This is written for the CEO, the General Counsel, and the board. The technical team has their own playbook. Yours is about the decisions only you can make, in the 48 to 72 hour window where the trajectory of the incident — including its financial and regulatory cost over the next two years — gets set.
Hour 0-4: Assemble the Command Team
A breach is handled by a small, tight group. Too many people in the room means slow decisions and leaks. Seven seats:
- Incident Commander — usually the CISO or designee. Runs the operational response.
- General Counsel (or breach counsel from outside) — owns privilege, legal risk, regulatory strategy.
- CEO — makes the calls counsel cannot make alone: ransom, disclosure timing, resource authorization.
- CFO — cyber insurance, bond impact, financial disclosures.
- Head of Communications — external messaging, under counsel guidance.
- Head of HR — employee communications, leave/support for affected staff.
- Board chair or lead director — informed in real time, not briefed after the fact.
Everyone else gets information on a need-to-know basis. Meeting cadence: every 4 hours for the first 48, then daily.
Hour 0-6: The Three Non-Negotiable Calls
- Breach counsel. Even if you have a strong GC, specialist breach counsel (BakerHostetler, Mullen Coughlin, McDonald Hopkins, Orrick, etc.) brings muscle memory you do not build in-house. Have counsel, not the company, retain the forensic firm: that structure is what supports a privilege claim over the investigation. It is not a guarantee. Courts have ordered forensic reports produced when the engagement looked like ordinary business, so keep the privileged workstream separate from routine operations and route the report to counsel, not to the whole organization.
- Cyber insurance carrier. Policies require prompt notice, and many specify a window as short as 24-72 hours; late notice can reduce or void coverage. The carrier will steer you to its approved panel of IR firms and breach counsel, and work done by an off-panel vendor without the carrier's consent may not be reimbursed.
- Board chair. Do not wait for the next regularly scheduled update. For a public company this conversation feeds directly into the Form 8-K materiality analysis and Regulation FD obligations, and the board needs to be informed in real time for the governance record to hold up later.
Hour 6-24: The Decisions Only You Can Make
Should We Pay a Ransom?
You, with counsel, with the insurance carrier, and only after an OFAC sanctions screening. Not the IR vendor. Not the CISO alone. Key questions:
- Is the actor, the wallet, or the jurisdiction subject to OFAC sanctions? OFAC has warned that paying a sanctioned party can trigger civil penalties on a strict-liability basis, meaning you can be liable even if you did not know who you were paying. Attribution is rarely certain, so counsel and the IR firm screen the SDN list and the payment address before any payment is considered. OFAC licenses are available only in narrow circumstances, and early reporting to and cooperation with law enforcement counts as a mitigating factor.
- Do working decryptors already exist? Check the No More Ransom project (nomoreransom.org) and ask your IR firm before negotiating.
- Are your backups viable, and how long does reconstitution take? Compare that cost, including downtime, against the ransom plus the residual damage you will carry even if you pay.
- Does paying actually improve your position? A purchased decryptor is often slow or partial, and the "we paid and still got leaked" rate is not zero. Counsel and your IR firm have data on this actor's track record; ask for it.
When to Disclose Publicly
For a public company, the SEC Form 8-K Item 1.05 four-business-day clock starts when you determine the incident is material, not when you detect it. The rule also requires that determination to be made without unreasonable delay after discovery, so the materiality analysis is itself part of the record. This gives counsel runway to do the analysis properly. Do not rush. Do not delay unreasonably. The only delay mechanism in the rule is a written determination by the U.S. Attorney General that disclosure would pose a substantial risk to national security or public safety, which is not something to plan around.
State breach-notification laws have their own clocks for notifying affected residents and, in many states, the attorney general (commonly 30-60 days once affected individuals are identified; some states simply say "without unreasonable delay"). GDPR requires notice to the supervisory authority within 72 hours of becoming aware of a breach involving EU data subjects, and notice to the individuals themselves without undue delay if the risk to them is high. Sector rules stack on top: HIPAA (no later than 60 days), NYDFS Part 500 (72 hours), and others depending on your industry. Counsel should keep a single notification matrix listing every clock, its trigger event, and its owner.
What the First Statement Says
The first external statement, whenever it comes, should be:
- Accurate — say only what you are certain of.
- Bounded — "we are investigating" is a fact; "it was a nation-state actor" is a lawsuit.
- Empathetic — name the impact on customers, employees, partners.
- Actionable — tell people what to do: change passwords once the attacker has been evicted (credentials rotated while the intruder still has access are simply captured again), monitor credit, and expect phishing that uses news of the breach as its lure.
Counsel drafts. Communications polishes. The CEO signs. Nobody else speaks on the record.
Hour 24-48: Stakeholder Management
Tailor the message to the audience. One central fact set, multiple deliveries.
- Employees: all-hands with Q&A, reassurance about the company's trajectory, clear guidance on what to do with their own credentials and devices.
- Customers: for B2B, direct calls from account executives with talking points. For B2C, an email plus FAQ page. A call center if the population is large.
- Partners and vendors: a tailored note from the partner-owner. They may have contractual notification obligations of their own.
- Regulators: counsel handles. Keep updates flowing, but remember that what you send a regulator is not privileged, so counsel controls every document that leaves.
- Investors and analysts: Reg FD applies. Counsel coordinates with IR.
Hour 48-72: The Governance Record
Litigation, regulatory action, and shareholder suits that follow breaches often turn on one question: did the board and management exercise appropriate oversight? The answer lives in your documented decision trail.
- Contemporaneous board briefing materials.
- Meeting minutes showing the questions asked and answered.
- Documentation that material decisions (ransom, disclosure timing, customer remediation) were made with appropriate advice.
- Preservation of all incident artifacts (logs, disk images, tickets, chat channels, negotiation transcripts) under a litigation hold issued at counsel's direction in the first days, not after the first demand letter arrives.
This is what protects the board and the officers individually if the case goes anywhere.
What Executives Get Wrong Most Often
- Delegating the ransom decision to the CISO. That is your call, not theirs.
- Telling the story before the facts are firm. "It was only 10,000 customers" becomes "it was actually 2 million" and that is the headline.
- Over-talking on investor calls. Stay tight until facts are firm.
- Firing the CISO publicly in the first week. Almost always premature and always a bad signal to the rest of the security community.
- Promising "this will never happen again." It will. Promise that you learned and improved.
The first 72 hours set the tone for the next two years. Slow down. Rely on the people you hired for exactly this moment. Let counsel drive the process. Your job is not to have the answer in hour one — your job is to make sure the right answer gets made on the right schedule.