate one person — most commonly the press spokesperson, the Director of Communications, or the CEO — who is the sole authorised source of information for the media. Any unauthorised statements from employees, board members, or business partners are potential information bombs that can blow the narrative apart.
Second principle: proactivity instead of reactivity. The company should be the first to contact key media outlets — rather than waiting for questions. Issuing a press statement within the first hours of a crisis, before the media independently “discover” the incident, gives the company the narrative initiative. The statement should contain: confirmation of the incident, a description of the scope (what is known at that point), actions the company has taken, information about cooperation with law enforcement and the regulator (if applicable), and a point of contact for the media.
Third principle: do not lie, but you do not have to say everything. “We are not commenting on technical details of the ongoing investigation” is a legitimate position — especially when law enforcement is conducting an investigation and has asked that disclosure of information be limited. “There was no incident” — when an incident did occur — is a lie that will sooner or later come to light and destroy the company’s credibility.
Fourth principle: do not attack the media. Companies that respond to crisis media coverage with demands for corrections, accusations of disinformation, or hostile rhetoric escalate the crisis. The media have a long memory and wide networks of contacts. An elegant correction of an erroneous fact is acceptable — going to war with the media is a strategic mistake.
Fifth principle: plan updates. The media expect regular progress reports. “We will keep you informed as the situation develops” without a concrete schedule — that is an invitation to speculation. “We are planning the next press conference for tomorrow at 3:00 PM” — that is managing expectations.
It is also worth remembering trade media and local outlets, which are often more important than national media for specific sectors. A manufacturing company whose incident is covered by a trade portal for logistics or industry will suffer greater reputational damage within its client base than if the information had appeared in a national newspaper. When mapping the media to monitor and contact, do not limit yourself to the largest titles — identify those that your clients and business partners actually read.
One final point that is rarely discussed: social media as a crisis communication channel. Twitter/X, LinkedIn, and Facebook can be both a source of information about the incident (when the news “comes out through employees”) and a channel through which the company communicates directly with clients. It is advisable to designate a person responsible for monitoring and responding on social media during a crisis — separately from the person handling traditional media. Client comments on social media require fast, personalised responses — not redirection to a general press statement.
How to cooperate with CERT Polska and law enforcement?
Notifying CSIRT is not only a regulatory obligation — it is access to competent technical and analytical support. CERT Polska (operating as part of CSIRT NASK) is an institution with many years of experience in incident handling, possessing resources and tools that most companies do not have on a day-to-day basis.
Cooperation with CERT should begin with a formal incident report submitted via the form available at incydent.cert.pl or by email. The report should contain: the date and time of incident detection, the type of incident (ransomware, phishing, data breach, DDoS, etc.), the scope (which systems, which data), remedial actions taken, and contact details for the person responsible for the incident on the organisation’s side.
CERT Polska can assist with analysis of malicious software, tracking the attackers’ infrastructure, coordination with other CSIRTs in the case of cross-border attacks, as well as warning other organisations about similar attacks. Sharing a malware sample or information about the attack techniques used serves the entire cybersecurity ecosystem — not just the one company.
In parallel, if the incident shows signs of a criminal offence — and a ransomware attack, data extortion, or system sabotage is a criminal offence under the Penal Code — the company should file a report with the police or the prosecutor’s office. It is worthwhile to involve a lawyer specialising in telecommunications law in this process. A criminal complaint serves two functions: it initiates criminal proceedings, and it forms part of the documentation of the company’s “due diligence” in the regulatory process.
An important practical principle: do not modify evidence. Before the company begins “cleaning up” after the incident — restoring systems, removing malicious code, formatting drives — it should secure evidence (system logs, disk snapshots, copies of infected files) and agree with the lawyer and law enforcement which remediation actions will not destroy evidentiary material. This tension between “return to operation as quickly as possible” and “do not destroy evidence” is one of the most difficult operational dilemmas of an incident.
It is also worth knowing what law enforcement does not expect from a company — and what companies often fear. Reporting an incident to the police does not automatically initiate proceedings that will “turn the company upside down.” The CBZC (Central Cybercrime Bureau) operates efficiently and understands that the company’s priority is to resume operations. In most cases, the investigative proceedings run in parallel with remediation operations — not instead of them. Many companies avoid reporting incidents to law enforcement out of fear of “an on-site inspection” or “seizure of equipment” — yet cooperation with the police often accelerates the identification of attackers and the recovery of stolen data or decryption keys.
CERT Polska also runs a Threat Intelligence Sharing programme that companies can join, which enables early warning about new attack campaigns. Companies that have themselves fallen victim to an attack can — and often should — pass technical information about the techniques and infrastructure used by the attackers to CERT, thereby protecting other market participants from similar incidents. This is not purely altruism — companies that actively cooperate with CERT and the regulator are treated more leniently by supervisory authorities than those that limit their communication to the legal minimum.
Contacts to have ready in advance for an incident: CERT Polska: incydent@cert.pl, phone: +48 22 380 82 74. Cybercrime Police: Central Cybercrime Bureau (CBZC).
How to prepare a crisis communication template before an incident occurs?
