The SEC adopted final rules requiring companies that file documents with the commission to disclose material cybersecurity incidents and provide periodic disclosure of the registrant’s cybersecurity risk management, strategy, and governance in annual reports.