- Registered cryptocurrency companies are among those that must report.
- These include exchange Coinbase and mining firms Marathon Digital and Riot Blockchain.
- The rules will go into effect 30 days after the release is published in the Federal Register.
The U.S. Securities and Exchange Commission (SEC) has adopted new cyberattack disclosure rules.
The document says public companies, including registered crypto firms, must disclose any major cybersecurity incident within the first four days of the event. The exceptions are those situations where disclosure of the data could pose a threat to national security or public safety.
Organizations are also required to submit information related to their cybersecurity, strategy and risk management every year.
SEC Chairman Gary Gensler said the rules should be helpful to investors and companies alike:
“Whether a company loses a factory to a fire or millions of files to a cybersecurity incident, it can be significant to investors. Many publicly traded firms are now providing cybersecurity information to investors. In my view, companies and investors alike will only benefit when this disclosure is more systematic, understandable, and conducive to informed decision-making.”
The rules were adopted on July 26, but will not take effect until 30 days after the relevant release is published in the Federal Register.
Recently, Gensler supported the Biden administration’s plan to allocate $2.4 billion for SEC work. In addition, it has requested $72 million from the U.S. Senate to expand the state to protect investors from a “Wild West” in the cryptoasset market: