The Breach Wasn’t Yours—But the Fallout Is

Jan 21, 2026 | Crisis Management, Finance, Health And Human Services, Healthcare, Public Relations

WHY ORGANIZATIONS IN HIGHLY REGULATED, TRUST-DEPENDENT INDUSTRIES MUST LEAD COMMUNICATIONS, EVEN WHEN THE INCIDENT STARTS WITH A VENDOR

When a third-party vendor is compromised, your customers don’t care who owns the servers. They care that their data is exposed, their trust is shaken, and no one is giving them answers.

That reality cuts across industries. Health systems, human services organizations, financial institutions, utilities, and other regulated entities all face the same challenge: when a vendor fails, accountability is perceived, not contractual.

At NERC’s GridSecCon 2025, that message couldn’t have been clearer.

While the conference focused on critical infrastructure, the communications lessons apply far beyond utilities. Across sectors, leaders are grappling with the same gap: strong technical response plans that are not matched with clear, coordinated communications strategies.

Even the most technically advanced organizations admitted they are not ready to communicate when a cyber or vendor-driven incident occurs. They may have sophisticated detection and containment plans, but far fewer have aligned how leadership, IT, operations, legal, and communications will work together in those first critical hours.

The takeaway: You may not control the breach. But you absolutely control the narrative.

Trust Is Transferable. So Is Blame.

When customers see your logo next to a breached platform, they don’t analyze the vendor contract. They make assumptions:

  • You vetted the vendor.
  • You benefited from the service.
  • You should have known.

That chain of perceived responsibility creates reputational risk. The burden of transparency quickly shifts to the organization closest to the customer, patient, or client.

This dynamic is especially acute in healthcare and human services, where trust, continuity of care, and regulatory scrutiny intersect. Silence or confusion in the early hours can raise questions that extend well beyond the incident itself.

In conversations with leaders across regulated industries, one theme is consistent: the biggest vulnerability isn’t technical. It’s communicative. Few organizations have formal playbooks that define who speaks first, how updates are approved, and how external messages reach patients, customers, regulators, partners, and the media in real time.

Communications Now Sits at the Core of Cyber Governance

Since the release of NIST’s Cybersecurity Framework 2.0 (CSF 2.0), communications has moved from a “nice to have” to a core pillar of risk governance.

Organizations are now expected to:

  • Maintain a pre-approved holding statement for immediate use
  • Assign clear communications roles within incident-response structures
  • Test those roles during tabletop exercises, not just IT recovery drills

As GAVIN’s Amanda Peterson Martin often emphasizes with executive teams:

“Your first statement doesn’t have to say everything. But it has to say something fast, clear, and confident.”

That early message buys IT and legal teams time while demonstrating control, accountability, and leadership to regulators, partners, patients, and the public.

Communications Is a Risk Tool—Not a Marketing Task

In the hours after an incident, stakeholders are not reading whitepapers. They are watching how leaders respond.

If leadership is silent, inconsistent, or overly cautious, trust erodes quickly, and it is expensive to rebuild.

Effective crisis communication must be:

  • Clear (plain language, no corporate jargon)
  • Fast (within hours, not days)
  • Aligned (IT, legal, leadership, and communications speak with one voice)
  • Empathetic (acknowledges impact and responsibility)

What We’re Seeing Across Regulated Industries

Insights from recent industry engagements, including GridSecCon, reinforce broader trends we are seeing across healthcare, human services, finance, and critical infrastructure:

  • Vendor-driven incidents are rising faster than direct system attacks
  • Board accountability for crisis response and communications is increasing
  • Communications-integrated tabletop exercises are one of the most effective ways to identify gaps before a real incident occurs

Organizations that treat communications as part of enterprise risk planning, not a downstream reaction, are better positioned to protect trust when incidents occur.

GAVIN works alongside leadership teams to pressure-test crisis communications plans, define roles and escalation paths, and facilitate executive-level workshops and tabletop exercises that integrate communications with operational response.

Final Thought

The breach may not be your fault.
But in the eyes of your stakeholders, the response is your responsibility.

You don’t control the incident.
You do control how your organization leads when it matters most.
