An attack happens. Systems go down. The CEO's phone won't stop ringing. The IT team is in a panic, legal wants to know what to communicate, and no one knows the true extent of the damage. This scenario repeats with alarming frequency in Brazil — and most companies still discover, in the worst possible way, that they were not prepared to respond.

In 2023, Brazil was the second most attacked country in Latin America, with more than 60 billion attempted cyberattacks recorded, according to the Fortinet report. Companies across all sectors — from retail to financial — were affected. But what differentiates organizations that emerge from an incident with their reputation intact from those that watched crises turn into scandals is not the absence of attacks: it is the capacity to respond.

This article is for executives who need to understand what to do when an incident occurs — not only from a technical standpoint, but from a strategic, communicational, and organizational one. And most importantly: what to change afterward so that the next attack does not cause the same damage.

What a cyber incident means from an executive perspective

Before discussing response, it is necessary to align on the concept. For the IT team, an incident can be any technical anomaly. For an executive, what matters is the business impact: critical systems unavailable, customer data exposed, operations halted, regulatory obligations unmet.

The difference in perspective matters because it defines how leadership will behave during the crisis. A CEO who understands that their role is not to "fix the technical issue," but rather to make business decisions under pressure — communicating with stakeholders, notifying insurers, engaging legal counsel, deciding on operational continuity — responds far more effectively.

Common incidents in the Brazilian market include:

  • Ransomware: hijacking of data and systems with ransom demands. It has affected companies such as Renner, Porto Seguro, and JBS in recent years
  • Data breaches: exposure of customer databases, with direct implications under the LGPD
  • Denial-of-service attacks (DDoS): taking down digital platforms, common in the financial sector
  • Privileged account compromise: unauthorized attacker access to internal systems via stolen credentials

Each type of incident has a different impact vector, but all require the same thing: a structured, swift, and coordinated response.

The first hours: what to do (and what not to do)

The first hours of an incident are the most critical — and the most prone to mistakes. The instinct to "fix it fast" can make the situation worse. I have seen companies destroy forensic evidence while trying to erase traces of an attack, compromising any possibility of subsequent investigation.

The correct sequence for executive leadership in the first hours is:

  • Confirm and classify the incident: before any action, it is necessary to understand the scope. Is the problem isolated or has it spread? Which systems are affected? Is sensitive data involved?
  • Activate the response team: this includes IT/security, legal, communications, and, depending on the company's size, the CISO (Chief Information Security Officer). If the company does not have one, it is time to engage a specialized external partner
  • Preserve evidence: do not shut down servers, do not delete logs, do not "clean up" anything without technical guidance. Evidence is essential for forensic investigation and legal proceedings
  • Isolate, do not erase: the initial goal is to contain the incident — preventing it from spreading — not necessarily to restore everything immediately
  • Controlled internal communication: define who says what and to whom. Poorly managed internal leaks turn into leaks to the press

The biggest mistake I see executives make during an incident is trying to manage everything at once. The role of leadership is to make the decisions that only leadership can make — and delegate the rest to those who know how to handle it.

What not to do: communicate publicly before understanding the true scope of the problem, negotiate with attackers without legal and technical guidance, or worse, ignore the incident hoping it will "resolve itself."

Cyber crisis management: the executive's role in communication

Cyber crisis management has a dimension that goes far beyond technology: communication. And here executives need to be out front, not behind.

The LGPD (General Data Protection Law) establishes that incidents that may cause relevant risk or harm to data subjects must be reported to the ANPD and to the data subjects themselves within a reasonable timeframe. Ignoring this obligation is not just a reputational risk — it is a legal risk with fines that can reach 2% of the company's revenue, capped at R$ 50 million per infraction.

Communication during an incident should follow three principles:

  • Calibrated transparency: communicate what is known, without speculating about what is not. Hasty statements claiming "no data was leaked" that later prove false destroy the leadership's credibility
  • Responsible speed: communication needs to be fast enough to control the narrative, but it requires a minimum of verified information before going out
  • Channel consistency: designate a single spokesperson for each audience — press, customers, regulators, board — and ensure everyone delivers the same message

Companies that communicated incidents with clarity and proactiveness — as Nubank did in situations of technical instability — came out with their reputation preserved or even strengthened. Companies that tried to conceal or downplay the situation paid a much higher price.

The incident response plan every company should have

An incident response plan is not a technical document stored in an IT drawer. It is an executive protocol that defines who does what, when, and how — in any cyber crisis scenario.

An effective plan for medium and large companies should cover:

  • Incident classification criteria: what constitutes a level 1 incident (low impact, technical resolution) versus a level 3 incident (critical business impact, escalates to leadership)?
  • Responsibility matrix (RACI): who is accountable for each decision — technical, legal, communicational — at each incident level
  • Emergency contacts: an updated list of security vendors, attorneys specializing in the LGPD, cyber risk insurers, and crisis communication partners
  • Containment and recovery procedures: technical steps to isolate compromised systems and activate business continuity plans
  • Communication roadmap: message templates for each audience — customers, press, ANPD, sector regulators such as the Central Bank
  • Documentation protocol: how to record all decisions and actions taken during the incident, essential for forensic analysis and legal defense
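As an added illustration of two points above, the "preserve evidence" step from the first hours and the documentation protocol of the plan, here is a small Python incident record (example code written for this article, not taken from it or from any real incident response platform). It fingerprints each artifact at collection time so later tampering is detectable, and hash-chains every recorded decision so an entry cannot be edited or removed without breaking the chain. The incident id, actor names and log line are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class IncidentRecord:
    """Append-only log: each entry stores the hash of the previous one,
    so editing or deleting a past decision breaks verification."""
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []   # chained decision/action entries
        self.evidence = {}  # artifact name -> sha256 taken at collection

    def record(self, actor: str, action: str, ts: str = "") -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": ts or datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action, "prev": prev}
        entry["hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def preserve(self, name: str, content: bytes, actor: str) -> str:
        """Fingerprint an artifact (e.g. a log file) before anyone touches it
        and log the collection in the same chain as the decisions."""
        digest = sha256_hex(content)
        self.evidence[name] = digest
        self.record(actor, f"collected {name} sha256={digest}")
        return digest

    def unchanged(self, name: str, content: bytes) -> bool:
        """True if the artifact still matches the digest taken at collection."""
        return self.evidence.get(name) == sha256_hex(content)

    def verify(self) -> bool:
        """Re-walk the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["hash"]:
                return False
            prev = e["hash"]
        return True

# Constructed sample artifact: one web server access log line captured in the first hours.
SAMPLE_LOG = b'10.0.0.7 - - [01/Mar/2024:03:14:07 -0300] "POST /login HTTP/1.1" 401\n'

def demo() -> IncidentRecord:
    rec = IncidentRecord("INC-EXAMPLE-001")  # hypothetical incident id
    rec.record("CISO", "classified as level 3; response team activated", "2024-03-01T06:30:00+00:00")
    rec.preserve("web01-access.log", SAMPLE_LOG, "forensics")
    rec.record("CEO", "decision: isolate web01 from the network, do not shut down", "2024-03-01T06:45:00+00:00")
    return rec
```

The same pattern extends to screenshots, memory images or ticket exports: hash first, then act, so the record survives scrutiny by investigators, insurers and counsel.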

The plan needs to be regularly tested through simulations — known as tabletop exercises — where leadership practices the process before a real scenario occurs. Companies in the financial sector, such as the major banks I work with, do this quarterly. For most Brazilian companies, once a year would already represent a significant leap forward.

Post-incident: what to analyze and what to change

The crisis has passed. Systems are back online. The temptation is to "close the chapter" and move on. This is the second biggest mistake companies make — the first was not being prepared.

The post-incident phase is, paradoxically, the most valuable stage of the security cycle. It is when the company gains clarity about its real vulnerabilities — not the theoretical ones from an audit report, but those that were effectively exploited by a real attacker.

An effective post-incident analysis should answer:

  • How did the attacker get in? What was the initial compromise vector — phishing, system vulnerability, leaked credential, third-party vendor?
  • How long was the attacker inside before being detected? The average dwell time of attackers on corporate networks is still over 200 days globally. Each additional day amplifies the impact
  • What did the response plan get right? What failed? Without this honesty, the plan never improves
  • Which technical controls would have detected or prevented the attack sooner?
  • Are there human training gaps? Most incidents begin with a human error — a click on a phishing email, a reused password

The changes that typically emerge from an honest analysis include investments in continuous monitoring (SOC — Security Operations Center), implementation of Zero Trust architectures, review of privileged access, and — frequently — the hiring or development of dedicated security leadership.

Cyber resilience as a competitive advantage

There is a fundamental mindset shift that needs to happen in Brazilian boardrooms: information security is not an IT cost. It is a strategic business capability.

Companies that invest in cyber resilience — the ability to withstand, adapt to, and recover from incidents — have concrete and measurable advantages. Lower premiums on cyber risk insurance. Greater ease in M&A due diligence processes. Access to contracts with large corporations and public bodies that require certifications such as ISO 27001. And, increasingly, a trust advantage with customers and partners who care about where their data is stored.

The average cost of a data breach in Brazil reached R$ 6.75 million in 2023, according to IBM Security's annual report. This figure does not include reputational damage, customer loss, or indirect operational costs. When compared to the investment in a robust security framework, the ROI of prevention and resilience becomes evident.

The question I ask the executives I work with is not "how much do you want to spend on security?" It is: "how much can you afford to lose without being prepared?" The answer almost always changes the conversation.

What to do now, before the incident happens

If you have read this far, you have probably recognized gaps in your organization. The good news is that preparation is a choice. The bad news is that it needs to happen before the crisis, not during it.

Three actions any executive can start this week:

  • Ask your IT team: "Do we have a documented and tested incident response plan?" If the answer is hesitant, you have a problem
  • Review your insurance coverage: do you have cyber risk insurance? Does it cover the most likely scenarios for your sector? Many executives discover the gaps at the time of a claim
  • Map your critical assets: which systems, data, and processes, if compromised, would cause unacceptable damage to the business? Protection should be proportional to risk — and you need to know what to protect first

Cyber incidents are not a matter of "if" — they are a matter of "when." What is entirely within leadership's control is the level of preparedness with which the organization will face that moment. Companies that treat security as a strategic priority do not eliminate risks, but they transform incidents into manageable events, not existential crises.

If you want to assess your organization's incident response maturity or structure a cyber resilience plan suited to your context and sector, get in touch. I have been helping leadership teams at companies such as BTG, B3, Inter, and others to transform security into a strategic capability — and I can do the same for your organization.