SEC Issues Final Rule to Improve Public-Company Cybersecurity Disclosures

The SEC has issued a final rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. The final rule requires (1) “current disclosure about material cybersecurity incidents”; (2) “periodic disclosures about a registrant’s processes to assess, identify, and manage material cybersecurity risks”; (3) a description of “management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks”; and (4) presentation of cybersecurity disclosures in inline eXtensible Business Reporting Language (XBRL).

The final rule will become effective 30 days after the date of its publication in the Federal Register. For more information, see the press release and fact sheet — as well as statements by SEC Chair Gary Gensler and Commissioners Caroline Crenshaw, Jaime Lizárraga, and Hester Peirce — on the SEC’s Web site.