The Securities and Exchange Commission’s (SEC) new disclosure requirements, which govern how public companies disclose material cybersecurity incidents, go into effect later this month following the conclusion of the comment period.
Given the transparent and timely manner in which exploits are often reported and handled within the crypto space, the new requirements may offer public crypto companies in the U.S. a chance to showcase their capabilities.
Erik Gerding, Director of the Division of Corporation Finance, made a statement on Dec. 14 concerning how the new rules will be implemented, and it appears their implications will affect publicly listed crypto companies.
New cybersecurity disclosure requirements from the SEC
As Gerding stated,
“These rules will provide investors with timely, consistent, and comparable information about an important set of risks that can cause significant losses to public companies and their investors.”
Following the comment period, the SEC has acknowledged concerns about compliance and threat actors, leading to modifications from the initial proposal. Gerding stressed the necessity of the new requirements by noting that although public companies’ disclosures have already “improved since that guidance was issued,” disclosure practices have remained inconsistent.
The final rules have two components. Firstly, companies must disclose material cybersecurity incidents within four business days after determining their materiality. Secondly, there is a requirement for annual disclosure of information regarding cybersecurity risk management, strategy, and governance.
Gerding explained the rationale behind the materiality standard for disclosures, “Materiality is a touchstone of securities laws. It connects disclosures back to the needs of investors.” He clarified that the SEC does not prescribe specific cybersecurity defenses but ensures investors receive necessary and consistent information.
Cybersecurity disclosure rules affect crypto
These developments hold particular significance for the crypto sector. The increasing use of digital payments and the “growth of economic activities dependent on electronic systems” directly expose the crypto industry to the cybersecurity risks referenced in the new rules. As Gerding mentioned,
“The Commission has noted that cybersecurity risks have increased alongside the ever-increasing share of economic activity that depends on electronic systems, the growth of remote work, the ability of criminals to monetize cybersecurity incidents, the use of digital payments, and the increasing reliance on third party service providers for information technology services, including cloud computing technology.”
The rules also account for delayed reporting of cybersecurity incident disclosures that could pose a “substantial risk to national security or public safety.”
While Ledger is not a publicly traded company, the recent attack on its Ledger Connect Kit library showcases the industry’s ability to promptly recognize, adapt, and rectify security incidents. From the initial disclosure to patching the affected library, Ledger took less than four hours to address the incident. The community also played a vital role in analyzing the issue and helping Ledger fix the problem. Ledger has, however, reportedly expressed a desire to go public in the past.
Further, Tether was able to freeze the assets in the exploiter’s wallet within hours of the attack, making the funds unusable and non-transferable on the same day.
Compared to traditional web2 incidents, a stronger spotlight on a company’s cybersecurity procedures may showcase a strength of the web3 industry not often understood by conventional markets. Should public crypto companies be able to continue to disclose issues in such an efficient and transparent manner, they may set a new standard for security throughout the U.S.
However, as the crypto industry integrates technologies like artificial intelligence, these new SEC rules may indirectly influence how public crypto businesses approach cybersecurity through other arenas.
Public crypto company implications of new disclosures
Public crypto companies such as Coinbase, Riot Blockchain, and others will need to adhere to the new rules. This means they must disclose any cybersecurity incidents within four business days of determining their materiality. Given the higher risk of cyber threats in the cryptocurrency sector, this could lead to more frequent public disclosures.
The requirement for these companies to report cybersecurity incidents and their strategies for managing such risks could either bolster or weaken investor confidence. On the one hand, transparent disclosure of effective cybersecurity measures could increase investor trust. On the other hand, the revelation of significant cybersecurity incidents could lead to a loss of investor confidence and potentially affect the companies’ stock prices.
Complying with the new SEC rules may also increase operational and compliance costs for public crypto companies. They may need to invest in enhanced cybersecurity infrastructure, hire more cybersecurity personnel, and allocate resources for ongoing monitoring and reporting of cybersecurity incidents.
Failure to adequately disclose cybersecurity incidents or provide sufficient information on risk management strategies could also subject these companies to further legal and regulatory scrutiny. This might include investigations by the SEC or other regulatory bodies, potentially leading to fines, sanctions, or other regulatory actions.
Ultimately, Gerding’s comments spotlight how the Commission aims to balance the need for disclosure against the risk of providing threat actors with potentially exploitable information.
The industry will hope that further requirements are not increasingly seen as overreaching and stifling innovation within the digital asset space. As the crypto sector continues to intersect with mainstream financial markets, the implications of these developments may play a substantive role in any decision to go public in the U.S.