Boardroom Tool

Complying with the SEC’s Final Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

By Sidley Austin’s Privacy, Cybersecurity, and Public Companies Practices

09/19/2023

Partner Content Provided by Sidley Austin LLP

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) finalized its rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies.

The final rule has been published in the Federal Register, and registrants should be looking to update their compliance programs promptly. As noted in the adopting release, with respect to Cybersecurity Risk Management, Strategy, and Governance disclosure requirements, all registrants must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. Moreover, for the incident disclosure requirements in Item 1.05 of Form 8–K and in Form 6–K, all registrants other than smaller reporting companies must begin complying on December 18, 2023.

This tool outlines: (1) a high-level overview of key takeaways; (2) a checklist to help boards think about oversight of the Risk Management, Strategy, and Governance disclosure requirements of the final rule; and (3) considerations for oversight of the processes supporting disclosures around material cybersecurity incidents.
