The SEC does not aim to manage security but wants better disclosures. The final rule requires the disclosure of material cybersecurity incidents, but does not require specific technical details to avoid providing a roadmap for future attacks.