The SEC has made clear that material cybersecurity risks and incidents should be disclosed to investors. However, determining what is material, as well as when and how to disclose, is less clear. This article, the first in a two-part series, provides guidance on how to make appropriate disclosures that will meet the expectations of the SEC and investors regarding form, substance and timing. The second article will provide suggestions and examples for language to use in disclosures. See also “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments” (May 6, 2015).