Following the announcement of the finalized regulation concerning the publication of information on cybersecurity incidents by public companies and on the policies and procedures that firms have in place to manage related risks (please see EventID 22504 for a detailed description of the final regulation), the Securities and Exchange Commission (SEC) has now published this final rule in the Federal Register.
In brief, the final rule requires public companies to promptly report any material cybersecurity incidents and to report in their financial reports on the cybersecurity policies and procedures they have in place to identify, address, and mitigate potential threats in this context. In response to comments received, the final rule is somewhat "downsized" from the proposed one and eliminates several reporting obligations, as mentioned in the aforementioned Event.
The effective dates of the new reporting obligations are outlined in the Event timeline noted above.