Companies have become more vocal about their cyber capabilities, seeking to reassure business customers and the public that their data is safe. Those communications may carry risks, as demonstrated by a recent New York federal court decision, which narrowed the SEC’s much-watched case against SolarWinds and its CISO, leaving securities fraud charges based on a website statement on security that “was materially false and misleading in numerous respects.” This article, the second in a two-part series about the groundbreaking decision, presents several lessons from the 107‑page opinion about how companies can approach internal and public cyber statements, with observations from lawyers at Cooley, Freshfields, Jenner & Block, Orrick and Sullivan & Cromwell, plus insight from the CISO of SafeBase. Part one provided perspective on the SEC’s wins and losses, and examined the decision’s multiple implications that worry CISOs. See “A Framework for Materiality Determinations Under SEC’s Cyber Incident Disclosure Rules” (Jul. 10, 2024).