When a regulated firm faces a serious failure, customers judge the response as much as the original mistake - and unclear updates can do lasting damage to trust.
Sean O'Meara, founder of Essential Content, has advised major organisations in banking, finance, insurance, and healthcare on crisis communication, corporate apologies, and reputation recovery.
He explains how to separate operational problems from cultural failures, when apologies help, and how regulated teams can keep breach communications plain, dated, and compliant.
He has also co-authored a well-known book on corporate apologies and speaks regularly on saying the right thing at the right time.
Major failures in regulated sectors rarely stay internal. Customers share frustration quickly on social media, and firms need statement templates, named spokespeople, and time-stamped updates decided before pressure peaks.
The Difference Between an Operational Problem and a Crisis
Any major failure typically falls into two broad categories.
Operational failures happen when a company does not deliver what it promises - think flight cancellations, product recalls, or even running out of the key item you are supposed to sell (like when KFC famously ran out of chicken).
Cultural failures are trickier, often related to a company's values or leadership behaviour - such as insensitive remarks from executives or advertising campaigns that offend the public.
Both types can escalate fast when customers share their frustrations via social media, which is why many teams keep a crisis communications playbook for public channels as well as direct customer updates.
Saying 'Sorry' (or Not): The Real Impact
Many businesses avoid apologising for fear of legal consequences. Sean argues that a sincere apology rarely increases litigation on its own, even though a rushed apology in a culturally charged situation can draw more scrutiny.
"An apology should reflect responsibility.
It's not always your fault if you're hacked, but it is your responsibility to handle data properly."
That distinction matters when firms are deciding how far to go in the first public statement after a breach or service failure.
Planning for a Cyber Attack or Data Breach
No business can ignore the risk of a data breach or cyber attack.
The practical starting point is to treat breaches as likely rather than theoretical and keep a simple plan ready.
Useful preparation includes:
Create a skeleton template for potential statements that cover different scenarios.
Rehearse crisis roles, including who will speak to the media or customers.
Time-stamp public updates ('As of 13:00 on Tuesday') so people see the latest version and avoid confusion.
Benchmarking against sources such as the Cyber Security Breaches Survey can also help teams rehearse realistic scenarios before an incident forces the first live statement.
Communicating During a Crisis: Tone and Clarity
When failure happens, people want quick answers.
"They don't just want empathy; they want concrete steps."
Regulated firms reviewing follow-up channels after an incident may also find it useful to compare how they handle sensitive updates with guidance on being ready when cybercrime hits a customer.
"When trust is already damaged, the next message has to be plain, dated, and specific about what the firm is doing now - not another paragraph of reassurance with no next step."
Paul Holland, Founder and CEO, Beyond Encryption (Mailock)
Balancing Compliance with Empathy
In regulated industries, the stakes are higher.
Consumer Duty rules in the UK mean banks, insurers, and other regulated firms must prove they are acting in customers' best interests.
Make sure communications are transparent, consistent, and prompt.
Collaborate with compliance teams at the start of crisis planning.
Provide remedies customers can trust - such as identity protection services after a data breach.
Data-handling expectations also sit alongside wider UK GDPR principles, so crisis statements should align with how the firm protects personal data in practice.
Practical Priorities for Crisis Comms
Know your potential failure points: Identify where mistakes are most likely, then figure out how to prevent or mitigate them.
Take responsibility, even if it is not your fault: Apologise sincerely when needed, and outline what you are doing to fix the issue.
Keep your messaging simple: Be honest and use direct language. Avoid corporate jargon like 'funds' or 'beneficiary' in crisis statements.
Work hand in hand with compliance: Make sure your crisis plan respects industry rules, and involve the right experts early.
Update often: Time-stamp communications, and let people know what has changed since the last update.
FAQs
What Is Crisis Communication?
It is how organisations respond to serious issues that threaten their operations or image.
Effective crisis communication aims to provide honest updates, protect trust, and reduce long-term damage.
Why Do Apologies Matter?
When done right, apologies show that a business takes responsibility and cares about customers' experiences.
They help rebuild trust after a serious mishap.
How Should We Plan for a Cyber Attack?
Work backwards from the assumption it will happen.
Create clear guidelines, appoint a crisis lead, and rehearse.
Keep a blueprint for sharing updates quickly.
What if We're a Regulated Business?
You will have extra rules to follow, so bring compliance in at the start.
Show that you are treating customers fairly and meeting key requirements.
Should We Always Bring Out the CEO to Apologise?
Not always. If it is a technical problem, use an expert spokesperson.
Save senior leaders for more serious or escalating cases.
Sam Kendall works on digital marketing at Beyond Encryption, helping build B2B marketing activity around research, first principles, and sustainable growth. He writes about marketing effectiveness, positioning, customer communications, and digital culture, with longer-form work published at ATNL.