Quick Answer
In the first 48 hours after a data breach is discovered, your board presentation must do four things: confirm what is known, be honest about what is not yet known, set out the immediate containment steps, and give the board a clear timeline for the next update. Structure and calm matter as much as content — your board will judge your organisation’s competence partly by how well you present under pressure.
Jump To
Priya had been Chief Communications Officer for six years. She had handled product recalls, leadership transitions, and a difficult regulatory inquiry. None of it prepared her for what happened on the Tuesday morning when the IT security lead called her at 5:47 AM.
Thirty-six hours later, she was standing in front of the full board of a mid-size financial services firm. In her hand was a single printed page — a holding statement drafted by Legal, cautious to the point of saying almost nothing. The board chair’s first question was blunt: “How many customer records were accessed?” Priya didn’t know. The forensic team hadn’t finished. The incident was still live.
What she did next — and how she structured that conversation without a single prepared slide — shaped how the board perceived her firm’s response for months afterwards. She had one chance to demonstrate that the organisation was in control, even when the situation was not. The problem was not a lack of information. It was the absence of a framework for presenting with incomplete information under acute pressure.
Presenting in a crisis requires structure — especially when everything feels uncertain
The Executive Slide System gives you a clear framework for structuring high-stakes presentations — including the kind where you’re expected to project calm authority before you have all the answers. It’s built for executives who need to communicate credibly under pressure.
Why the First Communication Is the Most Important Presentation You’ll Ever Give
When a data breach becomes known inside an organisation, a clock starts running. It is not just the regulatory clock — though that matters enormously, particularly under UK GDPR, which requires notification to the Information Commissioner’s Office within 72 hours of becoming aware of a breach that poses a risk to individuals. There is also a credibility clock.
Your board, your leadership team, your regulators, and eventually your customers will form their initial judgement of your organisation’s competence based heavily on how you communicate in the first two days. The quality of your actual response matters, of course. But the perception of that response — shaped almost entirely by how you present it — can either reinforce or undermine confidence in everything that follows.
This is not a comfortable truth. Most organisations invest heavily in incident response plans, cyber insurance, and forensic retainers. Very few invest equivalent effort in preparing their senior communicators to stand in front of a board and speak clearly and credibly when the information is fragmentary and the pressure is extreme.
The first board communication after a breach does several things simultaneously. It establishes the facts as currently understood. It demonstrates that the organisation has a response structure and is following it. It sets expectations for what will be known, and when. And — critically — it positions the leadership team as the source of authoritative information, rather than allowing rumour, speculation, or press reports to fill the vacuum.
Boards that lose confidence in their leadership during a crisis often point not to the breach itself — breaches happen, and most directors understand this — but to the communication. Evasiveness, over-qualification, contradictory information given at different meetings, and a failure to give the board a clear picture of what is being done: these are the things that damage trust. A structured, honest, well-presented briefing — even when it contains significant gaps — is almost always received better than one that appears to be withholding.
Understanding board presentation best practices in non-crisis contexts will help you build the muscle memory you need before a crisis arrives. The same principles — clarity, hierarchy of information, a single clear ask — apply under pressure, but they are significantly harder to execute when the room is tense and you have been awake for 30 hours.
What Your Board Needs Before the Public Statement Goes Out
Before any external statement is issued — whether to regulators, customers, or the media — your board needs to have been briefed. This is not merely good governance, though it is that. It is also essential for ensuring that board members are not blindsided by information they should have had first.
The board briefing prior to a public statement needs to cover a specific set of information, delivered in a specific order. Getting the sequence right matters because it affects how the board processes what you are telling them.
Start with what you know for certain. State the nature of the incident as you currently understand it. When was it discovered? By whom? What systems or data appear to have been affected? Resist the temptation to speculate about cause or extent until you have information to support those statements. The board will respect precision over comprehensiveness at this stage.
Be explicit about what you do not yet know. This is the section most presenters instinctively want to minimise, and it is precisely the section that builds the most credibility when handled well. “We do not yet know how many customer records were accessed — the forensic team expects to have an initial figure by [date]” is far more credible than a vague answer that implies you are holding something back. Name the unknowns. Give the timeline for resolving them. Assign ownership.
Describe the immediate containment steps. What has been done in the hours since discovery? Systems isolated, credentials reset, external forensic support engaged, legal counsel notified — give the board a concrete picture of activity. This is what demonstrates that the organisation is responding, not simply reacting.
Outline the regulatory position. Under UK GDPR, the 72-hour notification window applies where the breach is likely to result in a risk to the rights and freedoms of individuals. Your board needs to know where you are in that window, what decision has been made about notification, and who is responsible for that communication. If your Data Protection Officer or external legal counsel has been engaged, say so.
