The Securities and Exchange Commission (SEC) on Wednesday finalized its controversial rule requiring public companies to disclose the nature, scope, timing, and impact of cybersecurity incidents deemed to be material within four business days.

The rule, proposed in March 2022, has received significant attention in the past year for the relatively short timeline it provides businesses to grasp the extent of a cybersecurity incident such as a data breach. Also short will be its compliance date, as large companies as soon as December could be required to begin making the new disclosures.

Smaller reporting companies will receive an additional 180 days to comply.