Holding Statement - Cyber Crisis Communications
A holding statement is a pre-approved short communication used during the early hours of an incident to acknowledge awareness without committing to facts that may change. Holding statements buy time for investigation while satisfying the public, customer, employee, and regulator demand for acknowledgement. They are a core artifact of cyber crisis communications and should exist in template form before any incident occurs.
What a Good Holding Statement Contains
- Acknowledgement: we are aware of the issue
- Action: we are investigating, taking steps, working with experts
- Empathy: we recognize the impact on those affected
- Update commitment: when and how the next update will come
- Channel: where authoritative information will be published
Good holding statements deliberately avoid claims about scope, cause, attribution, or impact. Wrong facts in early statements are worse than no facts; they are quoted forever and undermine trust when revised.
When to Use Holding Statements
Use holding statements when the demand for communication exceeds the available facts. This is the normal state in the first 4 to 24 hours of any major incident. Holding statements should exist in pre-approved template form for the highest-likelihood incident types (ransomware, data exposure, outage, third-party breach) so that the response team can deploy them within minutes rather than draft from scratch.
Approval and Privilege
Holding statements should be approved through the incident commander, legal counsel, communications lead, and (for material incidents) the CEO or designated executive. Once published, they become a public record. Treat the drafting and approval chain as a privileged process where possible, but the published statement itself is not privileged.