Set out the communication plan. Who will be notified, in what order, and by when? Your board should not be guessing at whether customers have already been told. The communication sequence — board first, then regulator, then affected individuals if required, then broader disclosure if needed — should be clear and documented.
Give the board a specific next touchpoint. When will they receive the next update? What will that update contain? “We will reconvene at 9am Thursday with a full forensic assessment and a draft regulatory notification for board review” is a sentence that closes a briefing with authority. It tells the board you have a plan, and it gives them a concrete anchor point for the next conversation.
If you present governance updates to your board regularly, the structure here mirrors the approach outlined in this guide to governance update presentations: lead with what the board needs to act on, be precise about risk, and give them a clear forward view.
Structure Your Crisis Presentation Before the Crisis Arrives
The Executive Slide System gives you the slide frameworks, narrative guides, and AI prompt cards to build high-stakes presentations with confidence — so when the pressure is highest, your structure is already in place.
- Ready-to-use slide templates for executive and board-level presentations
- AI prompt cards to develop your narrative quickly under time pressure
- Framework guides for structuring complex, sensitive messages clearly
- Designed for senior leaders who need to communicate with authority at short notice
The Four Slides You Need in the First 48 Hours
When time is short and information is incomplete, the instinct is often to either over-prepare (producing a lengthy deck that buries the key messages) or under-prepare (walking in with nothing, hoping to talk through it). Neither serves the board well.
A first 48-hour data breach presentation should be short, structured, and honest about its own incompleteness. Four slides — used well — is the right length for this briefing. Here is what each slide should contain.
Slide 1: Situation Summary
One headline sentence describing the incident. Date and time of discovery. Systems or data categories believed to be affected. Current status of the incident (contained, partially contained, ongoing). This slide should take under two minutes to present. It is the anchor for everything that follows.
Slide 2: Known / Not Yet Known
A simple two-column layout. On the left: what is confirmed. On the right: what is under investigation, with the expected timeline for clarity. This is the most important slide in the deck. It demonstrates intellectual honesty, shows that the investigation is structured and progressing, and prevents the board from drawing conclusions based on incomplete information. Do not pad the “known” column. Boards are experienced enough to spot it.
Slide 3: Immediate Response Actions
A chronological list of the steps taken since discovery — systems isolated, external forensic firm engaged, legal counsel notified, ICO notification window tracked, customer communications team on standby. Each action should have an owner and, where relevant, a timestamp. This is your evidence that the organisation is not in panic mode. It shows structure and accountability.
Slide 4: Next Steps and Communication Plan
Who will be notified, in what order, and by when. The date and format of the next board update. Any decisions the board needs to make today — and only decisions the board genuinely needs to make today. This slide should close with a single clear statement of what you are asking the board to do or approve. If you need nothing from them at this stage other than awareness, say that explicitly.
For guidance on how to structure executive-level communication more broadly, the framework in this guide to executive presentation structure applies directly to crisis briefings — particularly the principle of leading with the decision or action required rather than the background narrative.
Presenting With Incomplete Information
The hardest part of any crisis presentation is not knowing what to say. It is knowing how to say what you do not know in a way that preserves credibility and maintains the trust of the room.
Most senior executives are trained — formally or culturally — to have answers. Walking into a board meeting without full information feels like a failure, even when it is simply the reality of an ongoing incident investigation. The instinct to compensate by over-qualifying, hedging every sentence, or filling gaps with speculation is understandable. It is also counterproductive.
There is a significant difference between “We don’t know” (which sounds like confusion) and “We don’t yet know, and here is how and when we will find out” (which sounds like control). The second formulation is almost always available, and almost always more effective. Every gap in your knowledge should be accompanied by a timeline and an owner. This is not spin — it is accurate representation of how incident investigations actually work.
Your physical presence matters in this room, particularly given the emotional atmosphere that typically surrounds a breach disclosure. The board will be watching closely — not just for what you say but for whether you appear in command of the situation. How you use eye contact during a high-pressure presentation can significantly affect how your message lands: deliberate, calm eye contact signals authority, while rapid or avoidant eye movement can read as evasiveness even when you are being entirely transparent.
Handling questions you cannot answer is a distinct skill. A direct, simple response is always better than a lengthy deflection. “I don’t have that figure yet — I expect to have it by Thursday morning, and I’ll update you immediately when I do” is a complete answer. It respects the question, is honest about the limitation, and commits to a specific action. It does not require you to apologise for the gap.
