On July 26, 2023, the SEC adopted rules requiring public companies and foreign private issuers (i) to timely disclose material cybersecurity incidents and (ii) to disclose on an annual basis the registrant's cybersecurity risk management, strategy and governance. The SEC issued its rule proposal in March 2022, which was the subject of significant public commentary. As a result, the SEC made certain changes to the required disclosures, streamlining them to decrease the amount of detail needed. Yet, the final rule still dramatically alters the disclosure landscape for domestic and foreign registrants. Set forth below is a summary of the key provisions of the final rule.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.