SEC Cybersecurity Disclosures: Reporting Material Blockchain Exploits (Form 8-K)

Discovery (Day 0): You realize the bridge is drained. Determination (Day X): You conclude the loss is material to investors. The clock starts at Determination. However, "unreasonable delay" in determination is a violation.

Quantitative: Loss > 1-5% of assets. Qualitative: Loss of Admin Keys (God Mode), Logic Bug affecting core product, or reputational ruin. A small dollar loss can be material if it kills trust.

Required: Nature/Scope, Timing, and Financial Impact. Not Required: Technical details that would aid hackers (e.g., specific vulnerability code). Focus on the Balance Sheet impact.

No. Tweets and Etherscan links are "unstructured data." Expenses and liabilities must be filed formally. Relying on public knowledge creates liability for "Selective Disclosure."

If the hack is linked to a nation-state (e.g., Lazarus Group), the Attorney General can grant a 30-day delay for national security. Your counsel must apply for this immediately if suspected.

1. Materiality Committee (CEO, CFO, GC) meets every 12 hours. 2. Document the "Why" (if deciding not to file). 3. Automate "Funds at Risk" alerts to trigger the committee.

Offshore entities listed in the US must file Form 6-K if they disclose the hack locally. You cannot hide an offshore hack from US investors.

1. Detect Incident. 2. Convene Committee. 3. Assess Materiality (Quant/Qual). 4. Draft 8-K (No technical roadmaps). 5. File within 4 Days.