An expert lawyer will be able to tell you - under legal privilege - what you are legally obliged to do, and how to ensure you have a strong defence if sued or investigated by authorities.
If you suffer a serious data breach you may be legally obliged to notify certain people (eg customers, regulators, partners, staff and alumni, depending on the data that was breached). Obligations vary by industry and by jurisdiction, and are evolving quickly. You may want to be ready to demonstrate in a court of law that - even as you suffered a criminal cyber attack - you were fulfilling your obligations to key stakeholders.