Cyber Incidents and Crisis Communications in 2026
- Carolyn

- Feb 15
Cyber attacks have been described for years as a growing risk, but that framing now feels inadequate for organisations dealing with the reality of cyber incidents and data breaches.
In 2026, cyber incidents sit firmly in the category of routine organisational threats. They affect day-to-day operations, staff wellbeing, customer trust and regulatory confidence, often all at once. As a result, crisis communications and data breach communications are no longer optional disciplines, nor can they be bolted on once the technical work is underway.
A recent discussion I attended on cyber incident response crystallised several themes I am seeing repeatedly in practice. The session was hosted by the Chartered Institute of Public Relations and featured invited speakers Rachel Andvig from Willis Towers Watson, Jim Steven from Experian, and Alex Wheeler from the Information Commissioner's Office.
Together, they offered a useful cross-section of how cyber incidents are being experienced across risk management, crisis response and regulation, and discussed familiar challenges in crisis communications appearing with increasing frequency and intensity.
The most important of these is straightforward. Planning for cyber incidents needs to start from the assumption that something will happen.
Why crisis communications cannot sit on the sidelines
One of the most striking themes from the discussion was how often communications teams are still being brought in after key decisions have already been made during a cyber incident or data breach.

Cyber resilience has improved in many organisations at a technical level. Backup strategies, monitoring, and incident response playbooks are far more mature than they were a decade ago. Communications resilience, particularly around crisis communications and internal communications, has lagged behind.
That gap matters because cyber incidents immediately raise questions that sit outside technology teams. Customers want to know what action to take. Staff want reassurance. Leaders want to understand what can safely be said, and when. These questions surface early and shape the story long before systems are restored.
There is also a practical reality that is still underestimated. Many cyber incidents disrupt the very channels organisations rely on to communicate. Email, intranets, websites, and collaboration tools may all be unavailable. Without an alternative plan, organisations can find themselves unable to communicate clearly at the moment it matters most.
From a crisis communications perspective, this is a continuity issue, not a technical one.
Speed and accuracy in data breach communications
A recurring challenge in cyber incidents is balancing urgency with accuracy in communications.
This tension plays out in real time. Organisations that rush to reassure and later have to correct themselves often face prolonged scrutiny. Note how often high-profile cyber attacks involve early statements being walked back once forensic work progresses.
Silence carries its own risks, particularly when attackers actively push information into the public domain to increase pressure and confusion. There have been several instances where stakeholders were directly impacted by a cyber attack, yet could have been notified had the organisation communicated earlier.
So there are huge financial, legal and reputational risks at play here, regardless of the approach taken.
The most credible crisis communications responses tend to follow a similar pattern. They are clear about confirmed facts, open about what is still under investigation, and practical about immediate steps people can take. Absolute claims are avoided early on, and updates are framed as part of an evolving picture rather than a definitive position.
This approach depends on close coordination between communications, legal, and technical teams. The aim is not delay, but confidence that early messages will still stand when more is known.
Practice and preparedness for cyber incidents
Many organisations say they have tested their cyber incident response. Far fewer have tested their crisis communications under conditions that resemble a real incident.
There is a meaningful difference between talking through a scenario in a desktop-based meeting and running a simulation. A simulation requires people to draft messages, seek approvals, manage uncertainty, and make decisions while time pressure and incomplete information are deliberately introduced.
Effective exercises include complications. Systems fail. Information changes. External pressure builds. These moments expose weaknesses that are far easier to address in rehearsal than under public scrutiny.
For communications teams, simulations are also where governance is tested. If sign-off processes stall during an exercise, they are unlikely to hold up during a live cyber incident.
A final reflection on cyber crisis readiness
Cyber incidents sit at the intersection of technology, people, regulation, and reputation. Treating them as a narrow technical issue no longer reflects how cyber attacks and data breaches play out in practice.
For communications leaders, the question has shifted. It is now about readiness rather than likelihood. Preparation depends less on having perfect wording and more on having structures, relationships, and judgement in place before they are tested.
If a cyber incident happened tomorrow, would your communications team know how to operate if core systems were unavailable? Would staff know where to find reliable information? Would you feel confident about the tone and content of the first public message?
These questions are no longer theoretical. They are part of the role.

