In response to a significant rise in cybersecurity incidents at public companies and the SEC’s view that there is inconsistent disclosure relating to such incidents, this week, the SEC adopted cybersecurity disclosure rules, with a few notable changes from the proposing release. The final rules will require a U.S. public company to disclose (1) on Form 8-K the occurrence of a material cybersecurity incident within four business days after determining that such incident is material and (2) in the Annual Report on Form 10-K, the company’s risk management, strategy and governance of cybersecurity. Foreign private issuers are subject to similar requirements. In this Alert, we discuss these important new rules in greater detail and provide recommendations on what to do now.