On July 26, 2023, the SEC adopted new rules for public companies regarding disclosure of material cybersecurity incidents, as well as cybersecurity risk management, strategy and governance. The final rules track the SEC’s proposed rules from March 2022 in many respects, with certain significant changes, and represent a significant expansion of the SEC’s existing cybersecurity disclosure framework. New Item 1.05 of Form 8-K will require disclosure in Form 8-K of information about the material aspects of the nature, scope and timing of a cybersecurity incident within four business days of determining that the incident is material. Registrants will also be required in Form 10-Ks (and Form 20-Fs) to disclose their processes for assessing, identifying and managing material risks from cybersecurity threats and their governance practices relating to cybersecurity risks. All registrants (other than smaller reporting companies, which will have an additional 180 days) will need to begin complying with the disclosure requirements relating to material cybersecurity incidents in Item 1.05 of Form 8-K and in Form 6-K on the later of (i) 90 days after the adopting release is published in the Federal Register or (ii) December 18, 2023. Registrants will be required to provide disclosures in Forms 10-K and 20-F beginning with annual reports for fiscal years ending on or after December 15, 2023 (for December 31 fiscal-year-end filers, beginning with their 2023 Form 10-Ks filed in early 2024).