Public companies grapple with when and how to disclose the various cybersecurity risks they face and the incidents they experience in their SEC filings. How much is enough to disclose to satisfy regulators and how much is too much – both to preserve reputations and avoid giving would-be hackers ammunition? The first part of this two-part article series provided guidance on making appropriate disclosures to meet SEC and investor expectations. This second part provides suggestions on risk themes to include in risk disclosures as well as examples of relevant disclosures made in the 10-K filings for The New York Times, Home Depot, Morgan Stanley and Target. See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions” (Apr. 8, 2015).