
Crisis Communications During Security Incidents | CloseProtectionHire
Crisis communications for security incidents: K&R media silence protocols, regulatory disclosure obligations, communications team structure, and managing information during active incidents.
Written by James Whitfield
Communications management during a security incident is not a public relations function. It is an operational security function with legal dimensions. During a kidnap and ransom situation, media coverage can directly endanger a life. During a data breach, failure to meet regulatory disclosure timelines creates legal liability. During an active threat at a corporate premises, internal communications that create panic can cause crowd injuries.
This guide covers the communications team structure for a security crisis, the specific protocols for kidnap and ransom situations, regulatory disclosure obligations, internal staff communications during active incidents, and the communications errors that consistently worsen outcomes.
The Crisis Communications Team Structure
A security crisis requires a crisis communications team that is distinct from the operational security response team but formally coordinated with it.
The standard structure has five roles:
Head of Communications / Crisis Communications Lead: Responsible for all external and internal messaging. No unilateral authority on security decisions. All external statements cleared by legal and the Crisis Management Lead before release.
Legal Counsel: Reviews all external statements for legal liability, regulatory obligation, and commitments that may not be capable of being honoured. Provides advice on disclosure obligations in real time as the incident develops.
Crisis Management Lead (Security): Sets the operational security posture. Determines what information can be shared externally without compromising the response. In a K&R situation, this role is typically occupied by or closely coordinated with the K&R consultant.
HR / People Lead: Manages internal communications to the broader workforce. Coordinates with mental health and employee assistance resources. Manages the communications to next of kin for affected individuals.
CEO or Designated Senior Sponsor: Provides executive authority for significant decisions. The visible face of the organisation’s response in circumstances where a senior statement is appropriate.
These five roles are the decision-making unit for all communications outputs during the crisis. Decisions require consensus across legal, security, and communications before anything is issued externally.
Kidnap, Ransom, and Extortion Communications
The communications protocol for K&R situations is the most tightly specified of any security incident type. This is because the communications environment during a kidnap directly affects the outcome for the victim.
The default is media silence. K&R specialist consultants – from companies including Control Risks, Kroll, and Pinkerton – are unequivocal on this point. Media coverage during a kidnap situation routinely raises ransom demands by confirming the captors’ assessment of the target’s value. It can alert competing criminal groups to the situation, creating risk of a handoff or secondary kidnap. It can provide captors with intelligence about the company’s response – particularly any information about police involvement, family location, or the company’s insurance position.
The family of the kidnap victim is the most significant communications risk in the first 48 hours. Family members – often in shock, surrounded by well-meaning friends – may contact media, post on social media, or speak publicly about the situation before the K&R consultant has established control of the information environment. The family communications protocol, which should be activated immediately when a K&R event is confirmed, must include: a direct and compassionate explanation of why public silence is operationally necessary, specific guidance on social media (accounts should go silent or be locked), and a designated liaison between the family and the response team.
Proof of life and communications with captors: These are conducted exclusively through the K&R consultant. No company employee, family member, or communications professional should attempt direct contact with captors outside this channel. This is both an operational security principle and a legal consideration – in some jurisdictions, direct engagement with hostage-takers outside an authorised negotiation framework creates criminal liability.
The “No Ransom Policy” question: Some organisations have a publicly stated no-ransom policy. Whether to invoke this publicly during an incident, and when, is a judgement that the K&R consultant makes in context. A blanket public statement that a company will not pay ransom, made during an active incident involving an employee, may communicate a posture that harms the victim without meaningfully reducing the organisation’s long-term exposure.
For the operational crisis management framework that runs in parallel with communications, see our corporate crisis management and security incidents guide.
Regulatory Disclosure Obligations
Regulatory disclosure is a parallel track that does not pause because an incident is operationally sensitive. Failing to meet disclosure obligations while managing an active security incident is a common outcome for organisations that have not pre-planned the integration.
UK GDPR – Personal Data Breaches: Under Article 33 of UK GDPR, if a security incident results in a personal data breach (the loss of, destruction of, or unauthorised access to personal data), the organisation must notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. The notification does not need to be complete – a partial notification with an indication that more information will follow is permitted. But the 72-hour clock starts running from awareness of the breach, not from the moment the incident occurred. If a physical security incident (an intrusion, a theft of personnel records, an office evacuation) results in personal data being compromised, the data breach obligation is live from the point at which the organisation becomes aware of that compromise.
US SEC Cybersecurity Disclosure: For US-listed companies, the Securities and Exchange Commission’s Cybersecurity Disclosure Rules (effective from December 2023) require that material cybersecurity incidents be disclosed via Form 8-K within 4 business days of determination of materiality. The question of what constitutes “material” is a legal determination, but the SEC guidance makes clear that incidents affecting the company’s financial position, reputation, or ability to continue operations are within scope.
Critical National Infrastructure (CNI) notification: UK operators of CNI are subject to the Network and Information Systems (NIS) Regulations 2018, which require notification to the relevant competent authority for incidents that have a significant impact on the continuity of services. This applies beyond the cybersecurity context – a physical security incident that disrupts a CNI operator’s service provision may trigger notification.
The integration challenge: The 72-hour GDPR clock and the 4-business-day SEC clock are rigid. They impose timelines that may conflict with an ongoing sensitive security response. The resolution is pre-planning: organisations that have decided, in advance, how they will meet regulatory disclosure requirements without compromising operational security will handle this conflict more effectively than those deciding under pressure.
