New federal rules will require public companies to disclose cybersecurity incidents as well as material risks from threats. Experts say the rules could be tricky to navigate and leave openings for exploitation by threat actors.

The Security and Exchange Commission’s rules policing disclosure and documentation of cyberattack incidents were adopted in July and started going into effect on December 15. Today, the remaining rules will apply to all public companies.

The rules will require businesses to disclose any cybersecurity incident they determine to be material and to disclose the incident’s scope, nature, and timing along with material impact. The rules also require organizations to describe processes for assessing, identifying, and managing material risks from those threats as well as the board of directors’ and management’s role in assessing and managing risk. The written disclosures must be filed within four business days of the event’s discovery.