When to Report a Cyberattack? For Companies, That’s Still a Dilemmabr Yet, the S. E.C.’s new guidance doesn’t confront the practical quandary facing public companiesbr victimized by a cyberattack: Going public with news of a cyberattack isn’t always an easy call.br While the guidance acknowledges that it will often take time to “discern the implications” of a breach andbr that it “may be necessary to cooperate” with law enforcement, it concludes that an active investigation would not “on its own” be a reason to avoid disclosure of a material cybersecurity incident.br It has been seven years since the Securities and Exchange Commission first advised publicbr companies to tell investors if they had suffered a cyberattack deemed to be material.br This tension between the need for discreet cooperation with law enforcementbr and the obligation to inform investors and the markets creates a dilemma for public companies.br issued its initial cyber guidance, only 106 companies have reported incidents to the S. E.C.br While a proportion of those were private companies, it’s unlikely that public companies suffered only 106 breaches that were material in that timebr Law enforcement often encourages, or even demands, that the incident not be disclosed.br Again, it warned public companies to make “timely” disclosure, recognizing the “grave threat”br that cybercrime poses to investors and the capital markets.br Perhaps this dilemma explains why so few public companies report breaches.