The most expensive lesson companies learn after incidents is this: a crisis plan written during a crisis is not a plan — it is a document that arrives too late to be useful. A crisis communication template must exist before the incident, it must be tested, and it must be known to the people who will use it.
The minimum set of crisis documents comprises five elements.
First: a stakeholder map and communication matrix. A document indicating who must be notified (UODO, CSIRT, KNF, clients, partners, investors, employees, media), within what timeframe, by whom, through which channel, and with what content. The matrix should be up to date — with phone numbers, email addresses, and links to reporting forms.
Second: a library of communication templates. Ready-made templates for each stakeholder group: an email to clients (preliminary and full version), a press statement (preliminary and full version), an internal communication for employees, a message for the board/supervisory board, a response to media questions (Q&A template). The templates should not be blank — they should contain ready phrases that only need to be filled in with the facts specific to the given incident.
Third: a decision-making procedure. Who makes the decision to activate the crisis procedure? Who approves communications before they are sent? Who is the press spokesperson? What is the escalation process — when do we involve the board, the supervisory board, external legal counsel? The procedure should be simple and unambiguous, because in a crisis there is no time for discussion.
Fourth: a crisis contact list. An external law firm (specialising in personal data and cybersecurity), a digital forensics firm, a crisis PR agency, CERT and police emergency numbers. The list should be updated every quarter.
Fifth: exercise scenarios. A crisis plan that has never been rehearsed is a dead plan. It is recommended to conduct tabletop exercises at least once a year — simulating an incident during which the board and key individuals go through the communication procedures in a “mock” mode. Exercises reveal gaps that are not visible in the document.
What communication mistakes deepen the crisis — case studies?
Mistakes in crisis communication can be divided into three categories: errors of omission (not doing things that should have been done), errors of commission (doing things that should not have been done), and timing errors (doing the right things at the wrong time).
Mistake no. 1: silence as a strategy. A Polish logistics company that in 2024 fell victim to an attack on its client portal decided not to inform clients until it had identified the full scope of the breach. Three weeks passed. A wholesale client learned about the attack from an external supplier and reported the matter to UODO. The authority imposed a fine for breaching Article 33 of GDPR (the obligation to notify the supervisory authority) and Article 34 (the obligation to notify affected individuals). The fine: 850,000 PLN. Notifying clients immediately and reporting to UODO within 72 hours would have been costlier in reputational terms, but legally safe.
Mistake no. 2: a statement written by lawyers rather than by humans. One regional bank, following a phishing attack, published a statement containing three paragraphs of legal jargon, without a single sentence in a language understandable to clients. The media dissected the statement and served their readers their own “translations.” Had the bank written plainly: “Login credentials for the transaction portal have been leaked. Block your card and change your password. Call xxx-xxx-xxx” — it would have controlled the narrative.
Mistake no. 3: shifting responsibility onto the victims. An e-commerce company, following a breach of clients’ login data, published a statement suggesting that “users should have been using stronger passwords.” This is the classic mistake that turns victimised clients into hostile clients. Even if weak user passwords contributed to the scale of the breach, a crisis communication moment is not the time to educate clients — it is the time to take responsibility and identify remedial actions.
Mistake no. 4: premature “full transparency” based on limited knowledge. A financial firm issued an extensive statement six hours after detecting the incident, claiming that “no financial data had been compromised.” Two days later it turned out that financial data had in fact leaked. Withdrawing and correcting a previous statement is a reputational catastrophe — the company lost credibility not because of the incident, but because of excessively hasty assurances. The rule: do not say “there is no breach” — say “an investigation is ongoing, the scope is not yet known.”
Mistake no. 5: lack of coordination between departments. At one manufacturing company, the marketing department published a cheerful post on LinkedIn the day after a ransomware attack (the post had been scheduled automatically and nobody thought to disable it). Employees internally laughed it off; external clients — who saw the post and were unaware of the attack — were confused. A minor communication incident that became an industry meme.
What does a crisis communication plan look like? Incident communication matrix
The table below presents a crisis communication matrix — a starting point for building an organisation’s own plan. The columns should be supplemented with company-specific data.
