Mobilise and confirm team
Confirm team roles, including the senior Gold strategic lead or senior leader representative who has the responsibility to oversee the internal and external crisis comms response. There must also be a confirmed second in command (Silver tactical) and third in command (Bronze operational) to assist and deputise.
Avoid creating too large a team that could delay key decision-making. It is paramount that the leadership team actively sponsor and support the comms response. The Gold strategic lead should also be part of the council’s Strategic Command Group (SCG) for the incident; see more on the 'Delivering your services' page.
Once the team has been set up, consider creating a group chat between the team, to enable fast and efficient internal communication. Consider establishing other means of communication if usual channels are out of action due to the incident.
Check with your insurers (if you have cyber insurance)
Some comms may risk compromising contractual agreements with your cyber insurer. Before releasing public comms, check with your insurer that this will not invalidate any claim you may have to make.
Consult MHCLG, the lead government department (for supply chain incidents), NCSC and law enforcement
Involve MHCLG, the relevant lead government department (for supply chain incidents), NCSC and the Police in drafting or reviewing your proposed communications. This may slow down the process but their insight will be key to ensure you issue only appropriate information.
Identify where you may need to coordinate with other organisations
In the event of a supply chain incident (where a supplier of services to more than one council is affected) it will be important to coordinate and align communications with the supplier and other councils/organisations whose services are impacted.
Agree key messages to brief internal staff
Provide clear and consistent information: Detail what is currently known and what is not yet known. Explain how services are being impacted.
Outline Business Continuity: Explain measures currently in place. Clarify how unaffected services will continue and how disruption is being managed.
Select appropriate channels: Identify the best and safest ways to communicate (for example, internal newsletters, letters, email, or phone) using systems unaffected by the incident.
Consider the audience: Remember that staff interact with residents and many are residents themselves. Maintain strict consistency in all information provided.
Agree initial public statement to acknowledge the incident
Using the information you have available and the key messages you’ve agreed, issue your first public statement. Make sure your communication is transparent. Do not release differing information to your staff and the public, as this risks causing confusion and also distrust in the council’s communication and incident handling. Your communications should address the specific concerns and needs of each group, while also ensuring that the core points are consistent across them. Be mindful not to disclose information that may heighten the risk to your organisation or residents.
Some examples of communication lines you could use are below:
- When you discovered the incident. For example, “X council was subject to a cyber security incident, which began on the X date. We are responding to this and have enacted our incident response plan.”
- The known impacts. For example, “We are investigating the impacts on our services. At the moment X and Y are not available and we will provide further updates as our investigations progress.”
- Indicate how often updates will be provided to the public, and (where possible), set expectations on the likely duration of impacts to services.
Ensure you time and date stamp any communications. This may be important to customers and third parties checking for any revisions and updates.
Choose a safe and reliable way to communicate
Consider the most appropriate places to publish your statement:
- If unaffected, use your council’s website as a central hub for publishing all official information, along with service status information/FAQs. If your normal website is unavailable, consider how you can provide a temporary website to share essential information.
- Consider setting up a hotline number and designated email inbox for queries and urgent requests for support. Make sure you allocate sufficient staffing to respond to contacts you receive and avoid backlogs.
- Use your social media presence to support your communications but also make sure you have made sufficient staffing available to respond to enquiries through these channels. It is also worth considering which communities have or may have been impacted by the cyber incident. Choose the most inclusive and accessible ways of communicating with them.
- You may consider it appropriate to provide essential information through print media (for example local newsletters or printed publications that the council provides) to ensure you reach all affected communities.
Engaging with the press early
Engage with local news and media, particularly outlets for which you have existing and strong relationships, to support accurate reporting and reduce speculation or misinformation. Prepare for likely questions in advance and agree clear, consistent responses before engaging with journalists. It is recommended that officers who engage with the media have had crisis communication training.
Give consideration to the proposed Duty of Candour
The Public Office (Accountability) Bill 2024-26 (which at the time of writing is being considered by Parliament) proposes to create new responsibilities and offences for public authorities and officials when engaging with inquiries, inquests and similar investigations. While the Bill is not yet law, you should consider this as part of your response to a serious cyber incident, in the same way that you would with other major incidents affecting the council. Work with your Monitoring Officer to ensure that you have current advice on the responsibilities and expectations. Reflect this in how you document decisions and engage with subsequent investigations.
Aligning your communication rhythm
The crisis team, with their now established roles, should consider their rhythm of communications (for example, daily meetings and rolling email chain to communicate quickly), and touch points with strategic and operational incident response teams. This is essential so they can relay changes to the incident’s impacts and provide accurate updates and responses to staff and the public once they become known.
Where the incident has also affected other organisations (for example a supply chain incident that has affected a provider of services to multiple councils) make sure that you have identified what coordination will be required and how that will be facilitated (for example establishing regular coordination meetings).
