Harvard Law School Forum on Corporate Governance, Matt Gorham, Barbara Berlin, and Kevin Vaugh, PricewaterhouseCoopers LLP: “The Securities and Exchange Commission (SEC) released its final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure on July 26, 2023. This gives your organization approximately five months to confirm your compliance plans before the new disclosure requirements take effect in mid-December. The revisions from the proposed rule have streamlined the disclosure requirements in many ways, in response to more than 150 comment letters filed from issuers, investors, and other parties. Still, disclosure can seem a daunting prospect if your company’s cybersecurity program won’t withstand investor scrutiny. Many companies are not ready today to reveal their cyber capabilities to the extent that the new rule requires. Note that final rules require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (“Inline XBRL”). The disclosure requirements aim to protect investors from the harms that a cybersecurity breach could cause. As the number, severity, and stakes of cybersecurity incidents continue to rise, investors are demanding transparency from the companies in which they’ve placed their resources and trust. With this new rule, the SEC puts the onus on companies to give investors current, consistent and “decision-useful” information about how they manage their cyber risks. We see the rule as a call to action, challenging enterprises to be ready to expand their disclosures regarding their cyber risk management, strategy, and governance processes. For some, preparing to reveal this information will not be easy. But it might not be as difficult as you might think…”