I was very interested to read this article by Leah Parsons, Ericka Johnson and Colin Jennings from Squire Patton Boggs looking into whether cyber breach reports are subject to discovery in the US.  

This is often a factor that can be overlooked in the heat of a response, but as the article sets out, it is very important to consider to protect work product.