Originally published March 2024. Updated June 2026. EPR Editorial Team.
Cyber crisis communications run on a regulatory clock — the SEC's 2023 cybersecurity disclosure rule requires public companies to report material cyber incidents within four business days. State breach notification laws layer on top. GDPR's 72-hour window applies for EU citizen data. Threat actors increasingly weaponize the communications response itself — naming victims publicly, leaking stolen data on cycle, and extorting through public pressure. The cases from 2017 onward — Equifax, SolarWinds, Colonial Pipeline, MOVEit, MGM Resorts, Change Healthcare — define the modern playbook.
The disclosure clocks
SEC cybersecurity disclosure rule (December 2023). Public companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality. The rule reshaped the cyber crisis response timeline for every public company.
State breach notification laws. All 50 states have breach notification statutes with varying definitions of personal information, varying notification windows (often 30–60 days), and varying regulator notification requirements. California (CCPA/CPRA), New York (SHIELD Act), and Massachusetts are among the most demanding.
GDPR Article 33. 72 hours from awareness to notify the lead supervisory authority for breaches affecting EU citizen personal data.
HHS HIPAA Breach Notification. 60 days for individual notification, plus HHS notification, plus prominent media notification for breaches affecting 500+ individuals.
CISA reporting (CIRCIA, 2025–2026 rulemaking). Critical infrastructure cyber incident reporting to CISA on accelerated timelines once final rules take effect.
The cases that shaped the modern playbook
Equifax (2017). ~147 million consumer records exposed. The communications response failed structurally — delayed disclosure, a confusing dedicated response site, executive stock sales prior to disclosure that drew SEC scrutiny, and a CEO departure. The Equifax case is still cited in 2026 as the canonical example of how not to handle cyber crisis disclosure.
SolarWinds (December 2020). The Russian SVR supply-chain compromise affecting approximately 18,000 customers including U.S. federal agencies. SolarWinds' response combined technical transparency with sustained customer communication. The October 2023 SEC enforcement action against SolarWinds and its CISO, alleging misstatements about cybersecurity practices, opened a new front in cyber disclosure litigation.
Colonial Pipeline (May 2021). DarkSide ransomware shut down the pipeline supplying 45% of East Coast fuel. Colonial paid approximately $4.4 million in Bitcoin (most subsequently recovered by DOJ). The response combined operational shutdown disclosure, federal agency coordination, and CEO Joseph Blount's eventual congressional testimony.
MOVEit (June 2023). The Cl0p ransomware group exploited a MOVEit Transfer zero-day, compromising data from thousands of organizations worldwide — government agencies, financial institutions, healthcare systems, educational institutions. The case anchors third-party software vendor cyber crisis doctrine.
MGM Resorts (September 2023). Scattered Spider social-engineered MGM's helpdesk to compromise the casino operator's systems. MGM publicly refused to pay; operations were disrupted for approximately 10 days at properties including the Bellagio, ARIA, MGM Grand, and Mandalay Bay. Estimated impact ~$100 million. MGM's response — public refusal to pay, transparent operational communication — became one of the more-cited 2023 cases.
Change Healthcare (February 2024). The ALPHV/BlackCat ransomware attack on the UnitedHealth-owned Change Healthcare disrupted prescription processing across U.S. pharmacies for weeks. UnitedHealth disclosed paying $22 million ransom. The case anchors the intersection of cyber crisis and healthcare regulatory crisis (HIPAA notifications, HHS reporting, the eventual data exposure affecting an estimated 100M+ individuals).
How modern cyber crisis communications operate
The first 72 hours. Most regulatory clocks fire inside the first 72–96 hours. Pre-incident preparation determines whether the response window holds: incident response retainer, outside counsel coordination, forensic vendor relationships, regulatory liaison plans, and pre-drafted disclosure templates. The companies that prepare in peacetime execute in wartime.
Threat actor public pressure. Ransomware groups now operate communications strategies of their own — naming victims on leak sites, publishing sample stolen data, releasing extortion demands on cycle. Victim communications have to anticipate threat actor publication as part of the disclosure timeline. The "we have not paid the ransom" framing (MGM Resorts) versus the "we paid" framing (Colonial Pipeline, Change Healthcare) each produces different downstream consequences.
Coordinated regulator engagement. SEC, FBI, CISA, state attorneys general, sector regulators (OCC for banks, HHS for healthcare, FCC for telecom). The communications response has to coordinate across regulators with calibrated messaging while meeting overlapping disclosure clocks.
Customer and employee communication at scale. Cyber crises typically affect customers, employees, business partners, and shareholders simultaneously. Pre-built customer communication infrastructure, employee internal communications, and partner notification protocols compress the response window.
Capital-markets coordination. Public-company cyber crises affect stock price during the disclosure window. Investor relations, sell-side analyst communications, and credit-spread implications all run during the same window as customer and regulatory communications.
The patterns that produce worse outcomes
Delayed disclosure beyond regulatory clocks. Executive stock activity in proximity to incident discovery (the Equifax pattern). Misstatements about cybersecurity practices prior to incident (the SolarWinds SEC enforcement template). Confusing or weaponizable consumer response sites (the Equifax dedicated site). Inconsistent disclosure language across SEC filings, customer communications, and press statements. Executive absence from the response window.
What is the SEC cybersecurity disclosure rule?
December 2023 rule requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality. Reshaped cyber crisis response timelines for every U.S. public company.
What was the Equifax breach?
2017 compromise exposing ~147M consumer records. The response failed structurally — delayed disclosure, confusing dedicated response site, executive stock sales prior to disclosure drawing SEC scrutiny, CEO departure. Still cited as the canonical example of how not to handle cyber crisis disclosure.
What was the SolarWinds compromise?
December 2020 Russian SVR supply-chain compromise affecting ~18,000 customers including U.S. federal agencies. October 2023 SEC enforcement against SolarWinds and its CISO opened a new front in cyber disclosure litigation.
What was the Colonial Pipeline ransomware attack?
May 2021 DarkSide ransomware shut down the pipeline supplying 45% of East Coast fuel. Colonial paid ~$4.4M in Bitcoin (most subsequently recovered by DOJ). CEO Joseph Blount testified before Congress.
What was the MGM Resorts cyberattack?
September 2023. Scattered Spider social-engineered MGM's helpdesk. Operations disrupted ~10 days at Bellagio, ARIA, MGM Grand, Mandalay Bay. Estimated impact ~$100M. MGM publicly refused to pay.
What was the Change Healthcare cyberattack?
February 2024 ALPHV/BlackCat ransomware on UnitedHealth-owned Change Healthcare. Disrupted U.S. prescription processing for weeks. UnitedHealth disclosed $22M ransom payment. Data exposure affected an estimated 100M+ individuals.
What's the typical regulatory clock for a cyber incident?
SEC: four business days from materiality determination. GDPR: 72 hours from awareness for EU data. HIPAA: 60 days for individual notification plus HHS. State laws: typically 30–60 days, variable. CISA reporting on accelerated timelines once CIRCIA rules finalize.