On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules that generally require public companies to disclose (i) material cybersecurity incidents within four business days after determining the incident was material and (ii) material information regarding their cybersecurity risk management, strategy and governance on an annual basis. The SEC initially issued proposed rules to enhance and standardize disclosures regarding cybersecurity governance and incident reporting by public companies in March 2022. The final rules made some important modifications to the disclosure requirements, which are discussed more fully below and are set forth in Release No. 33-11216, but will still require public companies (other than foreign private issuers (FPIs)) to meet substantial compliance obligations, including to:
- Disclose in a current report on Form 8-K information regarding a material cybersecurity incident within four business days after determining the incident was material.
- Amend a prior Form 8-K disclosing a cybersecurity incident to disclose any required information that was not determined or was unavailable at the time of the initial Form…
