This tension between the need for discreet cooperation with law enforcement and the obligation to inform investors and the markets creates a dilemma for public companies. Unfortunately, the commission’s updated guidance provides little direction to corporate leaders confronting these conflicting demands. While the guidance acknowledges that it will often take time to “discern the implications” of a breach and that it “may be necessary to cooperate” with law enforcement, it concludes that an active investigation would not “on its own” be a reason to avoid disclosure of a material cybersecurity incident.
via When to Report a Cyberattack? For Companies, That’s Still a Dilemma – The New York Times.