The Securities and Exchange Commission (SEC) has recently adopted new rules that aim to enhance and standardize the disclosures of public companies regarding their cybersecurity risk management, strategy, governance, and incidents. These rules will affect domestic and foreign companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Here are some key points to know about the new rules:

The new rules will become effective 30 days after publication in the Federal Register. The annual disclosures will be due beginning with reports for fiscal years ending on or after December 15, 2023.

The new rules are intended to provide investors with more consistent, comparable, and decision-useful information about companies’ cybersecurity practices and incidents. They also reflect the SEC’s recognition of the growing importance and complexity of cybersecurity issues for public companies and the markets they operate in.

The new rules may pose significant compliance challenges for companies, as they will require them to assess their cybersecurity risks and incidents more carefully and to disclose them more promptly and transparently. Companies may also face increased scrutiny and liability from regulators, shareholders, customers, and other stakeholders as a result of their cybersecurity disclosures. Therefore, companies should review their existing cybersecurity policies and procedures, update their disclosure controls and practices, train their personnel, and consult with their legal and technical advisors to ensure compliance with the new rules.