Most listed companies already include cybersecurity risks in their investor documents, but, until now, the SEC did not mandate any disclosures from them. Public companies and foreign private issuers must also must describe how their board oversees cybersecurity risks and detail “management’s role and expertise in assessing and managing material risks from cybersecurity threats.”