Mar. 17, 2023
March 17, 2023 For the past 15 years, I have worked for many large and well known cybersecurity consulting firms leading incident response efforts many of them at publicly traded companies. In most cases the incident response reports, which are produced after a breach by the investigating consulting firm are issued to the breached entities outside legal counsel and not the entity themselves. This is done to shield the breached firm by leveraging attorney client privilege. If the intent of the proposals is for the public to be informed then I would recommend the use of attorney client privilege be addressed in the SEC's proposals.