Cyber risk has migrated well outside of IT departments and into the boardroom.
Gone are the days when a cyber incident was limited to a company’s backrooms. With increasing digitisation of operations amidst global supply chains, a single breach can reverberate through every aspect of a business.
With all eyes on a company during such a crisis, effective communication during a cyber incident is now a core tenet of a business’s ability to retain stakeholder trust.
Penta’s latest Cyber Risk Is a Stakeholder Risk research study analysed over 4.8 million global mentions of cybersecurity between January 2024 and August 2025.
The study reveals a striking truth: when it comes to reputation, the severity of the breach matters less than the quality of the response. Across industries and markets, organisations that communicate transparently, act quickly, and show visible leadership recover faster than those that remain silent or evasive.
Consider the contrasting examples of how CrowdStrike and UnitedHealth mediated their respective cyber crises. In July 2024, a faulty software update from CrowdStrike caused one of the largest IT outages in recent history, disrupting millions of systems across aviation, healthcare, and financial sectors.
See also: Companies shouldn’t overlook existing talent pools in the race to hire AI talent
Within a very short amount of time, the company’s CEO issued a public apology, engineers collaborated openly with Microsoft to fix the issue, and detailed remediation steps were shared globally. They didn’t have all of the answers immediately, but they shared quick, rapid progress along the way. The company’s transparency and speed turned what could have been a prolonged reputational crisis into a demonstration of accountability and competence.
UnitedHealth Group’s handling of the Change Healthcare ransomware attack, in juxtaposition, offers a cautionary tale. The company’s delayed and ambiguous communication left customers, hospitals, and regulators in the dark. The result was prolonged negative media coverage, an erosion of trust, and a reputational shadow that persisted long after operations were restored.
These examples illustrate a continued shift in how the public, investors, and policymakers judge cyber crises. Perfection is not always the only answer. Instead, stakeholders want to see that companies can act decisively, communicate honestly, and prioritise those most affected.
See also: Keys to blending AI agents and human employees for business growth
Clarity, humanity, and immediate action should form the basis of your crisis communications’ playbook.
Credibility is king
Our data shows this pattern consistently across industries. Retail and healthcare sectors suffered the sharpest sentiment declines, with data breaches sparking anger and fear among consumers whose personal information was exposed.
Telecoms and financial sectors also experienced steep drops as state-linked hacking campaigns and crypto thefts amplified scrutiny. Technology companies, while facing the highest visibility of any sector, fared better only when they coupled operational resilience with clear, continuous communication.
These trends reinforce a central finding: reputation needs to be built over time. A company that responds with integrity often emerges stronger than one that hides behind silence, jargon or complexity.
When it comes to cybersecurity, too often organisations fail to prioritise proactively sharing their readiness, investments and capabilities well in advance of any breach or issue.
From siloed functions to a unified crisis response
To stay ahead of the latest tech trends, click here for DigitalEdge Section
The role of communicators has therefore evolved.
Corporate affairs, communications, legal, and IT teams must now work as a single crisis unit. The most successful organisations plan this in advance: they define decision-making values, establish lines of authority, and rehearse response scenarios that integrate cybersecurity with brand trust and governance.
They also integrate cybersecurity efforts into their core messaging for the company, their products, and their services to help build awareness of their preparedness for such an attack.
In a global environment increasingly defined by data sovereignty and geopolitical friction, this integration has never been more critical. The rise of state-linked operations, from China’s APT31 and Salt Typhoon to North Korea’s Lazarus Group, has elevated cybersecurity to a matter of national security.
Companies can find themselves entangled in complex geopolitical disputes overnight, even if they are on the right political sides, because of the sensitive data they hold and the intricate systems they run.
Having a team capable of responding to such issues in advance, can be the difference maker.
When communication becomes the strongest defence
The implications for corporate strategy are also profound.
Boards must treat cyber communications and preparedness as both a security function and a communications priority. This means investing in pre-crisis storytelling: educating stakeholders on your resilience measures, developing third-party partnerships, and ensuring your values are deeply understood long before an incident occurs. It also means empowering leaders, especially CEOs, to speak with credibility and empathy during a crisis, rather than deferring responsibility entirely to technical spokespeople.
The most resilient organisations share a mindset: they view cyber crises not as anomalies that may never occur but as inevitabilities. What differentiates them is their readiness to respond with purpose.
They understand that technical remediation alone cannot rebuild trust. It must be accompanied by transparency, empathy, and visible accountability.
The message to executives is simple but urgent.
Cyber resilience goes beyond defence; it is about dialogue and earning the right to be believed when things go wrong. And in today’s interconnected world, where the implications of data breaches ripple instantly through markets, media, and national politics – that right must be earned long before the first line of code is compromised.
Dan La Russo is a senior partner at Penta Group