Updating public statements
The crisis team should ensure that public communications are updated regularly when new information becomes available and make sure this is delivered with empathy. Provide a regular tempo of updates even if there is no significant new information, to show that the council is actively managing the situation.
Some examples of communication lines you could use are below:
- What is affected: explain the known impact, including whether personal information may be involved, where to find updates on affected services (for example a service status page), and any temporary arrangements in place. Be clear about what you know and avoid false certainty.
- Email safety: confirm if it is safe to send and receive emails to or from the council’s gov.uk email address, and whether it is safe to open attachments that you send.
- What you are doing: provide reassurance about the actions you are taking, for example: “we are working with our external expert cyber response partner, government departments and law enforcement agencies, to take the necessary steps and our recovery work is ongoing.”
- What happens next: set expectations on how frequently you will provide updates on your recovery progress.
Consider setting up a grid of activity to address incoming concerns from the public, media, partners or central government, and compile a script with the latest lines to help answer expected questions.
If possible, consider scheduling spokesperson media interviews, for example with the Chief Executive or Leader of the Council, to provide updates on the incident response and reassure the public. It is recommended this individual has crisis communications training in advance.
Supporting residents
Monitor the levels of contact being received by phone, email and social media. Take steps quickly if backlogs are starting to develop to make sure you keep on top of contact and continue to build trust.
Where there is a potential risk to personal data, prioritise direct communication with affected individuals. Hearing from the council first is critical to maintaining trust. Even if you do not yet have certainty about this, consider how you can reflect any potential risks in your communications.
Supporting staff
Establish a dedicated support line and email inbox for staff to use to access support and advice. Refer to the ‘Healthy Teaming’ section for more guidance on ensuring the welfare and wellbeing of your team and colleagues when responding to a crisis.
Provide relevant security advice for staff and residents from the NCSC
Depending on the nature of the incident, this could include, but is not limited to, the following:
- look out for any phishing emails or fraudulent activity on your accounts
- use strong, unique passwords
- if you suspect your account has been compromised, change your password
- be vigilant for anything that does not seem right and be cautious when sharing your personal information.
Communicating with external partners
As more information becomes available on the scale of the impact of the incident, notify relevant third parties, partners, or neighbouring councils as soon as possible so you can work together to reduce the likelihood of them cutting access. To maintain frequent communication and trust with partners, provide the contact details of the crisis comms team and provide regular updates.
When you are confident you have contained the incident, consider releasing a statement to local authorities, partners and central government departments to provide reassurance and explain what systems and communication channels are considered to now be secure. Be prepared to provide further detail or verbal confirmation if requested.
Begin to build reassurance
As your response progresses, and the situation remains uncertain and unclear, begin planning for different scenarios (for example, prolonged service outage, partial recovery or data exposure) and drafting associated comms messaging and plans. This can ensure timely and clear messaging as the situation evolves.
Establish and maintain crisis communication capability
The crisis comms team, set up on the first day of response, should continue to be resourced so the team has capacity to ensure that there is sustained communication to all staff and partners, and residents and businesses, without team burnout. Refer to ‘Healthy Teaming’ for more information to prevent this. A rota, or timetable, could be set up for officers in the team to take regular breaks.
As response builds and you move into planning your recovery path, the team should collaborate with the strategic and operational response teams to maintain transparency and reassure stakeholders through regular, honest progress updates.
Continue to monitor your phone support line and email inbox and act swiftly if backlogs are starting to build.
Continue to engage with the media and press
The capability and rhythms you have established within the crisis comms team to log and manage media or press enquiries should also be maintained. Over time, media interest may wane in the absence of major updates. However, residents and people affected will still need to be informed where relevant.
Review whether any further data subjects are impacted by a breach
As you move through your response, and the impacts of the incident become better known, continue to review potential risks to data. It is important that affected data subjects hear it directly from you first to avoid a loss of trust, so monitor this closely.
Continuing to reassure and build confidence and trust
Continue to engage with partners, communities and residents to provide updates on the recovery plans, changes to access in services, address their concerns and maintain transparency throughout the recovery process. This can help to rebuild trust and credibility with stakeholders.
Continue to keep a log to inform post-incident comms. This may encompass thanking the public for their patience and understanding, or highlighting improvements to cyber security measures, for example.
If your council is a victim of a ransomware incident, be prepared for the risk of further data exploitation by your attackers. Have comms messaging ready to address these and be ready to affirm whether or not they are related to the initial incident rather than a separate incident. Maintain close coordination with law enforcement teams supporting the response so they are able to advise and support your communications.
After an incident, you should review your communications response and update your strategy to reflect any changes that need to be made. This can include speaking to stakeholders, both internal and external, to see how the message was received and what could be improved.