Meet the Top 101 in Crypto
News
3 min read

SEC Cybersecurity: Is Agency Following Its Own New Rules On Reporting, Disclosure of Breaches?

Published 10 January 2024
James Morales
Authors

Key Takeaways

  • The official SEC X account was compromised on Tuesday, January 9, leading many to question the agency’s competence.
  • Ironically, last year the SEC enforced new disclosure rules requiring companies to report cybersecurity incidents.
  • Following the logic of its own rulemaking, the regulator owes the American public an explanation.

Since adopting new cybersecurity disclosure rules in 2023, the Securities and Exchange Commission (SEC) has required publicly listed US companies to report incidents within four days. But does the regulator follow its own rules?

After its official X account was compromised on Tuesday, January 9, the SEC’s credibility as a cybersecurity authority has certainly been damaged. 

Security Breach Undermines SEC Credibility

Having gained control of the regulator’s social media profile, the SEC hacker falsely announced the approval of spot Bitcoin ETFs in the US, causing the cryptocurrency’s price to temporarily spike before the statement was retracted. 

Responding to the incident, X reported that an unidentified individual obtained control of a phone number associated with the official SEC  account through a third party. It added that the account didn’t have 2-factor authentication (2FA) enabled when it was compromised.

In the wake of the security breach, the SEC has been condemned by senators and ridiculed by the consumers it is charged with protecting, with many questioning how an agency that doesn’t even implement basic security measures like 2FA can be trusted to regulate the cybersecurity strategies of some of the world’s largest businesses.

What Are the SEC’s Cybersecurity Disclosure Rules?

According to the SEC’s disclosure rules, applicable organizations must report all “material cybersecurity incidents,” i.e. those that are likely to affect their operational performance or financial condition. 

Were it bound by the rules itself, the SEC would therefore be required to report any security breaches that threaten its ability to protect investors, maintain market stability or facilitate capital formation. Given the market-moving consequences of Tuesday’s X hack, it’s fair to say the regulator failed on all 3 fronts.

As well as reporting incidents, US businesses must also publish information regarding their cybersecurity risk management strategy annually. 

The logic behind the policy is that investors should be able to assess companies’ security practices to identify potential investment risks. In theory, the inclusion of cybersecurity disclosure under the umbrella of SEC bureaucracy allows for the side-by-side comparison of different firms’ strategies. 

Presumably, the SEC also has its own cybersecurity framework. But unfortunately, the agency doesn’t follow its own rules. Of course, Lawmakers will surely demand an explanation from the SEC’s leadership, but a brief telling-off on Capitol Hill is unlikely to assuage anyone’s concerns.

James Morales

James Morales is CCN’s blockchain and crypto policy reporter. He has been working in the news media since 2020, writing about topics such as payments, banking and financial technology. These days, he likes to explore the latest blockchain innovations and the evolving landscape of global crypto regulation.

With an educational background in social anthropology and media studies, James uses his platform as a journalist to explore how new technologies work, why they matter and how they might shape our future.

Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
DMCA.com Protection Status