SEC Mandates Annual Reports on Cybersecurity Risk Management for Listed Companies


The Securities and Exchange Commission (SEC) has issued a new rule requiring listed companies, including crypto firms, to publish annual reports on their cybersecurity risk management, strategy, and governance. Companies must disclose any material cybersecurity incident within four business days, describing the incident, when it occurred, and how it is expected to affect their business.

SEC Chair Gary Gensler stated, "Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors."

Most listed companies already include cybersecurity risks in their investor documents, but the SEC is now making these disclosures mandatory. Public companies and foreign private issuers must also describe how their board oversees cybersecurity risks and detail management's role and expertise in assessing and managing material risks from cybersecurity threats.

The new requirement will become effective 30 to 180 days after the rule is published in the Federal Register. Smaller companies will have the full 180 days to begin filing their disclosures. Registrants can petition to postpone a disclosure if the U.S. Attorney General determines that immediately disclosing the incident would pose a substantial risk to national security or public safety.

Hacks have been known to have devastating effects on companies' stocks, as seen in February when Coinbase (COIN) revealed it had been compromised in an attack last year, sending its stock tumbling.