TL;DR
- Issue immediately. Do not wait for perfect information. A quick statement with facts is better than a delayed one.
- Be direct. "We experienced a security breach" is better than "a technical incident occurred."
- Separate facts from investigation. Say "we have confirmed X" and "we are investigating Y."
- Describe your response. What have you done, what is happening now, when will you update next.
- Get legal approval, but do not let legal hedge the statement so much that it loses credibility.
When to use this template
Use this template when you are responding to a crisis that has become public or is about to become public. This includes security breaches, product outages, data loss, employee or customer injuries, legal actions, scandals or product failures. You have basic facts (what happened, how many people affected, what you are doing about it). You do not yet have a full root cause analysis or a complete timeline, and that is okay. Issue this statement immediately and commit to follow-up statements at clear intervals.
The copy-paste template
Replace the bracketed fields with your facts. Keep the structure: acknowledgment, facts, investigation status, your response, next steps, contact. This is the format journalists and the public expect when a crisis occurs.
FOR IMMEDIATE RELEASE
{COMPANY_NAME} Statement on {INCIDENT_TYPE}
{CITY}, {COUNTRY}, {MONTH} {DAY}, {YEAR} at {TIME} {TIMEZONE} - {COMPANY_NAME} experienced {INCIDENT_DESCRIPTION} that affected {AFFECTED_PARTY_AND_SCOPE}. The incident occurred from {START_TIME} to {END_TIME} {TIMEZONE} on {DATE}. We apologize for the impact on {AFFECTED_PARTY}.
We have confirmed the following facts:
- {FACT_1}
- {FACT_2}
- {FACT_3}
We are currently investigating {INVESTIGATION_ITEM_1} and {INVESTIGATION_ITEM_2}. We will provide a detailed incident report within {TIMEFRAME}.
Immediate actions we have taken:
- {ACTION_1}
- {ACTION_2}
- {ACTION_3}
What we are doing now:
- Our engineering and security teams are {CURRENT_ACTION} around the clock.
- We have activated incident response protocols and engaged {EXTERNAL_SUPPORT} to assist with the investigation.
- Affected customers can contact our dedicated support line at {SUPPORT_CONTACT} or {SUPPORT_EMAIL}.
Our commitment:
We take full responsibility for this incident and are committed to resolving it quickly and preventing recurrence. We will issue the next update on {UPDATE_TIMELINE}. We will continue to communicate transparently as we learn more.
For media inquiries:
{MEDIA_CONTACT_NAME}, {TITLE}
{COMPANY_NAME}
{MEDIA_EMAIL}
{MEDIA_PHONE}
For customer support:
{SUPPORT_CONTACT}
{SUPPORT_EMAIL}What this template includes
- Direct acknowledgment of the incident type (breach, outage, etc.) and affected parties.
- Clear facts: scope, duration, impact, customer numbers.
- Transparent investigation status: what is confirmed, what is being investigated.
- Actions taken (deployed fix, notified law enforcement, isolated systems).
- Current response efforts (24/7 support, investigation timeline, external assistance).
- Commitment to resolution and next update timeline.
- Media contact and customer support contact clearly separated.
How to customize in 5 steps
- Gather the facts. Know: what happened (the incident), when it happened (start time, duration), who it affected (customer count, data scope), and what you are doing (investigation underway, fixes deployed, customer support available). Do not speculate on cause. Separate known facts from investigation status.
- Write a clear acknowledgment. Start with "We experienced a {incident type} that {affected who/what}. We apologize." Be direct and factual. Do not use marketing language or hedge. "We experienced a security breach that affected 10,000 customer accounts" is stronger than "a technical issue impacted some users."
- State the facts, not the investigation. Include: duration of incident (9:30 AM to 11:15 AM PT on April 15), scope (customers in North America, data accessed, financial impact if known), confirmation of severity. Say "We have confirmed {fact}" and "We are investigating {unknown}." Separate what you know from what you are still determining.
