After an incident, your first public statement (a factual statement, not a scripted public relations piece) is either a seatbelt or a spark. It can protect your security posture and reduce harm, or it can multiply it.
Mission-driven orgs feel pressure from every direction at once following a cybersecurity incident. The board wants confidence. Funders want reassurance. Clients and community partners want safety. Staff want clarity. Reporters want details. In that squeeze, vague language and overly confident claims backfire fast, because people can feel when you’re guessing.
Truth discipline is the simple practice at the core of this post-incident public statement checklist, and it is what keeps you credible: say what you know, say what you don’t know yet, and say what you’re doing next (with dates). This is a practical checklist you can use to draft a first statement quickly, without turning it into a PR spin exercise, and it belongs in your incident response plan as a key component.

Key takeaways: post-incident public statement checklist (credibility plus harm reduction)
- Facts first: deliver a situation report with confirmed basics; avoid theories and blame.
- Confirm scope: name what systems or channels are involved, at a high level.
- Name the data: in your data breach notification, specify what types of information may be affected, if known.
- Say what you’re doing: outline your containment strategy, investigation, and support actions.
- Tell people what to do now: only the steps that fit the risk.
- Give a contact path: one email and one phone line (with hours), plus the communication channels where updates live.
- Commit to updates: promise a public report with a clear cadence (example: next update in 72 hours), then keep it.
Before you speak: the truth discipline rules that protect credibility
A good statement doesn’t start with writing. It starts with decision rights.
In the first hour, rumors fill the gaps you leave open. If staff don’t know what to say, they’ll ad-lib. If leadership sounds certain and later walks it back, trust takes a real hit. Research on breach response and trust restoration points to a consistent theme: credibility grows when people see timely, consistent, evidence-based communication instead of overconfident messaging (see this open-access study on restoring public trust after a data breach crisis).
Truth discipline also protects your team. It creates a safe boundary: you don’t need perfect answers yet, but you do need clear labels for what’s confirmed to manage perceptions of incident severity.
Separate facts, assumptions, and promises (and label them)
Use a simple three-bucket method. Write your draft in three columns (even if it’s just in your head).
Facts (confirmed): What you can prove right now through evidence gathering.
Example phrases:
- “We confirmed unauthorized access to…”
- “We discovered the issue on [date]…”
- “We have reset credentials for…”
Unknowns (still investigating): What you don’t know yet, and how you’re finding out.
Example phrases:
- “We are still investigating whether files were accessed…”
- “We don’t yet know the full timeframe…”
- “We’re working with outside experts to confirm…”
Promises (time-bound): What you will do next, and when.
Example phrases:
- “We will provide an update by [day/time]…”
- “We will notify affected individuals directly as we confirm contact details…”
- “We will publish FAQs on [webpage]…”
Two phrases to treat like live wires: “no impact” and “fully resolved.” Don’t use them unless you can defend them with evidence, and you’re prepared for follow-up questions.
Choose a spokesperson and align internal stakeholders first
One voice, one message. That doesn’t mean one person does all the work. It means you pick a spokesperson, then align the people who hold facts and risk.
At minimum, loop in: incident lead, IT lead, legal counsel, program lead (client impact), donor relations (communications with external stakeholders such as funders), and a board point person when appropriate. Governance tools and board readiness matter here, because reputational risk and cyber risk are tied together (BoardEffect has a helpful overview of cybersecurity and managing reputational risk for mission-driven organizations).
This alignment supports business continuity by enabling rapid internal communication. A short internal alignment checklist:
- What staff can say (one or two approved sentences).
- Where questions go (a single inbox and internal triage owner).
- What to stop doing: no side explanations in Slack, email, or hallway chats.
- How updates get approved (one owner, one backup, fixed turnaround time).
The statement checklist: what to include, what to avoid, and how to say it clearly
You can draft a first statement for a security breach in 30 to 60 minutes if you keep it tight. Think of it like a courthouse sign: plain language, no drama, clear directions.
A workable flow:
- Open with the confirmed event and your priority (safety and service continuity).
- Share minimum timeline and systems involved.
- Explain who may be affected and what data types are in scope (or not yet known).
- List what you’ve done and what happens next (with dates).
- Give immediate harm reduction steps.
- Provide support contacts and update cadence.
Two mini examples to keep your wording honest:
- Risky sentence: “We contained the incident and no client data was accessed.”
- Better sentence: “We contained the activity we identified and are investigating whether client data was accessed. We’ll share what we confirm by Thursday at 5 pm ET.”
- Risky sentence: “This was a sophisticated attack.”
- Better sentence: “We’re still conducting root cause analysis. We’ll share what we learn once it’s confirmed.”
