Public crypto companies must disclose cybersecurity incidents, per new SEC rules
The new rules add a layer of transparency for investors to see when a public company, such as Coinbase or MicroStrategy, has faced a cybersecurity incident
Michael Traitov/Shutterstock modified by Blockworks
The US Securities and Exchange Commission is requiring public companies, including public crypto companies, to disclose cybersecurity incidents.
The new rule, adopted on Wednesday, aims to ensure that investors receive potentially “material” information when a company has been attacked.
“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information,” SEC Chair Gary Gensler said.
Companies such as Coinbase, Marathon Holdings, Bitdeer and MicroStrategy will be impacted by the new SEC rules.
“There has been a substantial rise in the prevalence of cybersecurity incidents, propelled by several factors: the increase in remote work spurred by the COVID-19 pandemic; the increasing reliance on third-party service providers for information technology services; and the rapid monetization of cyberattacks facilitated by ransomware, black markets for stolen data, and crypto-asset technology,” the SEC noted.
The SEC added that “evidence suggests” that companies are “underreporting cybersecurity risks.”
The new rule change will make it necessary for companies to give clear and specific information about any incidents that occur. This information will include details about when the incident happened, how it affected the company and its users, whether any data was stolen or accessed, and updates on whether the company has remediated the situation. All of this will be included in a new item, dubbed 1.05, included on 8K forms.
Public companies will also have to “describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents” on Regulation S-K.
8K forms give investors updates on big changes at listed companies.
The change comes as the SEC’s chief accountant warned that accounting firms working as auditors for the crypto industry need to be mindful of anti-fraud laws.
SEC Commissioner Hester Peirce, who has shown support for crypto in the past, tweeted that “crypto platforms [and] their accountants should be clear about what proof of reserves is and isn’t,” but she warned against discouraging “good-faith efforts to provide more transparency.”
Get the news in your inbox. Explore Blockworks newsletters:
- The Breakdown: Decoding crypto and the markets. Daily.
- 0xResearch: Alpha in your inbox. Think like an analyst.
- Empire: Crypto news and analysis to start your day.
- Forward Guidance: The intersection of crypto, macro and policy.
- The Drop: Apps, games, memes and more.
- Lightspeed: All things Solana.
- Supply Shock: Bitcoin, bitcoin, bitcoin.
