On July 26, 2023, the Securities and Exchange Commission (the “SEC”) voted 3–2 to adopt rules requiring public companies to disclose material cybersecurity incidents as well as information regarding their cybersecurity risk management, strategy, and governance (the “Cybersecurity Disclosure Rules” or “Final Rules”).1 The Final Rules require disclosure of “material cybersecurity incidents”. The disclosure must be made within four business days from the date on which a cybersecurity incident is determined to be “material” as opposed to four business days from the date on which the occurrence of an incident is discovered; although, that distinction may be difficult to implement in practice. Covered entities, which include all issuers that file annual reports on Form 10-K or Form 20-F, should promptly review their cybersecurity protocols and procedures to address further required disclosure items.2Continue Reading SEC Adopts Final Rules on Public Company Cybersecurity Disclosures