| Stakeholder | Notification deadline | Channel | Type of message | Responsible person | Required template |
|---|---|---|---|---|---|
| UODO | Within 72 h of discovering a personal data breach | Online form / email to UODO | Formal incident notification (Art. 33 GDPR) | DPO / Legal Counsel | UODO form + incident description |
| CSIRT NASK | Within 24 h (preliminary) / 72 h (full) — KSC entities | incydent.cert.pl / email | Technical incident report | CISO / IT Department | CSIRT NASK form |
| Affected individuals | Without undue delay (if high risk) | Email / SMS / registered letter | Client notification (Art. 34 GDPR) | Marketing / DPO | Client email template |
| KNF (financial sector) | In accordance with sector regulation / DORA | ESPI system or direct contact | Operational notification | Compliance Officer | Internal KNF template |
| Contractual partners | In accordance with contract (usually 24–72 h) | Email / phone to Account Managers | Direct notification of key B2B clients | Sales Director / Account Manager | B2B email template |
| Employees | Immediately upon deciding on external communication | Intranet / email / all-hands meeting | Internal message — facts, what not to say publicly | HR / CEO | Internal communication template |
| Media | Within 24 h of the incident (proactive statement) | Press release / press conference | Press statement — current state of knowledge, company actions | Press spokesperson / CEO | Press release template |
| Investors / Warsaw Stock Exchange | Immediately if inside information (MAR) | ESPI system | Current information / current report | CFO / IR Manager | MAR current report |
| Law enforcement (Police / CBZC) | Immediately (criminal complaint) | Written notification | Report of suspicion of a criminal offence | Legal Counsel / CEO | Criminal complaint template |
| Supervisory Board / Shareholders | Within 24 h of incident confirmation | Confidential briefing / email | Abbreviated management report | CEO / CISO | Management briefing template |
The matrix is a starting point — every organisation should adapt it to its own legal structure, sector-specific regulations, and contractual obligations. Update the matrix after every change in the organisation or the regulatory environment.
How does nFlo support clients in communication during an incident?
Over more than a decade of working with clients in the financial, industrial, healthcare, and public sectors, we have witnessed hundreds of crisis moments. Some ended as they should — quickly, efficiently, with minimal reputational damage. Others ended considerably worse — mainly because the company was not prepared for the communication dimension of a crisis.
nFlo’s Incident Response service is not just technical incident management — it is comprehensive support for the entire process, including the communication dimension. Our response time of under 15 minutes from incident notification means that during the first, critical hours we can act alongside your team — both technically and procedurally.
Within the scope of crisis support, we assist clients in several key areas. First, in establishing the scope of the incident — which enables precise and truthful external communications. A statement that is too broad (“everything leaked”) or too narrow (“only email addresses leaked”) carries both legal and reputational risk. Second, we assist with coordination with CSIRT NASK — preparing the technical documentation required for the report within regulatory deadlines. Third, we work alongside lawyers and crisis PR agencies that support companies in communicating with the media and the regulator.
Our clients — over 200 organisations, over 500 security projects, 98% retention rate — know that the value of nFlo does not end with technology. Its value lies in the fact that in a moment of crisis you are not alone. You have access to experts who have been through dozens of incidents, who know what works and what does not — and who can accompany you in managing not only your systems, but also your company’s reputation.
When I spoke with the CEO of the manufacturing company mentioned at the beginning, several months after the incident, he said one thing that has stayed with me: “We knew how to put out a fire in the server room. We did not know how to put out the fire in the minds of our clients. Next time we will know.” Next time should not be your first time.
Frequently asked questions
Does a small company also have to report an incident to UODO?
Yes. The obligation to report a personal data breach to UODO under Article 33 of GDPR applies to every data controller, regardless of the size of the company. The only exception is breaches that are “unlikely” to result in a risk to the rights and freedoms of natural persons — but this is an assessment the company must conduct and document.
What is a “significant incident” within the meaning of NIS2/KSC?
A significant incident is one that causes or is capable of causing serious disruption to the provision of services or serious financial losses for the entity, or one that has or is capable of having a significant impact on other natural or legal persons by causing considerable damage. The definition is intentionally broad — in practice, consult a lawyer and/or CSIRT NASK in case of doubt.
Can a company refrain from informing clients if the breach was “minimal”?
Under the GDPR regime: the obligation to notify affected individuals (Article 34 GDPR) arises only when the breach is likely to result in a “high risk” to their rights and freedoms. Not every breach requires notifying clients — but the risk assessment must be documented. The absence of documentation of that assessment can itself constitute a GDPR violation.
How much can failure to fulfil reporting obligations after an incident cost?
UODO can impose a fine of up to 20 million euros or 4% of annual turnover (whichever is higher) for violations of provisions relating to data subjects’ rights. For a breach of the reporting obligation (Article 33) the fine can reach 10 million euros or 2% of turnover. The NIS2 supervisory authority can impose fines of up to 10 million euros (essential entities) or 7 million euros (important entities).
How long must documentation from incident handling be retained?
The minimum requirements derive from GDPR (5 years) and KSC (5 years). In practice, incident documentation may be needed in civil proceedings (limitation period of up to 6 years) and criminal proceedings. It is recommended to retain full documentation for at least 6 years.
Is it worth hiring an external crisis PR agency?
For companies with more than 50 employees or companies for whom reputation is a key asset — definitely yes. An external crisis PR agency has experience, media contacts, and ready procedures that an internal marketing department most often does not possess. It is worth establishing a relationship with an agency before an incident — as part of tabletop exercises or a retainer arrangement.
Sources
- GDPR — Regulation (EU) 2016/679 of the European Parliament, Art. 33–34
- NIS2 Directive — Directive (EU) 2022/2555 of the European Parliament
- UODO — Guidelines on reporting personal data breaches
- CERT Polska — Incident report form
- ENISA — Guidelines on Art. 4 of the ePrivacy Directive and Breach Notifications
- Ponemon Institute — Cost of a Data Breach Report 2024
- Act of 5 July 2018 on the National Cybersecurity System (as amended)