The SEC Adopts Cybersecurity Disclosure Regime for Public Companies

On July 26, 2023, the U.S. Securities and Exchange Commission adopted enhanced disclosure requirements regarding cybersecurity risk management, strategy, governance and incident reporting for public companies. The final rules reflect a less stringent regime than initially proposed. The amendments call for (1) real-time disclosure of cybersecurity incidents on Form 8-K or Form 6-K, as applicable, and (2) annual disclosure of an issuer’s cybersecurity risk assessment processes and the respective roles of its board of directors and management in overseeing and managing cybersecurity threats. Companies should be preparing now for the rules’ coming effectiveness.