SEC’s update: Cyberattacks must be disclosed within four days
The Securities and Exchange Commission (SEC) recently introduced a critical update to its cybersecurity disclosure regulations for public companies in the United States. The rules state that any cyberattacks must be disclosed within four days of their discovery, except for cases where immediate disclosure could pose a risk to national security or public safety.
What are the implications of this update and how could it enhance transparency and protect investors and the public from potential threats?
The need for timely cybersecurity disclosure
An escalation in the frequency and sophistication of cyberattacks targeting businesses and organisations shows the critical importance of adopting a proactive approach to protecting investors’ assets through timely cybersecurity disclosure. Recent events, such as the attack on CoinsPaid by the notorious Lazarus group, resulting in a staggering $37.3 million loss, serve as important reminders that cyber threats persist and continue to impact the crypto landscape. In light of the alarming $1.0 billion worth of cryptocurrencies being reported as stolen in 2023, the need for transparent and prompt cybersecurity disclosure has never been more evident.
Strengthening investor confidence
Creating a safe ecosystem for investors to feel protected in the world of crypto plays a vital role in addressing the main barrier to mass adoption: trust. The SEC’s new rules will help build investor confidence through a more transparent approach. Companies are now required to disclose cyberattacks within the a four-day time frame, so investors will be made aware if their assets are ever vulnerable to attack. Instilling trust should help foster a healthier market environment in a number of ways:
- Increased investments: Investors may feel more confident when they’re protected to invest more of their money.
- Improved market stability: By instilling confidence and fostering investors' trust in the market, they may be less likely to sell their crypto assets when there are fluctuations in the market, reducing the volatility of the market.
- Fostering innovation: fostering an investor's trust could also give them the confidence to build and innovate.
- Enhanced regulation: Investors may start to support regulation in the market that would help protect them and promote fairness. This would in turn create a more stable and sustainable market environment.
Protecting public safety and national security
The SEC’s new rule for the U.S. stipulates that, unless a cyber attack’s disclosure poses potential risks to these critical aspects, companies are mandated to promptly disclose such incidents. The exception allows companies to have the necessary flexibility while unequivocally prioritising the protection of their users.
Implementing robust cybersecurity protocols
The introduction of new cybersecurity rules also serves as a catalyst for organisations to reevaluate their existing protocols, increase their defenses and adopt more proactive strategies to prevent cyberattacks from happening in the first place. Increasing protection could allow investors to feel more protected and help build the trust to adopt crypto.
In 2020, KuCoin encountered a significant challenge when it reported a $280 million loss due to a hack. In response, the company reported the hack to the SEC, who investigated the incident. Following the investigation, KuCoin implemented a series of security enhancements. They updated their entire security system and implements strict new security measures that aligned with the financial-level security compliance requirements.
Collaboration and information sharing
Increasing the transparency of cyberattacks will also help other companies in the crypto market increase their intelligence of the type of attacks happening. Sharing threat intelligence can help identify the best practices against the current cyber threats in the crypto landscape.
At the beginning of 2023, there were four cases of flash loan attacks. In February, Platypus Finance was the victim of an attack costing them $8.5 million worth of assets. Unfortunately, in March the largest flash loan attack was recorded against Euler Finance with the hacker stealing $197 million. By understanding the types of attacks that are frequently happening in the crypto market, businesses can be more aware of how to protect themselves against them. For example, following these attacks, protocols could limit the amount of assets that can be borrowed in a single flash loan.
SEC oversight and enforcement
In recent months, the SEC has intensified its scrutiny of custodians and exchanges within the cryptocurrency industry. The regulatory spotlight has been put on major players like Coinbase and Binance, as they faced legal action from the SEC. These developments have brought the importance of compliance to the forefront, creating a turbulent period for an industry that could benefit from embracing regulation.
What are the implications?
Companies that fall victim to cyberattacks and are required to report them to the SEC could experience a significant decline in their prices. The damage to their reputation may leave investors feeling skeptical about investing with companies that do fall victim to cyberattacks. For instance, when Euler Finance suffered their flash loan attack in March 2023, their token EUL plummeted by over 45% within just a few days.
Furthermore, there are potential repercussions for companies that fail to disclose cyberattacks. The SEC may impose penalties on those that choose to withhold crucial information from investors.
The SEC’s recent update to disclose all cybersecurity breaches, serves as a vital step towards promoting transparency, safeguarding investor interests, and protecting the public from cyber threats. Despite the fact there could be some implications for companies that are hacked, the update is overall a positive development for end-users.