- Describe what you are doing. What actions have you taken (deployed fix, isolated systems, notified law enforcement)? What is happening now (investigation ongoing, customer support available, incident review in progress)? Commit to a timeline for next update (within 6 hours, within 24 hours, within one week).
- Close with commitment and contact. Reaffirm your commitment to resolving the issue and protecting customers (or employees, or partners). Provide direct contact info for media and affected customers. Schedule follow-up statements at clear intervals (6 hours, 24 hours, weekly until resolved).
3 examples in the wild
Real crisis statements from companies that handled the communication well:
- GitHub (2022) - Outage: GitHub issued a crisis statement within the first 30 minutes of the outage. It named the incident type (service degradation), confirmed the scope (all GitHub.com services), stated what they were doing (investigating root cause, monitoring recovery), and committed to hourly updates. This transparency reduced panic and customer churn.
- Okta (2023) - Security breach: Okta issued a clear statement confirming that a security breach had occurred, that attackers had accessed certain customer support data, and that they had engaged law enforcement and a forensics firm. The statement was factual, not speculative, and did not minimize the incident.
- Amazon AWS (2020) - Outage: AWS issued updates every few hours as the outage progressed. Each statement updated facts, confirmed what was resolved and what was still in progress, and committed to a post-incident review. This pattern of frequent, honest updates built trust even during a major incident.
Common mistakes to avoid
- Speculation about cause. Do not say "we believe the breach was caused by {theory}" when you do not yet have evidence. Say "we are investigating the root cause."
- Minimizing the incident. Do not say "a small number of users were affected" when you mean "10,000 customer records were accessed." Be direct about scope.
- No action plan. Do not acknowledge the problem and say nothing about what you are doing. Describe immediate actions, current efforts and next steps.
- Vague timeline for next update. Do not say "we will update you soon." Say "we will issue the next update on April 16 at 6 AM PT."
- Blaming external parties without evidence. If you suspect the incident was caused by a third party (vendor, platform provider), investigate before claiming it publicly.
- Over 300 words. Long crisis statements feel hedged or evasive. Aim for one page with the key facts and your commitment. Save detailed analysis for the post-incident report.
Related templates
- Series A announcement press release template
- Product launch press release template
- Executive hire press release template
- How to distribute a press release after you write it
Frequently asked questions
When should I issue a crisis statement?
Issue immediately when the incident becomes public or when you have confirmed facts. Do not wait for perfect information. A statement with facts and an acknowledgment sent in the first 30 minutes is more credible than a polished statement sent after a delay.
What should I say about the cause of the crisis?
Do not speculate. If you do not know the root cause yet, say "we are investigating" or "we do not yet know the root cause." Once you have facts, share them. Speculation or false statements made in the first statement will be challenged by journalists and will damage your credibility more than the original crisis.
Should I apologize in a crisis statement?
Yes, if the incident is your fault (outage, security breach, product failure). Apologize clearly and without hedging. "We apologize for the outage" is better than "we regret any inconvenience." If the incident is not your fault (third-party platform outage affecting you), express empathy but do not apologize for something you did not cause.
How long should a crisis statement be?
Keep it under 300 words. One page: acknowledgment (what happened), facts (scope, duration, impact), what you are doing (investigation, fixes, customer support), and commitment (timeline for resolution). Get legal approval before sending, but do not let legal make the statement so hedged that it loses credibility.
What if I do not have all the facts yet?
Publish what you know and commit to a timeline for updates. Say "We are investigating and will provide a full update within 24 hours" or "We will issue a detailed incident report within one week." Transparency and commitment to communication are credible even when facts are still being gathered.
Should I name internal people responsible in the crisis statement?
No. The crisis statement is not the place for blame or internal accountability. Say "We take full responsibility" or "Our engineering team is working around the clock," not "John Smith failed to deploy the security patch." Deal with internal accountability separately.
Crisis communication at scale
A crisis statement is the first step. The second step is getting it to every relevant journalist, customer and stakeholder as quickly as possible. PressPilot ships AI drafting for crisis statements, a verified journalist database of 50,000 plus contacts and immediate distribution channels. Start free and have a template ready before crisis strikes.