News Own Your Online External Link Report it
News Own Your Online External Link
  1. Welcome to the National Cyber Security Centre
  2. Protect your organisation
  3. Guidance
  4. Communicating in a cyber security incident

Communicating in a cyber security incident

The intent of this guide is for organisations to clearly and confidently communicate cyber security incidents in a timely, accurate, and supportive way — helping to limit harm, maintain trust, and assist others who may be affected.

When your organisation experiences a cyber security incident, fixing the technical issue is only part of the response. Just as important is:

  • how you tell people what’s happening,
  • how it’s affecting you, and
  • what it could mean for them.

Think about the kind of information people need during a natural disaster — clear, timely updates and practical advice. Responding to a cyber security incident is similar, but with one key difference: many New Zealanders don’t fully understand how these incidents happen. That’s why it’s important not only to explain what’s going on, but also help people understand what it means for them and what they can do to stay safe.

The NCSC has developed a communications framework designed for any organisation to use during a cyber security incident. It sets out when and how to communicate with customers, clients, and other stakeholders — clearly and calmly, and without creating panic. You can add it to your existing incident response plan as the communications section.

Public communications for cyber security incidents: A framework for organisations

Plan your communications

During a cyber security incident, it’s natural to want to focus inward. But the incidents we see show that going quiet often makes things worse. Keeping your staff, customers and the public informed is a key part of managing an incident well. Saying the right thing at the right time can shape how others view your response and help build trust when it matters most.

Planning your communications in advance makes responding to a cyber security incident easier. Because every incident is different, you don’t need to plan for every possibility — a flexible outline is often more useful than a rigid script.

Here are the key things to think about.

What's happening?

Start by getting a clear picture of the incident — what it is, how big it is, and which systems or people are affected. Ask questions until you understand the situation well enough to explain it to others. If something isn’t clear, don’t wait — get clarification straight away.

You won’t always have all the answers at the beginning, and that’s okay. Share what you know and be upfront about what you’re still working to understand.

Who do we need to tell?

Identify everyone who needs to know about the incident. This might include:

  • your staff,
  • your customers,
  • your board or investors, and
  • the public or media.

Each group will need different information. For example, staff may need to know whether it’s safe to continue using certain systems, while customers will want to know if they’re affected and what you’re doing about it.

Think about how your public messaging might affect your relationships with stakeholders, and what signals it might send to the people behind the incident.

What will you tell them?

Write some key messages early. These are the main points you want each audience to understand — what’s happened, what you’re doing about it, and what comes next.

Even if you only have limited details, it’s important to confirm that something has happened. If there are gaps in the information, say so. Let people know you’re investigating, and that you’ll share updates as you learn more.

For employees, you might need to explain:

  • how the incident affects their work,
  • any immediate changes they need to make (for example, stopping use of a compromised system), and
  • what they should say if customers ask questions.

For customers, focus on:

  • how the incident affects them,
  • what you’re doing to fix it, and
  • how they can tell if they’ve been impacted.

How will you tell them?

Choose the channels you’ll use to share your updates. These should be accessible and familiar, and they need to work even if parts of your system are down.

For example, if your email system is affected, you might not be able to contact staff or customers in the usual way. Avoid launching new channels mid-incident, like a fresh Facebook page, as it could confuse people or be mistaken for a scam.

Set up backup channels now, before you need them. Reuse your key messages to adapt communications across platforms. For example, post a short update on social media linking to more detailed information on your website.

When will you tell them?

Start from the inside out. Let your staff and board know first, then your customers, and then the public or media. Staff may raise questions you haven’t thought of, which can help refine your messaging before it goes out more widely.

In general, earlier is better. If people find out you’ve delayed communication, they may lose trust. Timing also matters — avoid non-urgent announcements late on a Friday or just before holidays. Plan how often you’ll send updates, too. Cyber incidents change quickly, so keeping people informed as the situation evolves is critical.

Find trusted sources

When you’re explaining a complex cyber security issue, it can help to point to a recognised authority, especially if you’re not confident with technical terms. Trusted sources often provide clear explanations and background information that can support your message.

Common risks and threats for business | Own Your Online External Link

Managing media interest

If your incident is serious, the media may help spread your message to a wider audience. But if you’re not used to dealing with journalists, it can be hard to know what to say, and what not to say.

If you’re approached by media and you’re unsure how to respond, ask for help. You might have an internal communications team, or you can get advice from a public relations professional. The Public Relations Institute of New Zealand has a directory of experienced consultants.

PR agency and consultant directory | Public Relations Institute of New Zealand External Link

The NCSC may be asked by media if we’re involved in your incident — but we’ll never confirm or deny our involvement, unless approved by you as part of a reassurance communications strategy. Because of the sensitive nature of the reports we receive, we treat all identifying details as confidential. We may share general information with media about threats like ransomware, but we don’t comment on specific businesses, organisations, or individuals.

Practice makes it easier

Communicating well during a crisis is a skill and it gets easier with practice. Ask for feedback from your team and involve your communications people early. The best approach is to have a communications section built into our incident response plan.

Practising your response plan regularly makes it feel less overwhelming when a real incident happens.

Create an incident response plan | Own Your Online External Link

Manage what you can and get help with the rest

You don’t need to handle everything yourself. Incident response is a team effort, so make sure you’re asking for help when you need it.

If you’re dealing with an incident, report it to the NCSC as soon as possible. We can provide advice and guidance based on the latest threat information.

Report an incident

Related information

Public communications for cyber security incidents: A framework for organisations