An organization’s cyber risk management activities invariably result in the creation of sensitive communications and documents (e.g. threat risk assessments, assessments of cyber risk prevention activities and incident response preparedness, legal/contractual compliance assessments, insurance coverage advice, cyber risk management advice to directors and officers and cyber incident investigation reports) that may be subject to disclosure in connection with contractual audits, regulatory investigations and proceedings and civil lawsuits, unless the communications and documents are protected by legal privilege.
An organization’s ability to assert legal privilege over a communication or document depends on the purpose of the communication or document and the circumstances surrounding its creation and use. An organization that asserts legal privilege over a communication or document has the burden of proving the privilege applies. For those reasons, it is prudent for an organization to implement a reasonable legal privilege strategy designed to enable the organization to prove, where appropriate, that a communication or document was made for a privileged purpose and in circumstances that support a finding of legal privilege, and to help prevent inadvertent waiver of privilege.