In the first few hours after detecting a serious cybersecurity incident, the company's incident-response team receives multiple questions from journalists. According to widely accepted crisis-communication guidance, what is the most appropriate way to handle these initial media requests?
Publish a brief holding statement acknowledging the incident and stating that an investigation is under way.
Release a technical blog post that details the suspected attack vector and indicators of compromise to demonstrate transparency.
Refuse to comment publicly until the digital forensics and root-cause analysis are fully completed.
Allow each affected business unit to answer media queries directly so information can be shared more quickly.
Best practice is to publish a concise holding statement that confirms an incident has occurred and that an investigation is in progress. This approach acknowledges the situation without locking the organization into details that may change and avoids speculation that could later undermine credibility. Withholding all comment until forensics are complete, releasing technical indicators immediately, or allowing disparate business units to respond independently all increase the risk of misinformation or inconsistent messaging.