Coinbase, Marathon Digital and Riot Blockchain are among the SEC-registered cryptocurrency firms that would need to comply with the rules.
Public companies in the United States, including listed crypto firms, will be required to disclose any major cybersecurity incidents within a four-day time limit, under new rules adopted by the United States securities regulator.
The rules from the United States Securities and Exchange Commission require any public company to disclose a cyberattack within four days of it being deemed “material,” except in cases where such disclosure is deemed a possible national security or public safety risk.
Today we adopted rules to ensure that investors receive consistent information from public companies about material cybersecurity incidents as well as companies' cybersecurity risk management, strategy, and governance.
— U.S. Securities and Exchange Commission (@SECGov) July 26, 2023
The rules have been adopted as of July 26, and will become effective 30 days following the publication of the adopting release in the Federal Register, said the SEC.
It will also require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks and give periodic updates about previously reported cybersecurity incidents.
The incoming rules are intended to benefit investors by strengthening cybersecurity risk management measures, according to the SEC’s July 26 statement.
“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them,” explained SEC Chair Gary Gensler.
The new rules will apply to any publicly listed company in the United States. In the crypto industry, publicly-listed crypto firms include Coinbase (COIN), Marathon Digital (MARA), Riot Blockchain (RIOT) and Hive Digital Technologies (HIVE).
The SEC explained that an increase in digital payments and digitzed operations in the workforce combined with the ability of criminals to monetize cybersecurity incidents made the new rules a necessity to protect investors.
Cryptocurrencies have been a prime target for North Korea state-backed Lazarus Group and other cybercriminals looking to pull off a high-value exploit. Lazarus Group has hacked cryptocurrency platforms well over $850 million across several high-profile exploits.
The cybersecurity rules were first proposed by the SEC in March 2022.