Public crypto companies in the U.S. may soon have the opportunity to showcase their cybersecurity capabilities in a transparent and timely manner, thanks to new disclosure requirements from the Securities and Exchange Commission (SEC). The new rules, which go into effect later this month, will require public companies to disclose material cybersecurity incidents within four business days after determining their materiality, as well as provide annual disclosure of information regarding cybersecurity risk management, strategy, and governance.
Erik Gerding, Director of the Division of Corporation Finance, emphasized the significance of the new requirements, noting that they will provide investors with timely, consistent, and comparable information about cybersecurity risks. The SEC’s decision to implement these rules comes as a response to concerns about compliance and the increasing cybersecurity risks faced by public companies.
The crypto industry, in particular, stands to be significantly affected by these new rules, as the increasing use of digital payments and economic activities dependent on electronic systems exposes the sector to cybersecurity risks. The SEC has acknowledged the growing cybersecurity risks associated with the industry, including criminals' ability to monetize cybersecurity incidents, the use of digital payments, and reliance on third-party service providers for information technology services.
While the rules directly impact publicly listed crypto companies, they could also indirectly influence how public crypto businesses approach cybersecurity in other arenas, such as the integration of technologies like artificial intelligence.
Public crypto companies like Coinbase and Riot Blockchain will need to adhere to the new rules by disclosing any cybersecurity incidents within four business days of determining their materiality. With the higher risk of cyber threats in the cryptocurrency sector, this could lead to more frequent public disclosures.
However, the requirement for these companies to report cybersecurity incidents and their strategies for managing such risks could either bolster or weaken investor confidence. Transparent disclosure of effective cybersecurity measures could increase investor trust, while the revelation of significant cybersecurity incidents could lead to a loss of investor confidence and potentially affect the companies’ stock prices.
Complying with the new SEC rules may also increase operational and compliance costs for public crypto companies, as they may need to invest in enhanced cybersecurity infrastructure, hire more cybersecurity personnel, and allocate resources for ongoing monitoring and reporting of cybersecurity incidents. Failure to adequately disclose cybersecurity incidents or provide sufficient information on risk management strategies could also subject these companies to further legal and regulatory scrutiny.
Overall, the industry will be hoping that further requirements do not come to be seen as overreaching and as stifling innovation within the digital asset space, since the implications of these developments may play a substantive role in any decision to go public in the U.S. The new SEC rules may provide public crypto companies with a chance to showcase their cybersecurity capabilities and set a new standard for security throughout the U.S. With the increasing intersection of the crypto sector with mainstream financial markets, the industry will need to navigate the implications of these developments to continue its growth and innovation.