The recent cybersecurity regulations from the SEC have brought significant changes for Chief Information Security Officers (CISOs). They are responsible for disclosing cyber risks and incidents in their 10-Ks and 8-Ks. Although the SEC’s recent enforcement actions may suggest that disclosure is the right thing to do, it can be challenging to disclose cyber risk without exposing potential weaknesses and security gaps.