Crisis management and communications
1) Purpose and scope
Create a manageable, repeatable, and verifiable incident and crisis response process that minimizes damage to players, partners, regulators, and the brand. The section covers technological incidents, compliance risks (KYC/AML/responsible gaming), payment problems, data leaks, PR crises and force majeure (data center/provider, DDoS, sanctions/blocking, disasters).
2) Principles
Player safety and data first. Protection of funds, personal data and game balances is priority number one.
Speed > perfection. Clear first communication with facts: "what is known/what is not/what we are doing/when the next update is."
Single voice. All external messages go through approved speakers and templates.
Verifiability. Logs, timelines, solutions, hypotheses, and artifacts are captured for post-mortem.
Proportionality. The response is matched to the severity level and legal requirements.
Continuous readiness. Drills, scenarios, retrospectives and improvements are part of BAU.
3) Terms and severity levels
An incident is an event that disrupts normal operation/compliance.
A crisis is an incident that threatens the sustainability of a business/license/reputation.
- S1 (critical): core gaming/wallet downtime > 15 min globally; PII/financial leakage; regulatory investigations; mass unavailability of payments.
- S2 (high): degradation of > 5% of transactions, local region downtime, potential vulnerability without confirmed leak.
- S3 (medium): partial failures (game providers, affiliate tracking), negative media noise, growth in chargebacks.
- S4 (low): single complaints, local regressions.
- S1: first message ≤ 15 minutes, then every 30-60 minutes; final report ≤ 72 hours.
- S2: first ≤ 30 minutes; updates every 1-2 hours.
- S3-S4: according to an agreed schedule.
4) Organization and Roles (RACI)
IC (Incident Commander) - incident commander, timeline owner, convenes a "war room," makes decisions. (Accountable)
Comms Lead (PR/GR/CS): external and internal communications, unified narrative, coordination with lawyers. (Responsible)
Tech Lead (SRE/Platform): root-cause diagnostics, recovery actions, fixing metrics. (Responsible)
Security Lead (AppSec/Blue Team): investigation of information security incidents, interaction with CERT/LEA.
Legal/Compliance: assessment of regulatory requirements (notifications to regulators/banks/partners, deadlines, wording).
Payments Lead: PSP/banks, alternative routes, manual settlement.
CRM/CS Lead: macros for support, compensation, "affected" segments.
Data/Analytics: overall impact metrics, cohorts, MTTR/financial damage report.
CEO/Exec Sponsor: S1 escalation, public statement if necessary.
5) Crisis life cycle
Triage → Detection → Escalation → Stabilization → Communication → Recovery → Post-mortem and Improvement
5.1 Response timeline (S1 reference point)
0-15 minutes: IC assignment; opening a "war room"; primary hypothesis; temporary blocking of risky actions (for example, withdrawals); holding statement for internal audience.
15-60 minutes: checking the blast radius; switching to backup channels (DR, standby PSP, CDN rules); first external message (status page/social networks/mail to partners).
1-4 hours: service stabilization; support FAQ; personalized notifications to affected players; recording regulators' requirements.
Up to 24 hours: detailed update with reasons and prevention plan; launch of compensation/credits; brief for affiliates/providers.
Up to 72 hours: final report, legal notices, retrospective, improvement tasks.
6) Communication channels and policies
Channels: status page, e-mail/SMS/push, help center, social networks, in-app banners, affiliate mailing, tickets to regulators, PSP service updates, media announcements.
Message rules:
- Facts, transparent actions, timing of the next update.
- No accusations, no technical jargon, no vagueness.
- Prepared templates in 5 languages of key markets.
- Always tell the player what to do now (do nothing, do not transfer funds, expect compensation, etc.).
- Tone: empathy → responsibility → action → prevention.
- key> Reason: [Component/Provider] failed. Measures: failover to backup, version rollback, additional transaction checks. Impact: [percentage/geography/time slot]. Compensation: [credits/free spins] to affected players. Next steps: [load capping, hotfix, audit].
7) Playbooks for typical scenarios
7.1 Data breach/account compromise
Immediately: isolation, forensics, token/password reset, MFA campaign.
Communications: targeted notifications to affected players; password-change FAQ; statement of protective measures.
Legal: notifications to regulators/banks/PSPs within mandatory deadlines; templates for DPIA/reports.
Prevention: bug bounty, secret rotation, WAF/EDR/IDS signatures, hardening.
7.2 Payment failures (PSP/bank/AML flags)
Immediately: switching to redundant PSPs/routes; soft deposit limits; auto-pin suspension.
Communications: status at the checkout, "alternative methods" banner, partner brief.
Legal: notices under contracts; compliance with refund rules and chargeback SLAs.
Prevention: multi-acquiring, monitoring of conversion deviations, traffic balancing across methods.
7.3 Massive platform unavailability/degradation
Immediately: feature flags → functional degradation (read-only/cache), turning off "heavy" features.
Technical actions: rollback/blue-green, scaling, rate limits, DDoS protection.
Communications: clear update intervals; map of affected regions/games.
Prevention: SLO/error budgets, game provider fail-open/close strategy, chaos days.
7.4 Regulatory/licensing risks
Immediately: freeze on controversial campaigns/mechanics, consultation with Legal/Compliance.
Communications: neutral wording, no admission of guilt, coordination with lawyers.
Prevention: promo pre-clearance, T&C/bonus audit, regional feature splits.
7.5 Reputational storm (media/social media)
Immediately: mention monitoring, a single position with prepared Q&A.
Communications: "we hear you/we are fixing it" + facts; avoid arguing in comments; prepared fact-checked long-read.
Prevention: media training of speakers, "dark site" with facts/chronology, crisis press packs.
8) Metrics and dashboards
Reaction: MTTA, MTTR, MTTD, TTS (time-to-statement), % of updates within SLA.
Impact: players/transactions affected, lost GGR, chargeback rate, share of manual processing.
Reliability: SLO by key flow (deposit, spin, withdrawal), error budget burn.
Communications: notification coverage, open/click rate, % of repeat contacts, CSAT/DSAT.
Reputation: sentiment (social networks/media), the share of negative publications, the time until the trend is neutralized.
Status page minimum: uptime by zone, incident timeline, ongoing degradation, ETA and history.
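The TTS and "% of updates within SLA" metrics can be computed directly from the war-room timeline against the S1/S2 deadlines in section 3. The following is an added example, not part of the original process document: the log layout, starting the clock at '/declare', and treating the upper bound of each update interval as the hard limit are assumptions.

```python
from datetime import datetime, timedelta

# Section 3 SLAs: (deadline for first message, longest allowed gap between updates).
# The upper bound of each range on the page (60 min, 2 h) is used as the hard limit.
SLA = {"S1": (timedelta(minutes=15), timedelta(minutes=60)),
       "S2": (timedelta(minutes=30), timedelta(hours=2))}

# Constructed war-room log. The "<ISO time> <command> <text>" layout is assumed.
SAMPLE_LOG = """\
2024-05-01T10:00:00 /declare wallet API errors
2024-05-01T10:02:00 /severity S1
2024-05-01T10:12:00 /update holding statement on status page
2024-05-01T10:55:00 /update failover to standby PSP
2024-05-01T12:10:00 /update service stabilized
2024-05-01T12:40:00 /close
"""

def parse(log):
    """Return (timestamp, command, argument) tuples in time order."""
    events = []
    for line in filter(str.strip, log.splitlines()):
        ts, cmd, *rest = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), cmd, rest[0] if rest else ""))
    return sorted(events, key=lambda e: e[0])

def comms_sla_report(log):
    """Compute time-to-statement and share of updates that met the SLA."""
    events = parse(log)
    declared = next(t for t, c, _ in events if c == "/declare")
    # Assumption: the last /severity set during the incident decides the SLA.
    severity = [a for _, c, a in events if c == "/severity"][-1]
    first_limit, gap_limit = SLA[severity]
    updates = [t for t, c, _ in events if c == "/update"]
    late, previous = [], declared
    for i, t in enumerate(updates):
        limit = first_limit if i == 0 else gap_limit
        if t - previous > limit:  # record the late update and its gap in minutes
            late.append((t.isoformat(), round((t - previous).total_seconds() / 60)))
        previous = t
    tts = (updates[0] - declared).total_seconds() / 60 if updates else None
    pct = round(100 * (len(updates) - len(late)) / len(updates), 1) if updates else 0.0
    return {"severity": severity, "tts_minutes": tts,
            "pct_updates_in_sla": pct, "late_updates": late}

if __name__ == "__main__":
    print(comms_sla_report(SAMPLE_LOG))
```

Only S1 and S2 carry numeric deadlines in section 3, so S3-S4 incidents need their agreed schedule added to the table before they can be scored.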
9) Checklists
9.1 Launching the "war room"
- IC and scribe appointed.
- Tech/Sec/Payments/Legal/Comms/CS Leads brought in.
- S1-S4 level, blast radius, hypothesis triage are defined.
- Decision made on rollback/feature flags/backup routes.
- The holding statement and the time of the next update have been prepared.
9.2 Before an external message
- Facts confirmed, no PII/secrets.
- Legal review of wording.
- Clear instructions to players/partners.
- The channel/time of the next update is specified.
9.3 Closing the incident
- Root cause/temporary protection resolved.
- Compensations accrued, disputed transactions processed.
- Final report published, status page updated.
- Retro convened, CAPA plan in backlog with owners and dates.
10) Message templates
A) Status page (brief):
- Event: [type/service]
- Impact: [who/where/when]
- What we are doing: [actions]
- Next update: [time]
- Subject: [Service] outage - we are already fixing it
- Body: what happened (1-2 lines), what to do now, security of funds/data, ETA of the next update, link to status.
- Short brief (what happened/effect on tracking/temporary measures/expected effect) + contact for questions.
- Formal notification with facts, interim measures, customer impact assessment, prevention plan, deadlines for final report.
11) Tools and artifacts
Runbooks/Playbooks in the repository with versioning (scripted).
War Room: a permanent channel (chat/video) with a bot secretary (log of time and decisions).
Incident bot: commands '/declare', '/severity', '/update', '/close', automatic timeline filling.
Post-mortem template: problem → impact → root cause → what worked/what did not → CAPA → owners/deadlines.
Compensations: calculator of affected segments (by time/channel/game/payment), bonus presets.
Audit and Claim Logs - for compliance.
12) Readiness and training
Quarterly simulation of S1-S2 (table-top + live-drills), including "night" scenarios.
Media training for speakers, "bridge" briefings for CEO.
Verification of contacts (24 × 7), duty and "backup on call."
Stress tests: DDoS games, disconnecting the PSP provider, database degradation, CDN drop.
"PR storm" training: with fake headlines and a sentiment scale.
13) Legal and Compliance Loop
Mapping of mandatory notifications by jurisdiction (dates, format, language).
Log/artifact storage and access policy.
Guidance on "responsible play" in a crisis: how not to worsen the vulnerability of players.
Conditional "red lines" for communications (what cannot be disclosed before approval).
Procedure for interaction with law enforcement/CERT.
14) Post-mortem and improvements
Retro ≤ 7 days, blameless, with specific CAPAs.
Update playbooks/templates, include new indicators (early signs).
Track CAPA execution and effectiveness review after 30/60 days.
15) Quick start (30-day implementation summary)
1. Approve IC/Comms/Tech/Sec/Legal/Payments/CS roles and on-call schedule.
2. Consolidate the S1-S4 matrix and the update SLAs, publish on the internal portal.
3. Create a status page and message templates (5 languages/markets).
4. Assemble a "war room" (chat/video) with a bot logger and macros.
5. Create 5 playbooks: leak, payment crisis, platform degradation, regulatory risk, PR storm.
6. Set up monitoring of player-experience metrics: deposit/withdrawal/spin/login.
7. Conduct table-top exercise (2 hours) + update documents based on results.