For the first time in many industries, the question is no longer if your company will suffer a data breach. The question is when. This board-level event can cause operational disruption, legal exposure, reputational harm, and long-term trust erosion. But it’s not the companies that avoided every attack that will emerge stronger and more resilient—those that respond to a breach with calm, transparency, and discipline will.


A breach is not just a technical event. It’s an operational one that tests the organization’s preparation, governance maturity, and commitment to a “reasonable security” defense. Leaders need to know that every second in the initial hours of a breach can define the incident and its strategic impact. The first instinct can be to “pull the plug.” But hasty containment can destroy evidence and make matters far worse. Effective containment is methodical, not panicked. Leadership should know that isolating or segmenting (not abruptly powering down) affected systems, stopping any ongoing unauthorized activity or data exfiltration, and preserving logs, volatile memory, and forensic data are the first steps in damage control. Containment is not only about stopping the attack. It’s about preserving the ability to analyze it.

An attack succeeds by staying quiet for as long as possible. Breach response succeeds by talking. Escalation is the first order of business: the entire incident response (IR) team needs to be activated, not just technical leadership. This includes general counsel, privacy officers, cyber insurance contacts, external digital forensics/incident response (DFIR) providers, and communications/PR. Incident leaders should never make decisions in a vacuum. Every action should be considered through operational, legal, and reputational filters.

The investigation must be forensically sound. Leaders need to recognize that facts—not assumptions or speculation—drive recovery. The first 24–48 hours of an investigation often overturn initial assumptions. False statements or assumptions can haunt an organization later in the legal/regulatory process. Investigators should focus on: how the attack happened; what systems and data were affected; whether any regulated data, such as PII (personally identifiable information) or PHI (protected health information), is at issue; how long the attacker(s) had access; and whether any data was exfiltrated or manipulated.

Notifications and disclosures must follow meticulously, and leaders need to prioritize this from the outset. The landscape for data breach notifications is now a patchwork of state data breach laws, industry-specific rules like HIPAA and GLBA, and SEC disclosure requirements for public companies. Incident response at the leadership level means assessing which notifications apply; working with counsel on the legal definition of “breach”; documenting known and unknown facts; and coordinating disclosures, communications, and messaging. All of these actions should be carefully considered for legal accuracy, timeliness, and defensibility.

Public companies are now required to file a Form 8-K within four business days of determining that a cybersecurity incident is material, per the SEC’s new disclosure rules. The disclosure should include information about the material aspects of the cybersecurity incident, including the nature, scope, timing, and likely financial or operational impact. All public companies must file a Form 8-K to report information about cybersecurity incidents, even if the incident is not considered material.

Open communication is the best practice. When facing a data breach, the best course of action is to err on the side of transparency and provide stakeholders with the information they need. Silence is not safe. Silence is the erosion of trust. Stakeholders (customers, partners, regulators, investors, employees) expect clarity, not evasion or technical jargon. Effective breach communication should: acknowledge the incident; explain what’s being done (not what’s being speculated); provide actionable next steps for affected individuals; and reassure through honesty and candor.

Remediation includes all technical fixes and hardening measures needed to eliminate attacker access and prevent recurrence. This can include patching exploited vulnerabilities, removing malware and any other attacker persistence, strengthening access controls, improving network segmentation, and improving monitoring and logging. But organizations should not stop at fixing vulnerabilities. Leadership should take a step back and use the breach as a catalyst for growth and maturity. This can include a reassessment of the organization’s overall risk posture and security program through a risk assessment using the DoCRA (Duty of Care Risk Analysis) approach, or improved governance, policies, and controls.

Documentation. Mature organizations will record everything. Regulators, courts, insurers, and auditors will all ask: What did you do? When did you do it? And why? A defensible response includes timelines (with the factual rationale for every decision), preserved evidence, recovery actions, and lessons learned. By under-documenting an incident, organizations can do themselves far more harm than the breach itself did.
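Two of the points above are concrete enough to put into code: the four-business-day Form 8-K clock and a decision timeline whose entries cannot be quietly rewritten after the fact. The following is an added example, not code from the original article; the holiday set is a constructed placeholder (the real calendar comes from counsel), and the SHA-256 hash chain is one assumed way to make the timeline tamper-evident.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
import hashlib
import json

# Constructed placeholder; counsel supplies the real non-business-day calendar.
MARKET_HOLIDAYS = {date(2024, 7, 4)}


def form_8k_deadline(materiality_date: date, business_days: int = 4,
                     holidays=MARKET_HOLIDAYS) -> date:
    """Count business days after the materiality determination, skipping
    weekends and the holiday set (the rule's four-business-day clock)."""
    d, remaining = materiality_date, business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            remaining -= 1
    return d


@dataclass
class IncidentRecord:
    """Append-only timeline: each entry carries the digest of the previous
    one, so a later edit to any action or rationale is detectable."""
    entries: list = field(default_factory=list)

    def log(self, when: datetime, action: str, rationale: str, actor: str) -> str:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        entry = {"when": when.isoformat(), "action": action,
                 "rationale": rationale, "actor": actor, "prev": prev}
        entry["digest"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry["digest"]

    def verify(self) -> bool:
        """Recompute every digest; False means an entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["digest"]:
                return False
            prev = e["digest"]
        return True
```

Each `log` call records who decided what, when, and why, which is exactly what a regulator or insurer will ask for later.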


A breach will reveal an organization’s identity. Mature companies do not fear cybersecurity incidents; they embrace the responsibility to demonstrate competence and leadership in their response. Breach response is a test of an organization’s character. Executing a well-managed breach response will not just stop further harm to customers, stakeholders, and operations—it will signal to your organization’s most important constituents (customers, regulators, partners, and employees) that you take your duty of care seriously. The companies that will stand out from the pack when it matters most are those that prove they were up to the task.


References

NIST Computer Security Incident Handling Guide (NIST SP 800-61 Rev. 2). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf and https://www.nist.gov/publications/computer-security-incident-handling-guide

ISO/IEC 27035-1:2016, Information security incident management — Principles of incident management. https://www.iso.org/standard/60803.html

ISO/IEC 27035-2:2023, Guidelines to plan and prepare for incident response. https://www.iso.org/standard/78974.html

ISO/IEC 27035-3:2020, Guidelines for ICT incident response operations. https://www.iso.org/standard/74033.html

SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule and guidance. https://www.sec.gov/corpfin/secg-cybersecurity

SEC press release on new cyber-disclosure rules (July 26, 2023). https://www.sec.gov/newsroom/press-releases/2023-139