Public companies in the United States, including listed crypto firms, will be required to disclose any major cybersecurity incidents within a four-day time limit, under new rules adopted by the United States securities regulator.
The Four-Day Reporting Rule
The United States Securities and Exchange Commission’s (SEC) rules require any public company to disclose a cyberattack within four days of the incident being deemed “material,” except in cases where such disclosure could potentially jeopardize national security or public safety.
The rules were officially adopted on July 26 and will become effective 30 days after the publication of the adopting release in the Federal Register, as stated by the SEC.
Periodic Reporting and Cybersecurity Risk Management
The regulations will also require periodic reporting about a company’s policies and procedures to identify and manage cybersecurity risks, as well as periodic updates about previously reported cybersecurity incidents.
The incoming rules are designed to benefit investors by reinforcing cybersecurity risk management measures, according to the SEC’s July 26 statement.
Impact on Crypto Firms
The new rules will apply to any publicly listed company in the United States, including publicly listed crypto firms such as Coinbase (COIN), Marathon Digital (MARA), Riot Blockchain (RIOT), and Hive Digital Technologies (HIVE).
The SEC has clarified that the digitization of payments and operations, along with the growing ability of criminals to monetize cybersecurity incidents, necessitated these rules to better protect investors.
Cyber Threats in the Crypto Industry
Cryptocurrencies have been a prime target for cybercriminals, including the North Korean state-backed Lazarus Group, which has amassed over $850 million from hacking cryptocurrency platforms.
The SEC first proposed these cybersecurity rules in March 2022, recognizing the growing threat and need for better protection against cyberattacks.
Conclusion: Better Protection for Investors
These newly imposed rules from the SEC signal a growing recognition of the unique vulnerabilities presented by our increasingly digital and interconnected financial ecosystem. In particular, the inclusion of publicly listed cryptocurrency firms underscores the acknowledgment of crypto assets as a significant part of the financial market.
The swift four-day reporting timeline and requirement for periodic updates about cybersecurity incidents should provide investors with timely and essential information, allowing them to make more informed decisions. These requirements also prompt companies to fortify their cybersecurity measures and develop comprehensive risk management strategies.
Although the rules might introduce additional regulatory burdens for the companies, the overall intent is to protect the interests of investors and maintain the integrity of the markets. As cyber threats continue to evolve, regulatory bodies like the SEC will likely continue to adapt and tighten their policies to ensure the cybersecurity of the market and safeguard investor interests. The implementation of these rules marks a significant step towards more transparent and resilient financial markets in the era of digital currencies.