Boards & CEOs Ransomware Series #9: Steering the Crisis Story with Solid Holding Statements
In the first few hours of a ransomware attack, it’s not just systems that are under pressure—it’s your entire organization’s credibility. The emails start rolling in. Staff want clarity. Customers want reassurance. Regulators expect updates. And the media? They’re already drafting headlines.
In that moment, what you say—or choose not to say—can shape the entire crisis narrative.
That’s why holding statements matter.
A holding statement is your organization’s first official response during a cyber crisis. It’s a short, composed message that acknowledges the incident, assures stakeholders that you’re investigating, and commits to sharing updates as information becomes available. It doesn’t reveal every detail, and it should not assert anything the investigation has not yet confirmed (for example, that no data was taken), because a claim you later have to retract does more damage than saying nothing. But it shows leadership, control, and transparency. And more importantly, it buys you time.
When Silence Speaks Louder (and Not in a Good Way)
Let’s be clear: silence is rarely neutral during a major cyber incident like ransomware. In the absence of information, people will fill the void with speculation—and speculation spreads fast. One poorly worded comment, or worse, complete silence, can cause more damage to trust than the breach itself.
Just look at what happened to Equifax, a major U.S. credit reporting agency and a prime example of a company whose crisis communication failures escalated a data breach into a far larger crisis. In 2017, Equifax suffered a massive data breach that exposed the personal information of approximately 147 million people. It was not a ransomware attack, but the crisis dynamics were the same.
Equifax’s communication missteps turned the breach into a larger crisis. The company delayed public disclosure for over a month, which fueled perceptions of secrecy and eroded trust among consumers, regulators, and investors. When Equifax did communicate, its messaging was criticized as vague and inadequate: the initial public statement downplayed the severity, calling the incident a “cybersecurity incident” rather than a breach, which confused and frustrated stakeholders.
On the other hand, organizations that communicate early, even with limited detail, tend to retain more trust. They come across as responsible, transparent, and in control—even if all they say is, “We’re aware of the issue, we’ve activated our response team, and we will provide updates soon.”
The Power of a Pre-Approved Holding Statement
Here’s the part many organizations miss: your holding statement shouldn’t be something you draft under pressure at 2 a.m. It should already exist.
It should be:
Pre-approved by both legal and PR teams.
Aligned with regulatory requirements.
Flexible enough to be tailored to specific situations.
Having this ready means your comms team can move fast, without second-guessing or tripping over legal reviews during crunch time. Think of it like a pause button for the crisis—it doesn’t solve the incident, but it stabilizes the narrative while your teams work behind the scenes.
Board and CEO Oversight
Let’s be honest—board members and CEOs don’t usually write or deliver these statements themselves. But your job is to ensure the organization is prepared.
That means:
Ensuring clear spokespersons are assigned in advance.
Confirming that holding statements are written, approved, and ready to go.
Supporting crisis communication tabletop exercises to rehearse the flow and messaging under pressure.
In the early hours of a ransomware attack, your first words don’t just inform—they set the tone. They can help calm employees, retain customer trust, and signal to regulators that you’re on top of it. Or, if mishandled, they can add fuel to an already growing fire.
Final Takeaway: Prepare Now, Communicate Calmly Later
A solid holding statement won’t stop a ransomware attack—but it can stop chaos from spreading.
So here’s the question for the boardroom and CEOs today:
Do we have pre-approved, legally reviewed holding statements ready for use in a ransomware event?
Do we know who’s speaking, how fast we can issue a message, and how we’ll manage the flow of information in the critical early hours?
When systems are down, one calm, well-timed message can keep trust intact. And that trust is worth more than any ransom.
That’s all for this week!
Cheers,
Siva