How to Reassure Stakeholders When Facts Are Still Unknown During Cyber Incidents

In an ideal world, everything goes according to plan. You snag the tickets to the sold-out show, it stops raining before you leave for work, and your train is running right on time. We love those moments because nobody likes a curveball. But things don’t always go according to plan, and in those moments where a reaction is needed, what we say matters. 

When responding to a cyber incident, the stakes associated with providing the right information at the right time are high, especially when threat actors escalate situations and facts change quickly. The ability to deploy the right strategy, whether rapid stakeholder communication, legal guidance or technical containment, can determine whether an organization preserves or loses trust. 

Cybersecurity incidents pose a fundamental challenge: How do you reassure stakeholders and retain their confidence throughout an incident while acknowledging that, especially early on in a forensic investigation, many facts are still unknown? It takes time to investigate the full scope of an incident and to validate the activities of threat actors. Coupled with increasingly aggressive threat actor tactics, particularly in a cyber extortion event, these realities make sharing information about an incident perilous since facts can often change.

In a world where cyberattacks are increasing in frequency, stakeholders from customers to employees to regulators scrutinize how well a victim organization handles its response. Navigating this challenge requires a holistic approach informed by the latest threat intelligence and careful coordination among the victim organization, external legal counsel and cyber communications professionals.

Cybersecurity

Rather Than Rebellion, Treat Shadow IT As Your Tech Roadmap

by Apu Pavithran

August 5, 2025

Begin by understanding the what and why of shadow IT

Read moreDetails

Communicating through double and triple extortion incidents

Nearly all ransomware incidents these days involve varying levels of extortion. Not only do threat actors often encrypt systems or data to render them inaccessible to the victim organization, but threat actors frequently also steal large quantities of data and threaten to post the data online unless a ransom is paid. Threat actors sometimes employ additional pressure tactics, like harassment of employees or continued attacks on the victim’s systems, to coerce a victim into paying a ransom.

The first step to communicating with confidence through a double or triple extortion incident is to learn the facts and plan for potential escalations. If the threat actor is known, a victim organization can prepare for potential escalations with knowledge of that actor’s techniques and patterns of behavior. For example, the Akira ransomware group was, for a number of years, a pure extortion operation: It exfiltrated and held data ransom but did not encrypt systems in the process. In 2024, experts learned the group had again begun to encrypt systems, causing additional complications for response and recovery.

When sensitive data is involved, a victim organization may have obligations under data privacy and security laws to notify affected individuals and/or regulators and may have contractual obligations to notify other third parties of an incident affecting their data. Careful communications are key to ensuring stakeholders receive the right information at the right time.

During a triple extortion event, where data is encrypted, exfiltrated and the threat actor places additional pressure on the victim organization, whether through a distributed denial-of-service (DDoS) attack or aggressive outreach to stakeholders, communications teams must be prepared for multiple waves of messaging that recognize the evolving nature of threats. A company cannot anticipate every possible escalation tactic, but they can mitigate risk by building messaging that is adaptable to a variety of scenarios.

Through thoughtful scenario planning and close coordination between legal and communications experts, organizations can prepare for these extortion curveballs in line with contractual, regulatory and litigation considerations, all while preserving attorney-client privilege over the drafting of communications.

Swatting and other stressors

Some threat actor curveballs intend to hit closer to home and require an especially careful approach. One such escalation is “swatting,” an aggressive tactic where the threat actor makes a hoax call to law enforcement claiming an emergency is underway to draw a large response to the home of a victim organization’s executives or to the business itself. Even the threat of swatting can cause major public concern, such as a recent example of a cybercriminal threatening to use swatting against patients at a hospital that had not paid a ransom.

Bringing a cyber incident to a victim’s literal front door blurs the lines between cyber threats and physical security and weaponizes fear to encourage payment. The first instance of swatting is typically a surprise and can make a victim organization look unprepared. Organizations facing swatting risk must be prepared to communicate quickly to avoid missteps and prioritize the safety of internal stakeholders.

This messaging should be drafted in close coordination with legal, law enforcement and threat intel experts, to provide instructions on how potentially at-risk individuals can protect themselves. Though swatting attempts can be unpredictable and personally challenging, assuring stakeholders the issue is being handled can go a long way to retaining trust when it matters most.

Ransomware hoaxes and threat actor lies

Challenging questions arise when the situation changes unexpectedly, such as how do you reassure key stakeholders when ransom notes are sent to employees … even though there’s no evidence an attack ever occurred?

In recent months, impersonators of threat actor group BianLian circulated ransom notes to business executives, demanding payment in bitcoin. This run-of-the-mill ransomware escalation tactic has one key difference: In this case, there was no evidence an attack had even happened. Executives were faced with a challenge: While it may be tempting to deny the legitimacy of the notes, making definitive statements you may need to walk back later erodes trust far more than taking time to gather the facts. So how should an organization respond?

What not to do: refute the claims in public right away. Making definitive statements opens up an organization to potential reputation risk and legal liability if new evidence emerges and there is legitimate threat actor activity. In this situation, the company should reassure stakeholders the organization is investigating claims and responding to the situation as they gather the facts.