In a recent move aimed at enhancing trust between investors and public companies, the Securities and Exchange Commission (SEC) has imposed a directive for listed entities, inclusive of cryptocurrency enterprises, to publish annual accounts on their “cybersecurity risk, management strategy and governance.” One area of ambiguity remains as to how firms will ascertain the financial impact of security breaches.
The initiative compels companies to reveal any substantial cybersecurity incidents within a four-day window, complete with detailed reports on the nature of the attack and its timing. SEC Chair Gary Gensler suggested the importance of such disclosures when he drew a comparison between a company losing a factory in a fire and an entity suffering the loss of millions of files in a cybersecurity incident, stating that both could be significantly material to investors.
It’s worth noting that prior to this, although most listed corporations included cybersecurity risks in their investor documents, the SEC did not enlist any disclosure directives. As part of the fresh guidelines, public firms and foreign private issuers are now also required to shed light on the role of their board in overseeing cybersecurity threats along with “management’s role and expertise in assessing and managing material risks from cybersecurity incidents.”
The implementation timeframe for these regulations ranges from 30 to 180 days post the publication of the new financial report in the Federal Register, with the latter end of the spectrum meant for smaller companies. The provisions do permit postponement of immediate reports if the U.S. Attorney General determines that it risks national security or public safety.
The recent cash-in transit attack on Coinbase revealed the unprecedented consequences of these security infringements, as it directly led to a sharp decline in its stock price. Setting Coinbase as an admonition, it’s only evident how such breaches can have a grave impact on not only a company’s stock but also its reputation among investors.
The decision by the SEC, though warranted with its potential in securing investor interests, also puts companies on edge. It inevitably pushes them towards taking stringent cybersecurity measures or risk losing investor trust along with their share value.
Source: Coindesk