SEC Mandates U.S.-Listed Crypto Firms to Report Cybersecurity Breaches
Later this year, companies are set to commence reporting cybersecurity incidents and strategies to the SEC.

Because Bitcoin
July 28, 2023
CoinDesk reported that the Securities and Exchange Commission (SEC) now requires listed companies, including crypto firms, to publish annual reports on their cybersecurity risk management, strategy, and governance. The new rule also requires companies to disclose any "material" cybersecurity incidents within four business days, a measure intended to build trust between investors and public companies.
Companies must provide details on the impact of the cyberattack on their business, along with a report on the incident and its timing. The process for determining the potential financial impact of security breaches remains unclear, with the SEC yet to respond to further inquiries for clarification. SEC Chair Gary Gensler emphasized the importance of considering all types of incidents, comparing cybersecurity breaches to other material events like factory fires.
While many listed companies already address cybersecurity risks in their investor documents, the SEC had not previously mandated specific disclosures. Under the new requirement, public companies and foreign private issuers must also describe how their board oversees cybersecurity risks and provide details about management's role and expertise in assessing and managing such risks. The effective date for the new requirement will be between 30 and 180 days after the publication of the financial release in the Federal Register, with smaller companies having the full 180 days to begin filing their disclosures.
In special circumstances, companies can petition to postpone disclosure if the U.S. Attorney General determines that immediate disclosure of a cybersecurity threat would pose a substantial risk to national security or public safety.