IR-OS Editorial Team. Published May 18, 2026. 10 min read. Free, ungated, CC BY 4.0.
Five attorney-shape holding statement templates for cyber incidents. Free, ungated, and released under Creative Commons Attribution 4.0. Clone, edit, route through Legal-Communications-Executive Sponsor signoff, and release from your own domain. These are starting points for a real response. Counsel review is required.
What this is not. These templates are not legal advice. They are publicly released starting points to be reviewed by qualified breach counsel and approved by Legal, Communications, and the Executive Sponsor before release. Vague but accurate beats specific but wrong. Never include unconfirmed facts, threat-actor attribution, exact data classes, numerical counts, or remediation commitments until material facts are established and counsel has cleared them.
When to use: hours 0 to 24 of a confirmed incident, before materiality determination, when public awareness is forming or imminent. Acknowledges the event without committing to facts that are not yet confirmed.
[Organization name] is investigating a cybersecurity matter that we identified on [date]. We engaged independent forensic experts and our outside counsel promptly upon discovery. We have notified law enforcement and our insurance carrier consistent with our incident response procedures.
At this time we are continuing to assess the scope and impact of the matter. We will provide further updates as we are able to confirm facts. The investigation is ongoing.
We take the security of our systems and the trust of our [customers, employees, members, patients] seriously, and we are working diligently to complete our investigation and to communicate clearly as material facts become known.
For inquiries: [press contact name, email]
Approval chain. Legal (signoff) -> Communications Lead (signoff) -> Executive Sponsor (signoff). Capture each signoff in your incident record with timestamp and identity.
When to use: within four business days of materiality determination by an SEC registrant under 17 CFR 229.106. Outline only - exact language must be drafted by securities counsel.
Item 1.05 Material Cybersecurity Incidents.
On [date], [Registrant Name] (the "Company") determined that the cybersecurity incident first identified on [discovery date] is material under Item 1.05 of Form 8-K.
Nature, scope, and timing. The Company [describe nature: unauthorized access, ransomware, data exfiltration, etc.] affecting [describe affected systems or data, without disclosing technical detail that aids ongoing threat actors]. The Company identified the incident on [date] and engaged third-party forensic experts and outside counsel. The Company [contained, is containing, has remediated] the incident as of [date].
Material impact or reasonably likely material impact. The Company has determined that the incident [is likely to have / has had / is reasonably likely to have] a material impact on its [financial condition, operations, customers]. [Quantitative impact estimates where determinable, including disclosed financial loss ranges, operational disruption, customer-facing impact.] The Company maintains cyber insurance and is working with its insurer regarding coverage. The Company expects to incur additional expenses related to the incident, including legal, forensic, and remediation costs.
The Company is continuing to assess the incident and will amend this filing under Item 1.05 to the extent required by Form 8-K. The investigation is ongoing.
Approval chain. Outside securities counsel (drafting and signoff) -> General Counsel (signoff) -> Disclosure Committee (review) -> CFO / CEO (signoff) -> Board notification before filing. The materiality determination itself must be documented with timestamp.
When to use: within 72 hours of becoming aware of a personal data breach. Filed with the lead supervisory authority. If filed late, must include reasons for the delay.
Personal Data Breach Notification - GDPR Article 33
To: [Lead Supervisory Authority]
From: [Controller Name and contact details], [Data Protection Officer name and contact]
Date of awareness: [date and time]
Date of this notification: [date and time]
[If late: Reasons for delay: [explanation]]
1. Nature of the breach. [Describe what happened: unauthorized access, accidental disclosure, ransomware, etc. Include type of breach (confidentiality, integrity, availability) and the affected systems or processing operations.]
2. Categories and approximate numbers of data subjects concerned. [Customers, employees, contractors, patients, members. Estimated count or estimation methodology if not yet final.]
3. Categories and approximate numbers of personal data records concerned. [Identification data, contact data, financial data, health data, special categories under Article 9, children's data. Estimated count.]
4. Likely consequences of the breach. [Risk to rights and freedoms of data subjects: financial fraud, identity theft, discrimination, reputational harm, loss of confidentiality of professional secrecy.]
5. Measures taken or proposed. [Containment actions, forensic investigation engaged, law enforcement notified, third-party notifications, anticipated Article 34 notification to data subjects if high risk.]
6. Cross-border element. [Other Member States affected, anticipated notifications to other supervisory authorities.]
Signed: [Data Protection Officer or designated controller representative]
Approval chain. Data Protection Officer (drafting) -> Legal (signoff) -> Controller designated representative (signoff). For multi-jurisdiction breaches, coordinate with lead supervisory authority under Article 56.
When to use: without unreasonable delay and no later than 60 days from discovery of a breach of unsecured Protected Health Information under 45 CFR 164.404.
[Date]
[Affected Individual Name]
[Address]
Notice of Data Breach
Dear [First Name],
We are writing to notify you of a data breach that may have involved your personal information. We take the security of your information seriously and we are providing this notice and offering support resources as detailed below.
What happened. On or about [date], we [describe nature of breach: discovered unauthorized access, were notified of a data exfiltration, etc.]. We promptly engaged outside forensic experts, notified law enforcement, and began investigating the scope of the incident.
What information was involved. Based on our investigation to date, we believe the information that may have been involved includes [specific categories: name, address, Social Security number, date of birth, medical record information, treatment information, health insurance information, financial account information]. [If credit-card data was involved, note explicitly.] [If Social Security Numbers were involved, note explicitly.]
What we are doing. We have [containment actions taken]. We have engaged [forensic firm name] to assist with our investigation. We have notified law enforcement and are cooperating fully with their investigation. We have also notified the U.S. Department of Health and Human Services as required by law.
What you can do. We recommend you remain vigilant and review your account statements and credit reports for any unusual activity. We are providing [credit monitoring service name] free of charge for [period, typically 12 to 24 months]. To enroll, please [instructions].
For more information. We have established a dedicated call center to assist you. Please call [phone number] between [hours]. You can also write to us at [address] or email [email].
We sincerely regret any concern this incident may cause you and assure you we are committed to safeguarding your information.
Sincerely,
[Signature, Title]
[Organization name]
Approval chain. Privacy Officer (drafting) -> Legal (signoff) -> Chief Compliance Officer (signoff) -> CEO or designated officer (signoff). If 500+ affected residents in any state or jurisdiction, also notify prominent media outlets and HHS Secretary contemporaneously with individual notice.
When to use: hours 12 to 36 of a confirmed incident when employee awareness is at risk of leaking externally and an internal communication is needed to set expectations and discipline.
Subject: Important update regarding a cybersecurity matter
To: All Employees
From: [CEO or designated executive sponsor]
Date: [date and time]
Team,
I want to share an update on a cybersecurity matter we are actively addressing.
What is happening. On [date] we identified [neutral characterization: a cybersecurity incident, suspicious activity, an unauthorized access event] affecting [scope at a high level - do not over-specify]. We engaged our incident response team, including outside forensic experts and counsel, and we are actively investigating.
What we are doing. Our team is following our incident response plan. We have engaged the appropriate external partners. We have notified our insurance carrier and, where required, law enforcement. We are coordinating with regulators consistent with our legal obligations.
What you need to do.
1. Continue your normal work. The investigation is being handled by the designated response team. If you have not been asked to participate, please do not investigate independently or attempt to remediate systems on your own.
2. Do not discuss this matter externally. This includes social media, LinkedIn, comments to friends or family, customer conversations, and partner communications. All external inquiries should be directed to [press contact] for media and [customer support contact] for customers.
3. If approached by a journalist or external party, do not respond. Direct them to [press contact email] and notify your manager.
4. Preserve potentially relevant materials. Do not delete emails, files, messages, or system records related to your work that may be relevant to the investigation. This applies to personal devices used for work as well.
5. Be cautious of phishing. Threat actors sometimes follow incidents with social-engineering attempts targeting employees. Verify any unusual request through a known channel before acting.
We will provide further updates as we are able. I know this is unsettling. The response team is doing the work that needs to be done, and we appreciate your patience and discipline while we complete the investigation.
If you have questions, please speak with your manager or contact [HR / dedicated incident inbox].
Thank you,
[CEO signature]
Approval chain. HR (drafting) -> Legal (signoff) -> Communications Lead (signoff) -> CEO or Executive Sponsor (signoff). For union environments, additional labor-counsel review may be required.
Clone before editing. Make a working copy in your own document system. Do not edit the public template directly.
Route through privilege. All edits should happen inside a privileged work product, with counsel of record. The platform you use should preserve attorney-client privilege structurally.
Fill in confirmed facts only. Brackets in the templates indicate where you insert organization-specific or incident-specific information. Do not insert unconfirmed claims.
Signoff chain. Legal, Communications, Executive Sponsor. Capture each signoff with timestamp and identity. In IR-OS this is captured at SHA-256 granularity automatically.
Send from your own domain. External delivery is the subscriber's responsibility. IR-OS does not send external communications. Use your own email infrastructure, your own regulator portal credentials, and your own outside counsel for filings.
Frequently Asked Questions
What is a holding statement in cyber incident response?
A holding statement is a pre-drafted communication issued in the early hours of a cyber incident to acknowledge an event, communicate the organization's response posture, and bridge to a more complete disclosure once material facts are confirmed. Holding statements buy time without admitting facts that are not yet established. They are written under privilege and approved by Legal, Communications, and the Executive Sponsor before release.
How is a holding statement different from a breach notification?
A holding statement is the early-stage, often pre-materiality-determination acknowledgment. A formal breach notification is the regulator-specific or law-mandated notice (SEC 8-K Item 1.05, GDPR Article 33, HIPAA, NY DFS, state breach laws) issued once material facts are confirmed and a determination triggers the relevant statutory clock. Most incidents require both: a holding statement in hours 0 to 24, then formal breach notifications as clocks fire.
Are these holding statement templates legal advice?
No. These templates are starting points to be reviewed and edited by qualified breach counsel familiar with the applicable regulators, the specific incident facts, the cyber insurance policy in force, and the organization's prior compliance posture. Templates do not substitute for counsel and should not be released without Legal, Communications, and Executive Sponsor approval.
Can I use and adapt these templates for my company?
Yes. These templates are released under Creative Commons Attribution 4.0 International (CC BY 4.0). Clone, edit, fill in your organization's specifics, route through Legal-Communications-Executive Sponsor signoff, and release from your own domain. Attribution to IR-OS is appreciated but not required for internal use.
What should a holding statement NOT include?
A holding statement should not include: specific attribution of the threat actor unless confirmed and counsel approved; exact data classes affected unless confirmed; numerical counts of affected individuals unless confirmed; commitments to remediation timelines unless feasible; legal admissions that could prejudice insurance recovery or litigation defense; or speculation about cause, scope, or impact. Vague but accurate beats specific but wrong.
Who approves a holding statement before release?
Typically Legal (General Counsel or outside breach counsel), Communications Lead, and the Executive Sponsor (CEO, CFO, or board-designated officer). In IR-OS the signoff chain is captured at SHA-256 granularity in the hash-chained event ledger so privilege is structural and the approval trail is defensible in subsequent regulatory or litigation review.
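The timestamped signoff capture described in the "Signoff chain" step above and in this answer can be made tamper-evident with a hash-chained record. The block below is an added illustration written for this page, not IR-OS's own code: it assumes a three-role chain in the page's order (Legal, Communications Lead, Executive Sponsor), a constructed sample statement, and placeholder identities and timestamps, and shows that an after-the-fact edit to a signed entry, a wrong signoff order, or a signoff over different statement text all fail verification.

```python
import hashlib
import json
# Required signoff order for a holding statement, taken from the page's approval chain.
REQUIRED_CHAIN = ("Legal", "Communications Lead", "Executive Sponsor")
GENESIS = "0" * 64  # hypothetical anchor value for the first entry's prev_hash

def entry_hash(prev_hash, entry):
    """SHA-256 over the previous entry's hash plus a canonical JSON encoding of this entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_signoff(ledger, role, identity, statement_text, timestamp):
    """Append one signoff that binds role, identity, time and the exact statement text."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    entry = {
        "role": role,
        "identity": identity,
        "timestamp": timestamp,  # ISO 8601 UTC string supplied by the caller
        "statement_sha256": hashlib.sha256(statement_text.encode()).hexdigest(),
        "prev_hash": prev_hash,
    }
    entry["hash"] = entry_hash(prev_hash, entry)
    ledger.append(entry)
    return entry

def verify_ledger(ledger):
    """Return (ok, reason): check hash links, same statement text for all signoffs, role order."""
    prev_hash = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev_hash or entry_hash(prev_hash, body) != entry["hash"]:
            return False, f"hash mismatch at entry {i}"
        if entry["statement_sha256"] != ledger[0]["statement_sha256"]:
            return False, f"entry {i} signed a different statement text"
        prev_hash = entry["hash"]
    roles = tuple(e["role"] for e in ledger)
    if roles != REQUIRED_CHAIN:
        return False, f"signoff order {roles} does not match {REQUIRED_CHAIN}"
    return True, "ok"
# Constructed sample statement; identities and timestamps below are placeholders.
STATEMENT = "Example Corp is investigating a cybersecurity matter identified on 2026-05-18."
def demo():
    """A complete chain verifies; an after-the-fact edit to a signed entry is detected."""
    ledger = []
    for role, who in zip(REQUIRED_CHAIN, ("gc", "comms", "ceo")):
        append_signoff(ledger, role, who + "@example.com", STATEMENT, "2026-05-18T09:00:00+00:00")
    before = verify_ledger(ledger)[0]
    ledger[0]["identity"] = "edited@example.com"  # simulate tampering with the Legal signoff
    return before, verify_ledger(ledger)
```

Each entry's hash also commits to the SHA-256 of the statement text, so a signoff cannot later be presented as approval of a different wording.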
How many holding statement templates does IR-OS provide?
IR-OS provides 23 attorney-shape templates inside the platform spanning holding statements, customer breach letters, regulator notifications (SEC 8-K Item 1.05, GDPR Article 33, HIPAA, NY DFS, state AG), public statements, internal updates, and board briefs. Five are published openly on this page as starting points. The full library is available to subscribers.
License: These templates are released under Creative Commons Attribution 4.0 International (CC BY 4.0). Free to copy, edit, and adapt with attribution. Attribution suggestion: "Adapted from IR-OS Holding Statement Library, ir-os.com/holding-statement-library."
IR-OS subscribers get all 23 attorney-shape templates inside the platform, with privilege chain captured at SHA-256 and PDF/DOCX exports with SAMPLE watermarks that drop once cloned and edited. Counsel-reviewed signoff chain. Hash-chained record.