
SEC Proposal on Public Company Cybersecurity Risk Management

Summary

SIFMA provides comments to the Securities and Exchange Commission (SEC) in response to the SEC's proposed rule, “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” which applies to public companies subject to the reporting requirements of the Securities Exchange Act of 1934.


Submitted To: SEC

Submitted By: SIFMA

Date: 9 May 2022

Excerpt

May 9, 2022

Vanessa Countryman
Secretary, Securities and Exchange Commission
100 F Street NE
Washington, DC 20549-1090

RE: File No. S7-09-22; RIN 3235-AM89: SEC Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

Dear Ms. Countryman,

The Securities Industry and Financial Markets Association (“SIFMA”)[1] welcomes the opportunity to respond to the proposed rule issued by the Securities and Exchange Commission (the “Commission” or “SEC”) on March 9, 2022. The proposed rule concerns “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” with respect to public companies subject to the reporting requirements of the Securities Exchange Act of 1934 (the “Proposal”).[2] The Commission further requested comments on best practices with respect to such cybersecurity disclosures.

SIFMA acknowledges the unquestioned importance of cybersecurity to our country and economy, and to all public companies[3] and their investors.[4] Accordingly, we applaud the Commission for its continuing attention to corporate cybersecurity risk management. The Commission should distinguish between its role as prudential[5] regulator for regulated entities and its role to assure that public filings under the Exchange Act meaningfully inform investors regarding their investment decisions. As the Proposal stands now, we respectfully submit that the SEC is calling for public disclosure of considerably too much, too sensitive, highly subjective information, at premature points in time, without requisite deference to the prudential regulators of public companies or relevant cybersecurity specialist agencies (like the Cybersecurity and Infrastructure Security Agency (“CISA”)). Essentially, such disclosures would benefit cyber attackers more than they would investors. Moreover, the Proposal could be improved by taking into account public companies’ need to conduct essential internal cybersecurity investigations, coordinate with law enforcement, intelligence and national security agencies, and comply with court orders that may restrict the timing of permissible cybersecurity disclosures.

[1] SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA). For more information, visit http://www.sifma.org.

[2] See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11038; 34-94382; RIN 3235-AM89 (proposed Mar. 9, 2022) (the “Proposal”).

[3] Please note that references here to “public companies” or registrants concern companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.

[4] See Cybersecurity Resources, SIFMA, available at https://www.sifma.org/resources/cybersecurity-resources/; SIFMA Statement on Completion of Quantum Dawn VI Cybersecurity Exercise, SIFMA (Nov. 18, 2021), available at https://www.sifma.org/resources/news/sifma-statement-on-completion-of-quantum-dawn-vi-cybersecurity-exercise/; see also Kevin Eiden et al., Organizational cyber maturity: A survey of industries, McKinsey & Company (Aug. 4, 2021), available at https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/organizational-cyber-maturity-a-survey-of-industries (finding that banking and healthcare are the sectors with the best overall cybersecurity-management profiles and that more profitable companies build stronger cybersecurity capabilities).