The Securities and Exchange Commission adopted a long-anticipated rule modernizing corporate cyber incident disclosure, requiring public companies to report material breaches within four business days.
The final rule includes a limited national security exemption and clarifies materiality analysis for ransomware events.
Compliance obligations take effect for fiscal years beginning after December 15, 2026.
