On July 26, 2023, the Securities and Exchange Commission (“SEC” or “Commission”), adopted a final rule requiring the disclosure of material cybersecurity incidents and cybersecurity risk management, strategy, and governance by public companies, including foreign private issuers.

Please see adopting release here, and Fact Sheet available here.

In summary, the final rule requires: (i) Form 8-K disclosure of material cybersecurity incidents within four (4) business days of the company’s determination that the cybersecurity incident is material; (ii) new annual disclosures in Form 10-K regarding the company’s cybersecurity risk management and strategy, including with respect to the company’s processes for managing cybersecurity threats and whether risks from cybersecurity threats have materially affected the company; and (iii) new annual disclosures in Form 10-K regarding the company’s cybersecurity governance, including with respect to oversight by the board and management. The annual disclosures are also required in foreign private issuers’ annual reports on Form 20-F, and material cybersecurity incident disclosure will be covered by Form 6-K.

Are private financial firms next?

Click to view reference document