U.S.-Listed Crypto Firms Will Need to Report Cybersecurity Breaches

Companies are poised to begin reporting cybersecurity incidents and strategies to the SEC later this year.

Jul 28, 2023 at 7:22 a.m. UTC

The Securities and Exchange Commission (SEC) ordered listed companies, including crypto firms, to publish annual reports on their "cybersecurity risk management, strategy, and governance."

The new rule requires companies to disclose any "material" cybersecurity incidents within four business days in a bid to deepen trust between investors and public companies. Companies must detail how the cyberattack would impact their business, along with a report detailing the incident and the timing.

It remains unclear how companies will determine which security breaches have a potential financial impact. The SEC did not immediately reply to CoinDesk's request for further clarification.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler.

Most listed companies already include cybersecurity risks in their investor documents, but, until now, the SEC did not mandate any disclosures from them. Public companies and foreign private issuers must also describe how their board oversees cybersecurity risks and detail "management’s role and expertise in assessing and managing material risks from cybersecurity threats."

The new requirement will become effective 30 to 180 days after the publication of the new financial release in the Federal Register. Smaller companies will have the full 180 days to begin filing their disclosures.

Registrants can petition to postpone disclosures if the U.S. Attorney General determines that an immediate disclosure of cybersecurity threats would "pose a substantial risk to national security or public safety."

Hacks have been known to have devastating effects on companies' stocks. In February, Coinbase (COIN) revealed it had been compromised in an attack last year that also targeted tech behemoths like Cloudflare and DoorDash, sending its stock tumbling.

Edited by Parikshit Mishra.



Elizabeth Napolitano

Elizabeth Napolitano was a news reporter at CoinDesk.