Key takeaways

• Debevoise analyzed how Fortune 100 companies disclosed recent data security breaches in their public filings. That analysis reveals that most make initial disclosures through their periodic reports following a cyber incident, rather than on a current report Form 8-K. 
• Periodic reports typically reflected the cybersecurity event in updated risk factors, sometimes by directly calling out the event and other times by revising risk factors in light of it, though without specific reference to the event. 
• These findings highlight the importance of early preparation and, in particular, identifying the company’s most valuable assets before a cyberattack, so that their status can be more easily ascertained post-breach, enabling timely and accurate disclosures.