As it determines the materiality of a cybersecurity incident, an organization must also decide whether to report the incident to the SEC in advance of any public disclosure and whether to cooperate with any ensuing SEC inquiry or investigation. On the one hand, proactive reporting of likely material cybersecurity incidents can build goodwill with the SEC and make clear from the outset that the organization is thoroughly investigating the incident. On the other hand, informing the SEC of immaterial incidents could expose the organization to expense, business disruption, and unwanted SEC scrutiny, particularly into the organization’s cybersecurity-related internal controls.
Here are four considerations in-house counsel should keep in mind in determining whether to proactively inform the SEC about a cybersecurity incident before making a formal public disclosure.
Source: Communicating with the SEC When Your Organization Suffers a Cybersecurity Incident