The Securities and Exchange Commission’s (SEC) new requirements for how public companies disclose material cybersecurity incidents will go into effect later this month, after the end of the comment period.
Given the transparent and timely manner in which exploits are often reported and handled within the crypto space, the new requirements could provide public crypto companies in the US an opportunity to demonstrate their capabilities.
Erik Gerding, director of the Corporation Finance Department, issued a statement on December 14 about how the new rules will be implemented, and it appears that the rules will affect publicly traded crypto companies.
New SEC Cybersecurity Disclosure Requirements
As Gerding said:
“These rules will provide investors with timely, consistent and comparable information on an important set of risks that could cause significant losses to listed companies and their investors.”
Following the comment period, the SEC recognized compliance and threat actor concerns, resulting in changes from the original proposal. Gerding emphasized the need for the new requirements by noting that while publicly traded companies’ disclosures have already “improved since that guidance was issued,” disclosure practices have remained inconsistent.
The final rules have two components. First, companies must report material cybersecurity incidents within four business days of determining their materiality. Second, there is a requirement for annual disclosure of information on cybersecurity risk management, strategy and governance.
Gerding explained the rationale behind the materiality standard for disclosures: “Materiality is a touchstone of securities law. It links disclosures to investor needs.” He clarified that the SEC does not prescribe specific cybersecurity measures, but ensures that investors receive the necessary and consistent information.
Cybersecurity disclosure rules affect crypto
These developments are of particular importance for the crypto sector. The increasing use of digital payments and the “growth of economic activities dependent on electronic systems” directly exposes the crypto industry to the cybersecurity risks referenced in the new rules. As Gerding said:
“The Commission has noted that cybersecurity risks have increased, alongside the increasing share of economic activity dependent on electronic systems, the growth of remote working, the ability of criminals to monetize cybersecurity incidents, the use of digital payments and the increasing reliance on third-party service providers for information technology services, including cloud computing technology.”
The rules also allow for delayed reporting of disclosures of cybersecurity incidents that could pose a “substantial risk to national security or public safety.”
Although Ledger is not a publicly traded company, the recent attack on its Ledger Connect Kit library demonstrates the industry’s ability to immediately recognize, adapt to and correct security incidents. From initial disclosure to patching the affected library, Ledger took less than four hours to resolve the incident. The community also played a crucial role in analyzing the problem and helping Ledger resolve it. Ledger has reportedly expressed a desire to go public in the past.
Furthermore, within hours of the attack, Tether was able to freeze the assets in the operator’s wallet, rendering the funds unusable and non-transferable on the same day.
Compared to traditional Web2 incidents, a stronger spotlight on a company’s cybersecurity practices can reveal a strength of the Web3 industry that is often not understood by conventional markets. If public crypto companies were able to disclose issues in such an efficient and transparent manner, they could set a new standard for security in the US.
However, as the crypto industry integrates technologies such as artificial intelligence, these new SEC rules could indirectly impact how public crypto companies approach cybersecurity through other arenas.
Implications of the new disclosure rules for public crypto companies
Public crypto companies like Coinbase, Riot Blockchain and others will have to adhere to the new rules. This means that they must report any material cybersecurity incident within four business days of determining its materiality. Given the higher risk of cyber threats in the cryptocurrency sector, this could lead to more frequent public disclosures.
The requirement for these companies to report cybersecurity incidents and their strategies for managing such risks can strengthen or weaken investor confidence. On the one hand, transparent disclosure of effective cybersecurity measures could increase investor confidence. On the other hand, the disclosure of significant cybersecurity incidents could lead to a loss of investor confidence and potentially affect the companies’ stock prices.
Complying with the new SEC rules could also increase operational and compliance costs for public crypto companies. They may need to invest in improved cybersecurity infrastructure, hire more cybersecurity personnel, and dedicate resources to ongoing monitoring and reporting of cybersecurity incidents.
If these companies fail to adequately disclose cybersecurity incidents or provide insufficient information about risk management strategies, they may be subject to further legal and regulatory scrutiny. This may include investigations by the SEC or other regulatory authorities, which could potentially result in fines, sanctions or other regulatory action.
Ultimately, Gerding’s comments highlight how the Commission is trying to balance the need for disclosure against the risk of providing threat actors with potentially exploitable information.
The industry will hope that further requirements are not increasingly seen as overreaching and stifling innovation in digital assets. As the crypto sector continues to intersect with mainstream financial markets, the implications of these developments could play a substantial role in any decision to go public in the US.