SEC adopts cyberattack disclosure rules, listed crypto firms included

Public companies in the United States, including listed crypto firms, will be required to disclose any major cybersecurity incidents within a four-day time limit, under new rules adopted by the United States securities regulator.

The rules from the United States Securities and Exchange Commission require any public company to disclose a cyberattack within four days of it being deemed “material,” except in cases where such disclosure is deemed a possible national security or public safety risk.

The rules have been adopted as of July 26, and will become effective 30 days following the publication of the adopting release in the Federal Register, said the SEC.

It will also require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks and give periodic updates about previously reported cybersecurity incidents. 

The incoming rules are intended to benefit investors by strengthening cybersecurity risk management measures, according to the SEC’s July 26 statement.

<em>A fact sheet by the SEC explaining the incoming cybersecurity disclosure rules. Source: SEC.</em>

“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them,” explained SEC Chair Gary Gensler.

The new rules will apply to any publicly listed company in the United States. In the crypto industry, publicly-listed crypto firms include Coinbase (COIN), Marathon Digital (MARA), Riot Blockchain (RIOT) and Hive Digital Technologies (HIVE).

The SEC explained that an increase in digital payments and digitzed operations in the workforce combined with the ability of criminals to monetize cybersecurity incidents made the new rules a necessity to protect investors.

Related: Coinbase domain name reportedly used by scammers in high-profile attacks

Cryptocurrencies have been a prime target for North Korea state-backed Lazarus Group and other cybercriminals looking to pull off a high-value exploit. Lazarus Group has hacked cryptocurrency platforms well over $850 million across several high-profile exploits.

The cybersecurity rules were first proposed by the SEC in March 2022.

Magazine: Crypto regulation: Does SEC Chair Gary Gensler have the final say?