The U.S. Securities and Exchange Commission (SEC) has adopted enhanced cyber breach disclosure measures that require all public companies, including digital asset firms like Coinbase (NASDAQ: COIN), to reveal all cybersecurity incidents.
The new rules require all public companies to disclose any cybersecurity incident it deems material, including its nature, scope, and timing. They must also reveal the reasonably likely material impact the incident will have on the company’s operations.
Public companies will be granted four days to report the incident. However, it can be delayed or voided if the government determines that the incident would threaten national security or public safety.
While public companies have been reporting major breaches, the SEC says the current requirements are inconsistent. The new rules will result in “consistent, comparable, and decision-useful disclosures that would allow investors to evaluate registrants’ exposure to material cybersecurity risks and incidents.”
A cybersecurity breach can be just as damaging to a company as a fire that takes down an entire factory, and investors have a right to be informed, says SEC chairman Gary Gensler.
“Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way,” he commented.
The new rules will affect all public companies in the digital asset world. They include Coinbase, Riot Blockchain (NASDAQ: RIOT), Marathon Digital (NASDAQ: MARA), and Hive Digital Technologies (TSXV: HIVE | OTCQX: HVBTF | FSE: HBF).
While the industry is a constant target for hackers, public digital asset companies have not reported major incidents. Coinbase was targeted by the Oktapus hackers’ group in 2022, but they only accessed limited employee contact information.
Wall Street is fighting back against the SEC’s new rules, which they argue are too stringent.
“The SEC is calling for public disclosure of considerably too much, too sensitive, highly subjective information, at premature points in time, without requisite deference to the prudential regulators of public companies or relevant cybersecurity specialist agencies,” commented the Securities Industry and Financial Markets Association.
The NYSE’s general counsel, Hope Jarkowski, added that such premature disclosures could provide the hackers with useful information to expand their attack.
CoinGeek Weekly Livestream with Bryan Daugherty: BSV Provides Solutions for Cybersecurity & Fraud