A divided SEC has adopted final rules requiring public companies to report cybersecurity incidents within four business days of determining they are material on Form 8-K beginning December 18, 2023, and requiring increased disclosure of cybersecurity risk management, strategy and governance in annual reports for fiscal years ending on or after December 15, 2023 (Final Rules). In this guest article, King & Spalding attorneys discuss the Final Rules’ key requirements for incident reporting and annual disclosures, describe notable differences from the proposed rules and provide compliance takeaways. See also King & Spalding’s discussion of the proposed rules: “Takeaways From the SEC’s Enhanced Cybersecurity Disclosure Regime for Public Companies” (Apr. 6, 2022).