Author, sign off, and export crisis comms with receipts.
23 attorney-shape templates spanning holding statements, customer breach letters, regulator notifications, public statements, internal updates, and board briefs. Privilege chain. Hash-chained signoffs. Watermarked sample exports. You author. You send from your own domain. IR-OS never touches delivery.
Card required, cancel anytime before day 7 · 30-day money-back guarantee
Four pillars
Each pillar is what is missing in a Slack-thread + Confluence + email crisis comms workflow today.
23 templates across 6 jurisdictions
Holding, breach letters, SEC 8-K, GDPR Art 33, HIPAA HHS, NY DFS, state AG, board briefs. Each cited to its rule.
Legal, Comms, Executive signoffs all hash-chained
Every signoff captures sha256 of the exact wording approved. Privileged drafts marked structurally.
PDF + DOCX with full provenance
Sample templates carry a SAMPLE watermark. Clone + edit drops the watermark. Every export logged on chain.
IR-OS never delivers external comms
Your DKIM. Your recipient list. We hand you the document. You and counsel decide who gets it.
What a SAMPLE export looks like
When you use a system template directly, the exported PDF and DOCX carry a diagonal SAMPLE watermark on every page. The watermark is a deliberate friction signal: it nudges you to clone the template into your own library, edit it with your facts and counsel review, and only then export a clean version for filing or sending.
Once cloned and edited, the watermark drops. The disclaimer footer remains on every export, regardless. The export itself is logged on the incident hash chain - you can hand a regulator both the document and the /verify URL that proves the document was approved at a specific time by specific named signers.
Item 1.05 Material Cybersecurity Incidents
On {{detection_date}}, {{company_name}} (the "Company") detected a cybersecurity incident affecting {{affected_systems}}.
Based on the information available as of the date of this filing, the Company has determined that this incident is reasonably likely to materially affect, or has materially affected, the Company.
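A minimal sketch of the hash-chained signoff idea described above, added here as an example and not IR-OS's own code: each signoff records the sha256 of the exact wording and the hash of the previous entry, so an edited entry or an export that differs from the approved text is detectable. The field names, canonical-JSON hashing, signers and draft text are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry
ROLES = ("Legal", "Comms", "Executive")  # signoff roles named on the page

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(entry: dict) -> str:
    # Canonical JSON over every field except the hash itself.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def append_signoff(chain, role, signer, signed_at, wording):
    entry = {"seq": len(chain), "role": role, "signer": signer, "signed_at": signed_at,
             "content_sha256": sha256_hex(wording.encode("utf-8")),
             "prev_hash": chain[-1]["entry_hash"] if chain else GENESIS}
    entry["entry_hash"] = entry_hash(entry)
    chain.append(entry)

def verify_chain(chain, exported_wording, expected_head=None):
    """Return a list of problems; an empty list means the export is covered."""
    problems, prev, approved = [], GENESIS, set()
    want = sha256_hex(exported_wording.encode("utf-8"))
    for i, e in enumerate(chain):
        if e.get("seq") != i or e.get("prev_hash") != prev:
            problems.append(f"entry {i}: broken link")
        if entry_hash(e) != e.get("entry_hash"):
            problems.append(f"entry {i}: entry altered")
        if e.get("content_sha256") == want:
            approved.add(e.get("role"))  # signoff covers exactly this wording
        prev = e.get("entry_hash")
    # The head hash must be held outside the log, or truncation goes unnoticed.
    if expected_head is not None and prev != expected_head:
        problems.append("head mismatch: log truncated or rewritten")
    problems += [f"{r}: no signoff on exported wording" for r in ROLES if r not in approved]
    return problems

# Constructed sample data: two draft revisions and four signoffs.
DRAFT_V1 = "On 2024-01-01, Example Corp detected a cybersecurity incident."
DRAFT_V2 = DRAFT_V1 + " The investigation is ongoing."

def sample_chain():
    chain = []
    append_signoff(chain, "Legal", "gc@example.com", "2024-01-02T09:00:00Z", DRAFT_V1)
    append_signoff(chain, "Legal", "gc@example.com", "2024-01-02T11:00:00Z", DRAFT_V2)
    append_signoff(chain, "Comms", "comms@example.com", "2024-01-02T11:20:00Z", DRAFT_V2)
    append_signoff(chain, "Executive", "ceo@example.com", "2024-01-02T11:45:00Z", DRAFT_V2)
    return chain
```

Verifying the export against `DRAFT_V1` reports Comms and Executive as missing, because their signoffs cover only the later wording.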
All 23 templates, by category
Each template includes merge fields, citation to the source rule, and notes on jurisdictional variants. Templates are reference materials only - have qualified counsel review every external communication before it is sent or filed.
Holding statements (6)
First-pass acknowledgments when scope is unknown. Internal and external variants.
| Template | Audience | Citation | Use when |
|---|---|---|---|
| Generic cyber incident - internal | Internal | NIST SP 800-61 Rev. 2 | Security event declared, scope unknown |
| Ransomware - external | External | CISA IR Playbook | Confirmed or suspected ransomware |
| Suspected data breach - external | External | NIST SP 800-61 Rev. 2 | Active investigation, exposure possible |
| Third-party / supply chain - external | External | CISA SCRM Guidance | Vendor compromise being assessed |
| BEC / wire fraud - internal | Internal | FBI IC3 BEC Guidance | Confirmed business email compromise |
| OT / ICS event - internal | Internal | CISA ICS-CERT | Industrial control / OT environment hit |
Customer breach letters (5)
Notification letters to affected individuals. Counsel adapts for state-specific language.
| Template | Jurisdiction | Citation | Use when |
|---|---|---|---|
| US state breach notification - general | CA / NY / MA | Cal. Civ. Code 1798.82 | Multi-state breach affecting US residents |
| GDPR Article 34 - high risk | EU | GDPR Article 34 | Personal data breach with high risk to subjects |
| HIPAA Breach Notification | US Healthcare | 45 CFR 164.404 | Unsecured PHI breach affecting individuals |
| NY DFS Part 500 - individual notice | NY Financial | 23 NYCRR Part 500 | Cybersecurity Event affecting nonpublic info |
| PCI DSS - cardholder notification | Payment cards | PCI DSS v4.0; PFI program | Payment card data may be compromised |
Public notifications (4)
| Template | Channel | Length | Use when |
|---|---|---|---|
| Status page banner | Status page | ~50 words | Top-of-page notice during active incident |
| Press statement - initial | Press | ~150 words | First-day media-facing statement |
| Social media post | X / LinkedIn | ~30 words | Acknowledgment + link to full statement |
| Customer email - mass | | ~200 words | Plain-text body for customer mass mail |
Regulator notifications (4)
| Template | Authority | Citation | Deadline |
|---|---|---|---|
| SEC Form 8-K Item 1.05 | SEC | 17 CFR 229.106 | 4 business days from materiality |
| GDPR Article 33 - DPA notice | EU DPA | GDPR Article 33 | 72 hours from awareness |
| HIPAA HHS - 500+ individuals | HHS OCR | 45 CFR 164.408 | 60 days from discovery |
| State AG - California | CA AG | Cal. Civ. Code 1798.82(f) | 500+ CA residents affected |
Internal & board (4)
| Template | Audience | Privilege | Use when |
|---|---|---|---|
| Employee all-hands brief | Employees | Standard | Day-of detection, contain rumor |
| Board emergency brief | Board | Attorney-client | First 24 hours, 2-min readability |
| Executive talking points (Q&A) | Spokesperson | Attorney-client work product | Briefing CEO before any external comm |
| Privileged legal update | GC + IR core | Attorney-client work product | Counsel update on legal status + clocks |
Why we never deliver
Every other crisis comms tool pushes toward integrated delivery. They want to send the email, post to your status page, push the SMS. We deliberately do not. Three reasons:
- DKIM and reputation belong to the subscriber. A regulatory notification email failing SPF/DKIM/DMARC because it was sent from a third-party domain is its own incident.
- The recipient list is a legal decision. Who exactly receives a customer breach notification, in what order, with what attachment, is a decision for the subscriber and outside counsel - not a feature in a platform.
- IR-OS staying out of the delivery chain keeps it out of the disclosure record. If we never send the email, we cannot be subpoenaed for what we sent, when, to whom. Less platform risk; cleaner subscriber control.
The disclaimer is real and enforced
Every user, on first visit to the Crisis Communications surface in IR-OS, must accept the template disclaimer (sha256 of the text plus version is recorded with their acceptance). The disclaimer is restated as a banner on every page in the surface. The disclaimer footer rides along on every PDF and DOCX export, on every page, regardless of whether the SAMPLE watermark applies. The full text is at app.ir-os.com/legal/crisis-comms-disclaimer.
Plain language: these templates are reference materials. They are not legal advice. Have qualified counsel review every external communication before it is sent or filed. We disclaim all warranties. We are not liable for damages arising from your use of these templates.
Run a real draft against your own incident in 7 days.
Start the trial. Pick a template. Clone it. Edit it. Run it through the privilege chain. Export the PDF. Hand the verify URL to your GC and ask if it looks defensible. We think you will be able to answer that question in under an hour.