SEC adopts cyberattack disclosure rules for listed crypto firms.

The New Era of Cybersecurity Disclosure in the Blockchain Industry

Public companies in the United States, including listed cryptocurrency firms, will now be held to a higher standard when it comes to disclosing cybersecurity incidents. The United States Securities and Exchange Commission (SEC) has recently adopted new rules that require any public company to disclose a cyberattack within four days if it is deemed “material.” This move aims to strengthen cybersecurity risk management measures and protect investors.

The SEC’s latest rules, which were adopted on July 26, 2023, will become effective 30 days following their publication in the Federal Register. The regulations will also require periodic reporting on a company’s policies and procedures for identifying and managing cybersecurity risks, as well as updates on previously reported incidents.

The significance of these rules lies in their ability to ensure consistent and timely information for investors. By mandating public disclosure of cybersecurity incidents, the SEC aims to increase transparency and overall confidence in the market. This initiative aligns with the SEC’s broader mission to safeguard investors and maintain fair, orderly, and efficient markets.

The SEC’s Chair, Gary Gensler, emphasized the benefits of these rules for investors, companies, and the interconnected markets. He stated, “Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

The rise of digital payments and the increasing digitization of operations have made companies more vulnerable to cyber threats. Criminals have become increasingly adept at monetizing cybersecurity incidents, making it imperative to bolster cybersecurity measures. Cryptocurrencies, in particular, have been a prime target for cybercriminals, including state-backed groups like North Korea’s Lazarus Group. These groups have managed to hack into cryptocurrency platforms, resulting in losses exceeding $850 million.

To illustrate the importance of these new rules, consider the analogy of a fortress protecting valuable treasures. The blockchain industry represents a vault filled with digital assets, and cybersecurity measures act as defenses against potential attacks. By requiring public companies, including those operating in the crypto industry, to disclose cybersecurity incidents, the SEC is essentially enhancing the fortifications of this digital vault.

The incoming rules will apply to all publicly listed companies in the United States. Within the crypto industry, notable publicly listed firms such as Coinbase (COIN), Marathon Digital (MARA), Riot Blockchain (RIOT), and Hive Digital Technologies (HIVE) will be subject to these regulations. This demonstrates the SEC’s dedication to ensuring cybersecurity standards across all sectors, while simultaneously addressing the specific risks associated with cryptocurrencies.

The SEC’s decision to propose these cybersecurity disclosure rules in March 2022 was driven by the need to adapt to the evolving threat landscape and protect investors. The advent of blockchain technology has brought about numerous opportunities and challenges. While it offers decentralization, transparency, and security, the risks associated with cybersecurity incidents cannot be ignored.

To summarize the key points of the SEC’s new cybersecurity disclosure rules:

  1. Public companies, including those in the blockchain industry, are required to disclose material cybersecurity incidents within four days, unless there are national security or public safety risks.
  2. Periodic reporting on policies and procedures for identifying and managing cybersecurity risks is mandatory.
  3. Timely and consistent cybersecurity disclosure is intended to enhance transparency and protect investors.
  4. The rules apply to all publicly listed companies in the United States, including notable crypto firms.
  5. The rise of cyber threats, particularly in the cryptocurrency sector, necessitates stronger cybersecurity measures.

In conclusion, the SEC’s new cybersecurity disclosure rules mark a significant milestone in the blockchain industry. By enforcing timely and consistent disclosure of cybersecurity incidents, investors will gain greater confidence while companies strengthen their risk management measures. It is a proactive step towards fortifying the blockchain industry’s defenses and ensuring its sustainable growth in the digital era.

A fact sheet by the SEC explaining the incoming cybersecurity disclosure rules. Source: SEC.