What happened, when you found it, and what systems were involved
Start with what you can confirm, in one to three sentences.
Include:
- Discovery date (when threat detection identified it).
- What you currently understand happened (unauthorized access to privileged accounts, phishing, vendor issue, misconfiguration).
- High-level systems involved (email, case management system, donor database), without posting a how-to guide for attackers.
Be careful with timelines. The discovery date is not always the incident start date. If you don’t know the start date, say that, and say how you’re determining it.
Avoid jargon. “We experienced a cybersecurity incident” is fine only if you add a plain label when safe: “phishing email,” “compromised account,” “third-party vendor issue.”
Who is affected and what data was involved (be specific, do not speculate)
People need specifics to protect themselves. If you’re not specific, they’ll assume the worst.
Common data types to name when relevant:
- Names, addresses, email addresses, phone numbers
- Dates of birth, Social Security numbers
- Donor records and payment details
- Case notes, documents, and confidential communications
Use “we have no evidence” only when it’s true, and say what you checked. Example: “We reviewed access logs for X system and found no evidence of downloads during Y period.” If you haven’t checked yet, don’t imply you did.
For legal nonprofits, add a safety lens while addressing regulatory requirements: client confidentiality can be life safety, not just privacy. If disclosure could increase harm (example: survivors, immigration cases), coordinate language with counsel and advocates, and share protective steps without exposing client identities.
What you have done so far, what recovery steps come next, and when you will update
This is where calm action reduces panic.
Concrete actions you can often name:
- Disabled affected accounts, forced password resets
- Enabled or expanded MFA
- Segmented systems, rotated keys, removed unknown forwarding rules
- Engaged forensic investigation or your vendor’s incident team
- Coordinated with law enforcement if appropriate
Add an update cadence line that you can keep: “Next update within 72 hours, then weekly until this investigation closes.” Say where updates will live (a dedicated webpage works well).
Don’t overpromise root cause or full containment early. If you’re still learning, say so, then commit to dates.
How people can protect themselves right now (harm reduction steps)
Keep this short, and match it to the data in scope.
A menu of options (choose only what fits):
- Reset passwords for affected accounts, enable MFA
- Watch for phishing that references your org, don’t click unknown links
- Place a fraud alert or freeze credit if SSNs or DOBs may be involved
- Contact your bank if payment data may be involved
- Verify court-related communications through known numbers
If the impact is broad, set up a staffed help channel. A quiet, well-run support line can prevent a thousand angry inbox threads.
Support and contact details that reduce panic and call volume
Make it easy to get help, and easy to route questions correctly.
Include:
- Dedicated email address and phone line, with hours
- Mailing address for formal requests
- A short FAQ page
- Accessibility and language support (what’s available, how to request it)
- Media inquiry routing (one email address, one spokesperson)
If you don’t offer a channel, people will create one for you, usually in public.
After you publish: updates, corrections, and FAQs that keep trust intact
The first statement is a starting line. Trust comes from follow-through, including a post-incident review.
Set a rhythm your team can sustain. Post updates even when the update is “we’re still investigating, here’s what we did this week.” Silence reads as avoidance.
If you don’t already have a crisis communications plan, it’s worth building a simple one while things are calm (Qgiv’s primer on how nonprofits can build a crisis communication plan is a good starting point).
How to issue a correction without sounding defensive
Fast corrections beat slow perfection.
A simple correction template:
- What changed: “We previously stated X. We now know Y.”
- Why it changed: “New evidence from audit trail, forensics, interviews…”
- What you’re doing now: “We expanded the review to…”
- Acknowledge impact: “We’re sorry for the worry this causes, and we’ll keep sharing confirmed updates.”
FAQs leaders should be ready for (board, funders, clients, press)
Prepare answers grounded in your technical debrief (which explains why details take time to confirm), your lessons learned (for preventing future incidents), and your vulnerability management plan (for long-term prevention).
- “Was my information exposed?”
- “What should I do today?”
- “Why did it take time to share details?”
- “Are services still available?”
- “What are you doing to prevent this again?”
- “Are you offering credit monitoring?”
- “Was a vendor involved?”
- “How can I get updates?”
Conclusion
When you’re under pressure, truth discipline is a leadership practice, not a writing trick. It reduces harm, protects the mission, and preserves credibility with the people you serve.
Turn this post-incident public statement checklist into a one-page incident response plan template now, before the next incident. Then run a tabletop exercise so roles, approvals, and update cadence are already settled.
If intake, handoffs, and reporting already feel like a daily scramble, a security breach will hit even harder. Schedule a clarity call to strengthen incident response, communications readiness, and employee training. Which single chokepoint, if fixed with lessons learned, would unlock the most capacity and trust next quarter?