The final SEC cyber rules focus on standardizing disclosures related to cybersecurity incidents and reporting on cybersecurity risk management, strategy, and governance for public companies.

• Report “material” cybersecurity incidents within 96 business hours
• Determine materiality within a reasonable time
• Describe the incident’s material impact or reasonably likely material impact
• Disclose the company’s risk management in annual filings
• Disclose the company’s governance structure for cybersecurity risks in annual filings