In late July 2023, the Securities and Exchange Commission (“SEC”) adopted new rules requiring public companies to disclose cybersecurity incidents and cybersecurity governance policies and practice.  The SEC largely adopted its original proposal issued in March 2022, with some modifications applicable to cybersecurity disclosure requirements.  The SEC voted to adopt the new rules in a 3-2 vote.

The new disclosure requirements however are effective no later than December 23, 2023, or 90 days after publication in the Federal Register. Small public companies will face an effective date in June 2024.

The new rules include a major change in disclosure requirements.  Companies will now be required to file a Form 8-K to disclose material cybersecurity incidents within four (4) business days of the company’s determination of materiality.  This is a transformative new rule that requires companies to implement specific disclosure controls.

In addition to this new incident disclosure requirement, companies will be required to include in its annual Form 10-K comprehensive disclosures concerning the company’s management of cybersecurity risks and its governance structure.  All public companies will have to include the new disclosure obligations for the close of the fiscal year in 2023.