Bulldog Reporter

When crisis strikes: The art of responsible cybersecurity communications
By Rhys Merrett | July 8, 2025

The rise in high-profile cyber incidents, such as those recently involving Marks & Spencer and Adidas, has revealed much about best practice in transparency and speed-to-action. However, such breaches have also brought forward a key learning for the wider communications industry, specifically those catering to cybersecurity services: it is not just the brands affected that face reputational risks. Other cybersecurity vendors and their PR teams are increasingly being put under the microscope for how they position themselves when the headlines break.

There is often a natural impulse to add to an ongoing narrative after a breach, be it to issue commentary, offer expertise, or showcase how similar threats can be prevented through continuous threat exposure management. But for those representing cybersecurity firms, these moments must be handled with precision and principle. Getting it wrong can quickly blur the line between credible expert and opportunist.

When an incident occurs, a cybersecurity firm has two options from a PR perspective. The first is not to comment. The second is to offer constructive commentary on the incident. This can be a tricky exercise. The firm needs to strike the right balance in timing, tone and intention so that its commentary contributes meaningfully to the conversation.

Integrity over immediacy  

When commenting in relation to a public cyber breach, misstatements lead to more than reputational damage and have the potential to become legal liabilities or the cause for regulatory scrutiny. When a cyber breach makes headlines, it is rare for the full facts to be available in the first 24 to 40 hours, which makes immediate commentary especially risky.  

It is key that any thought leadership offered in the wake of a cyber breach steers clear of speculation, assigning blame or offering premature solutions to a problem, the details of which are hazy. Missteps like these undermine credibility and risk becoming outdated or outright inaccurate. In light of this, the best counsel that PR professionals can offer their cybersecurity clients is to never issue a public comment that they cannot stand by were it to be replayed, quoted or scrutinised six months down the line. Integrity in crisis communications starts with restraint because while speed matters, it should never override the need for accuracy and accountability.  

Before making any public comment, it’s essential to ensure that legal, compliance, technical, and communications teams are aligned. Incorrect public statements can trigger regulatory scrutiny or breach contractual obligations. PR professionals should establish clear protocols around who can speak, what approval processes are needed, and under what conditions commentary is appropriate. 

This internal rigour isn’t just about risk mitigation; it’s about credibility. When a vendor’s message appears rushed or contradictory, it undermines their authority. Consistency, caution, and clarity are the pillars of effective post-breach communication.

Empathy driving trust 

Cybersecurity experts are uniquely placed to contribute to the public understanding of major cyber breaches. However, expertise must be framed with care and a certain level of emotional intelligence.

Even as technical failures, cyber breaches affect real customers, employees and sometimes even vulnerable groups. As people sort through the consequences of such breaches, such as theft of personal and payment information, it is crucial that cybersecurity services lending insight into the situation, including identity theft protection services, are mindful of this impact. More than a matter of tone, communicating with empathy is a clear signal of company values, which positions a cybersecurity firm not only as an expert in the field, but also as a trustworthy, responsible partner with genuine care for clients and stakeholders. By contrast, cybersecurity firms that rush to publish commentary that jumps straight into attack vectors or threat analysis, without first acknowledging the real-world consequences, risk coming off as detached or transactional.

This distinction becomes even more critical when separating meaningful thought leadership from thinly veiled marketing. In the wake of a breach, the role of public commentary is not to promote a brand’s latest solution or highlight client successes. These moments demand sector-wide reflection, not opportunistic positioning. 

This doesn’t mean cybersecurity firms should remain invisible. Rather, their visibility must be purposeful. Contributing informed, ethics-led commentary on systemic vulnerabilities, industry-wide lessons, or evolving threat landscapes provides genuine value. When firms frame discussions around collective responsibility rather than individual capability, they foster trust and demonstrate professional maturity. 

Reframing industry conversations 

Breaches dominate headlines, but they also create an opportunity to reframe public discourse around the broader challenges in cybersecurity. PR professionals can guide their clients to use these moments to talk about the need for regulatory reform, the ethics of data protection, or the importance of cross-sector collaboration. 

This long-view approach helps shift the focus away from the incident itself and toward the structural improvements the industry must make. It also positions the brand as a responsible actor, more interested in driving progress than gaining quick exposure. 

The crucial insight, however, is foundational: credible crisis communication is not improvised. Companies that consistently demonstrate experience through transparency, education and genuine expertise become the voices that are favoured during critical moments like a cyber breach, while others might find themselves relegated to the sidelines.

For communications professionals, this reality demands a fundamental shift in strategy. Client public profiles need to be anchored in substance rather than spin. When a crisis strikes, there is no opportunity to manufacture credibility overnight. This makes the objective clear: to be recognised as the established and reliable voice that is already in the room, rather than as someone scrambling to join the conversation after the fact.

The preparation imperative  

Cybersecurity has expanded beyond its technical domain into a reputational one. As breaches become more frequent and more visible, the pressure on cybersecurity firms and their communications teams to engage responsibly has never been greater.

For communications teams, the strategy must extend past messaging to include factors such as timing, sector fluency and knowing when to say ‘not yet’ or even ‘not now’. Handled well, cybersecurity communications can build credibility, shape public understanding, and demonstrate leadership under pressure. But it starts with one simple rule: showing up for the right reasons and in the right way.

Ultimately, the aim is to promote an industry that is seeking to protect businesses and consumers from cyber attacks that can cause serious damage. Agencies work with cybersecurity firms to further this goal, and adding constructively to a public conversation to generate better practice and awareness feeds into a longer-term goal: to protect and, ultimately, to reduce the risk of cybersecurity incidents occurring.

 

Rhys Merrett, Head of Technology, The PHA Group