Be careful with language that inadvertently implies certainty you do not have. “It appears that no financial data was accessed” means something very different from “We have confirmed that no financial data was accessed.” The former is appropriate early in an investigation. The latter should only be used when it is true. Boards — and regulators — will notice the distinction.
One further practical note: keep a record of what you said in each board session during a live incident. As information develops and your briefings evolve, you need to be able to demonstrate that your communications were consistent and that any changes to your position were driven by new evidence, not by a desire to manage perception.
The Executive Slide System includes frameworks and AI prompt cards specifically designed to help you build a clear, structured presentation quickly — useful when you have very little time and very high stakes.
The Regulatory Notification Presentation
Where a breach is notifiable to the ICO — or, in a cross-border incident, to multiple data protection authorities — there is often a secondary presentation requirement: briefing the board on the regulatory notification before it is submitted, and in some cases briefing regulators directly.
The board briefing prior to regulatory notification is structurally similar to the initial crisis briefing but with an additional dimension: the board needs to understand and, in most organisations, formally note or approve the decision to notify. This meeting should not be the first time the board hears the details of the breach. It should be the meeting at which they receive the full picture and confirm the regulatory approach.
Your presentation at this stage should include a summary of the forensic findings to date; the legal basis for the notification decision; the proposed content of the notification (or the notification itself, if complete); any customer communication that will accompany or follow the regulatory notification; and the proposed timeline for all of the above.
Where regulators themselves request a direct briefing — which is more common in sectors such as financial services and healthcare — the communication principles are similar but the audience is different. Regulators are interested in the facts, your assessment of harm to data subjects, the steps taken to contain and remediate the breach, and the measures being put in place to prevent recurrence. Tone matters: calm, factual, and forward-looking is almost always more effective than defensive or apologetic.
The structure of the data breach presentation you give to regulators should follow the same logical flow as your board presentations: situation, response, forward plan. Regulators are experienced with breaches and will assess your organisation’s competence in part by how well you understand and can articulate your own incident. A disorganised, inconsistent, or clearly improvised presentation will raise concerns that go beyond the incident itself.
Finally, consider the sequencing carefully. In most cases the correct order is: board first, then regulator, then affected individuals (if required under UK GDPR Article 34), then broader disclosure if applicable. Deviations from this sequence — particularly if the board learns about a regulatory notification from the ICO rather than from their own leadership team — can cause lasting damage to the relationship between board and management that outlasts the incident itself.
When the Stakes Are Highest, Structure Is Everything
Clarity under pressure is a skill — and like any skill, it is built in advance. The Executive Slide System gives you the tools to structure a compelling, credible executive presentation quickly, whether you have two weeks to prepare or two hours.
Frequently Asked Questions
How long should a board data breach presentation be in the first 48 hours?
At this stage, shorter is almost always better. A four-slide deck covering the situation summary, the known and not-yet-known, the immediate response actions, and the next steps and communication plan is the right length for a first 48-hour briefing. The goal is clarity and control, not comprehensiveness. The board will have questions — leave time for those. A presentation that runs for 40 minutes before questions are allowed creates frustration in an already pressured room.
What should I say when the board asks a question I cannot yet answer?
Answer directly, without hedging or over-qualifying. A simple format works well: “I don’t have that information yet. We expect to have it by [specific date/time], and [named person] is responsible for that part of the investigation. I’ll update the board as soon as we do.” Resist the temptation to speculate or to soften the uncertainty with language that implies more knowledge than you have. Boards respond well to honest precision and poorly to evasion, even well-intentioned evasion.
Do I need slides for a crisis presentation, or can I present verbally?
Slides are strongly advisable, even in a crisis — particularly for a board audience. They give the board a visual anchor, ensure consistency of information across multiple attendees, and create a record of what was presented and when. A brief, well-structured deck signals preparation and control. If slides genuinely cannot be produced in time, a one-page written summary distributed before the meeting achieves some of the same benefit. Presenting entirely verbally in a high-stakes crisis briefing places significant demands on your delivery and makes it harder for the board to retain and act on the information.
Get practical executive communication advice, weekly
The Winning Edge is a short, practical newsletter for senior leaders who want to communicate with more clarity and confidence — in the boardroom, in crisis moments, and in every high-stakes conversation in between. No fluff. No filler. Just ideas you can use.
Not ready for the full system? Start here instead: download the free Executive Presentation Checklist — a one-page framework for structuring any high-stakes board presentation.
About the author: Mary Beth Hazeldine is a presentation coach and the founder of Winning Presentations. She works with senior leaders and executives on how to communicate with clarity and authority in high-stakes environments — including board briefings, regulatory meetings, and crisis situations. She is the creator of the Executive Slide System and writes The Winning Edge newsletter.