On July 26, 2023, the Securities and Exchange Commission (the “SEC”) adopted new rules (the “Rules”) that will require public companies and foreign private issuers to disclose material cybersecurity incidents within four business days of discovering such an incident, and provide information regarding their cybersecurity risk management, strategy, and governance on their annual reports. In February 2022, the SEC proposed separate but similar rules relating to cybersecurity risk management for registered investment advisers and registered investment companies (“Proposed Rules Regarding Investment Advisers and Investment Companies”). The Proposed Rules Regarding Investment Advisers and Investment Companies have not been adopted as of the date of this blog.
Under the newly adopted Rules, certain reporting and disclosure requirements will become effective starting in December 2023. For additional details on the Rules, compliance obligations, and other considerations for public companies and foreign private issuers, please see an alert from our Corporate team. For more information about the Proposed Rules Regarding Investment Advisers and Investment Companies, please see our previous blog post.