Internal Staff Communications
Staff communications during an active security incident serve two distinct purposes: accurate information prevents panic-driven behaviour, and continuity communications ensure the organisation continues to function.
The single-channel, timed-update approach is the baseline model: a message to all staff – sent by a designated senior lead, not by a general communications system – that covers what is known, what staff should do (or continue doing), and when the next update will come. The update should be kept to facts. Speculation, incomplete information, and detail that could compromise operational security should all be excluded.
Go / no-go messaging for physical premises: If the incident involves a physical threat to a premises – an evacuation, a lockdown, or a nearby incident that affects the building – the internal communications protocol must include a clear go or no-go instruction, with the specific action required (remain in place / evacuate via designated route / do not enter the building). Ambiguous messaging that leaves staff to make their own judgements creates inconsistent outcomes and potential injury.
Next of kin communications: For incidents involving specific identified individuals (a kidnap victim, an injured employee, a missing person), next of kin communications must be managed separately and directly – by a designated HR or People lead, with the support of the company’s Employee Assistance Programme provider. Next of kin should not receive information about the incident through general staff communications.
Managing Social Media During an Active Incident
Social media is the primary communications risk in most modern security incidents. Staff who mean well, family members in shock, witnesses to an event, and journalists monitoring corporate social media accounts can all publish information that compromises the response.
There is no mechanism to prevent this entirely. But the company can manage its own platforms and brief its staff. During an active incident:
- The company’s social media accounts should go to a neutral status – no posts, or a minimal acknowledgement that the company is aware of a situation and will update when more information is available.
- Staff should receive an internal briefing that explicitly asks them not to post on social media about the incident. This request will not be universally respected, but a documented briefing creates a basis for addressing violations.
- Media monitoring should be activated to track coverage and identify any social media posts that are materially damaging to the response. The K&R consultant or crisis management lead can decide what, if any, action to take in response.
Post-Incident Communications
The end of an active security incident opens a new communications phase that requires its own planning.
Return to normal communications: The transition from crisis silence to normal organisational communications should be managed, not allowed to happen organically. Staff, investors, partners, and media will all want to know what happened, what the company is doing differently, and what the current status is for affected individuals.
Regulatory closing notifications: Where regulatory disclosures were made during the incident, closing notifications or updates are typically required. The ICO, for example, expects a follow-up with the completed breach assessment once initial notification is made.
Psychological support announcement: For incidents affecting staff directly, a public announcement of the psychological support resources available (counselling, EAP referral, line manager support) is both a genuine duty of care measure and a communications act that demonstrates the organisation’s posture toward affected employees.
Lessons learned – not publicly: The post-incident internal review is not a public communications exercise. Lessons learned should be documented internally, used to improve protocols, and not shared publicly in ways that reveal security gaps or create new legal exposure.
For the kidnap prevention and response framework that runs in parallel with communications management, see our kidnap and ransom risk guide for corporate travel.
Sources
Control Risks: K&R Crisis Response and Communications Guidance (2024).
Kroll: Crisis Management and Kidnap Response Best Practice (2024).
UK GDPR Article 33: Notification of a Personal Data Breach (retained from EU GDPR, 2018).
ICO: Guide to Personal Data Breach Notification (2024).
SEC: Cybersecurity Disclosure Rules – Release No. 33-11216 (2023).
NIS Regulations 2018 (Network and Information Systems).
Business Continuity Institute: Good Practice Guidelines – Crisis Communications (2024).
ISO 22301:2019: Business Continuity Management Systems.
Bernstein Crisis Management: The 10 Steps of Crisis Communications (2024).
ICRC: Media Relations in Hostage Situations – Operational Guidance.
UK Cabinet Office: Emergency Communications Handbook (2024).
James Whitfield is a Senior Security Consultant with 20 years of experience in corporate security, crisis management, and K&R response programme design across high-risk environments globally.
Key takeaways
The K&R consultant controls communications, not the press office
In a kidnap situation, the default is media silence. The K&R consultant – not the communications lead, not the CEO, not the family – determines what is communicated, to whom, and when. This chain of authority must be agreed and documented in the crisis management plan before an incident occurs, not negotiated during one.
Regulatory disclosure and operational security can conflict – plan for both
GDPR's 72-hour notification requirement and the SEC's 4-business-day Form 8-K rule are legal obligations that do not pause because an incident is operationally sensitive. Organisations that have not pre-planned how to meet regulatory disclosure obligations without compromising an ongoing security response will face both legal and operational failures simultaneously.
A single spokesperson prevents contradictory statements
Multiple spokespersons in a security crisis produce contradictory statements. Contradictory statements produce media follow-up, requests for clarification, and speculation that fills the information gap. The single spokesperson protocol – one named person for all external communications, all others directing enquiries to that person – is non-negotiable during an active incident.
Social media by family members or staff can compromise a kidnap response
Social media posts identifying the victim, speculating about ransom, or detailing family location are documented factors in K&R incident deterioration. The family communications protocol must include specific guidance on social media silence during the incident. This is an operational requirement, not a courtesy.
Post-incident communications require as much planning as crisis response
The end of an active security incident does not end the communications requirement. Return-to-work messaging, psychological support announcements, regulatory closing notifications, and investor/partner updates all require planning. Post-incident communications that are handled poorly can undermine recovery and damage the trust built during the crisis response.
