PH Privacy
SEC Cyber Rules Published in Federal Register
August 04, 2023
By Sean Donahue, Brad Bondi, Aaron Charfoos, Kenneth P. Herzinger, Spencer Francis Young, & Jeremy Berkowitz
The SEC’s Cybersecurity Risk Management Strategy, Governance, and Incident Disclosure Rules were officially published in the Federal Register on August 4, 2023 and go into effect on September 5, 2023.
The publication date officially affects when companies will need to start complying with the new rules on disclosure of material cybersecurity incidents. When the SEC first released the rules last week, it stated that companies would need to start making these disclosures by the later of two dates: (1) 90 days after publication in the Federal Register or (2) December 18, 2023. Given the date of publication, the rules published in the Federal Register now clearly state that companies will need to start complying with the incident disclosure rules on December 18. Small reporting companies will have an additional 270 days and must begin making such disclosures on June 15, 2024.
Additionally, companies whose fiscal years end on or after December 15, 2023 will be required to begin making disclosures in their annual reports regarding cybersecurity governance.
As discussed in our analysis last week, it is imperative that companies begin preparing for compliance with these new rules immediately, including ensuring that cybersecurity is integrated into your company’s compliance regime and building/reinforcing clearly defined escalation processes.