Author: Myke Lyons
Language: English

Summary

The SEC has adopted new rules on cybersecurity risk management, strategy, governance, and incident disclosure for public companies. Under these rules, a registrant must disclose a material cybersecurity incident to the SEC on Form 8-K within four business days, describing the nature, scope, and timing of the incident and its material impact, or reasonably likely material impact, on the registrant. The rules also require publicly traded companies to describe their security practices, including their processes for assessing, identifying, and managing material risks from cybersecurity threats, and the board of directors' oversight of those risks. The SEC Chair emphasizes that the rules aim to protect investors by providing consistent, comparable, and decision-useful cybersecurity disclosure. Critics, however, argue that this approach may not be practical or effective for every company, particularly small ones with limited resources or expertise, and they raise concerns about the consequences of delayed disclosure and the potential impact on national security and public safety. The rules also have implications for privately owned businesses, government agencies, and startups, even though these are not subject to the same requirements. Ultimately, experts emphasize the importance of designing and developing secure systems from the start, knowing one's assets, shifting security practices left, building muscle memory around incident response and communications, using accurate tools to fix vulnerabilities quickly, and partnering with engineering colleagues to achieve these goals.