Cyber Security Disclosure Guidance For Public Companies

A great paper by Davis Polk answers the question on the minds of many public companies when it comes to disclosing cyber risk: what should we disclose? The list of information that should be disclosed includes overall cyber-security risk, security incidents that expose any data or may trigger notification obligations, and incidents that may become newsworthy. Notably omitted are smaller “insignificant” breaches (which can be very difficult to determine). The article also points out that companies should time disclosures carefully and not rush them; it is important to obtain the appropriate information first and to confirm that the breach is in fact a “material” breach. Lastly, when disclosing a breach, companies have to walk a fine line in determining exactly what to disclose. Too much information could hand additional security-related information to future cyber criminals, while too little can be equally damaging. On the level of detail to provide, they note that remaining general in the beginning is often the best approach.

From an insurance perspective, it is important to view even seemingly insignificant breaches as “significant”. Small breaches may eventually grow or be discovered to be larger than initially thought, and failing to report them to your cyber insurer, or at least to put your insurer on notice, can entirely jeopardize coverage moving forward. Additionally, making any payments at all in relation to smaller cyber incidents can also jeopardize coverage. With many cyber policies still containing “securities exclusions”, public companies should also work closely with their broker/counsel to properly coordinate coverage.

https://www.davispolk.com/files/agesser.Cybersecurity.Law_.Report.aug15.pdf
