Home / Agencies / SEC / 2023-16194
Final Rule

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

Agency
Document Number
2023-16194
Published
August 4, 2023
Effective Date
September 5, 2023

Abstract

The Securities and Exchange Commission ("Commission") is adopting new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are adopting amendments to require current disclosure about material cybersecurity incidents. We are also adopting rules requiring periodic disclosures about a registrant's processes to assess, identify, and manage material cybersecurity risks, management's role in assessing and managing material cybersecurity risks, and the board of directors' oversight of cybersecurity risks. Lastly, the final rules require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language ("Inline XBRL").

Federal Register Source

This document is published by the Office of the Federal Register, National Archives and Records Administration. Access the full regulatory text, preamble, and docket comments below.

View Full Text on FederalRegister.gov →

Opens in new tab · federalregister.gov

Frequently Asked Questions

What is the 2023-16194 Federal Register document?
Document 2023-16194 is a Final Rule published by the Securities and Exchange Commission in the Federal Register on August 4, 2023, with an effective date of September 5, 2023. The Securities and Exchange Commission ("Commission") is adopting new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. Specifically, we are adopting amendments to require current disclosure about material cybersecurity incidents. We are also adopting rules requiring periodic disclosures about a registrant's processes to assess, identify, and manage material cybersecurity risks, management's role in assessing and managing material cybersecurity risks, and the board of directors' oversight of cybersecurity risks. Lastly, the final rules require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language ("Inline XBRL"). View the original at https://www.federalregister.gov/documents/2023/08/04/2023-16194/cybersecurity-risk-management-strategy-governance-and-incident-disclosure.
Is document 2023-16194 an economically significant rule?
No. Document 2023-16194 is not classified as economically significant under Executive Order 12866. Economically significant rules require OIRA review and are estimated to have impacts of $100 million or more per year.
Data sourced from official state legislatures, IAPP, NCSL, and federal regulatory trackers. See our methodology for details. Retrieved and formatted by PlainRegWatch Editorial

Every figure on PlainRegWatch is rendered directly from state source data, no number is typed in by an editor. This page draws directly on federal and state source data, no figure is typed in by an editor. See our editorial standards & corrections policy, the methodology behind these numbers, or report a data error.