Skip to Primary Navigation

New SEC cyber disclosure rules take effect

Image of the silhouette of a man on a computer against a digital background.
Photo: Bill Hinton/Getty Images

Companies now need to disclose on risk management, strategy and governance procedures – and on material cyber incidents by December 18.

This July, the SEC voted to adopt final rules on cybersecurity disclosure. As of December 15, companies need to disclose their cyber-risk management, strategy and governance procedures – and then disclose any material cyber incidents by December 18 – under those rules. (Smaller reporting companies have a 180-day deferral.)

Rules recap

In

Get full access, free for a month

Start your 28-day free trial to continue reading and access
all content on GRIP – no payment details required.

What’s included:

  • Every new article, plus our 5,000+ archive
  • Daily regulatory insight and guidance
  • Exclusive interviews and in-depth analysis
  • Coverage of industry-leading events and conferences
  • All podcasts and videos, featuring industry experts
  • The full set of Rules Navigator tools
  • An ad-free experience