The Securities and Exchange Commission (SEC) mandated that publicly traded businesses, including cryptocurrency businesses, submit yearly reports on their “cybersecurity risk management, strategy, and governance.”
In an effort to increase investor confidence in publicly traded corporations, the new rule mandates that businesses disclose any “material” cybersecurity issues within four business days. Along with a report outlining the occurrence and the timing, businesses must explain how the cyberattack might affect their operations. Which security lapses could have a financial impact on businesses is still a subject of debate.
“Whether a company loses a factory in a fire — millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler.
Although the SEC has not yet required any disclosures from listed firms, the majority of them already identify cybersecurity concerns in their investor materials. Companies that are publicly traded and overseas private issuers are also required to provide information on how their board oversees cybersecurity risks and describes “management’s role and expertise in assessing and managing material risks from cybersecurity threats.”
30 to 180 days after the new financial release is published in the Federal Register, the new obligation will take effect. Lesser-known businesses will have a full 180 days to start filing their disclosures.
If the US Attorney General finds that disclosing cybersecurity vulnerabilities immediately would “pose a substantial risk to national security or public safety,” registrants may request a postponement.
Hacks are known to have catastrophic impacts on a company’s stock price. Coinbase (COIN) claimed it had been compromised in an attack last year that also hit tech goliaths including Cloudflare and DoorDash, which caused its stock to crash.