Public companies are generally required to disclose events and risks that are material to their business, but what “material” means in the environment can be hard to discern, and the SEC appears to be taking issue with risk-factor disclosures even when the risks in question may not be material, several present and former SEC officials said at the recent Securities Enforcement Forum 2019. They discussed the available guidance on cybersecurity disclosures, the challenges involved in deciding when to disclose a cyber incident, and provided lessons from recent enforcement actions and the additional challenges that arise when multiple agencies are involved. See “Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two)” (Aug. 12, 2015); Part Two (Aug. 26, 2015).