Subject: File No. S7-09-22
From: Tom Cornelius
Affiliation: Sr Partner, ComplianceForge, LLC

April 5, 2022

The proposed cybersecurity rule contains multiple references to disclosing content pertaining to an organization's policies and procedures. It must be made clear to the SEC that disclosing the actual policies and procedures of an organization is misguided, since it would divulge Intellectual Property (IP) and enable the weaponization of the content by nefarious parties.

The final rule must focus on disclosing pertinent information about an organization's cybersecurity policies and standards, while not disclosing the actual content of the policies and procedures. For example, the phrase "The registrant has a cybersecurity risk assessment program and if so, provide a description of such program" from within the proposed rule is wording that meets the intent of disclosing information about the cybersecurity policies and standards, without divulging IP or information that could be used to attack and bypass the cybersecurity defenses of the organization.

Many organizations within scope of this SEC rule have used third parties to help craft cybersecurity policies and procedures, where those organizations are contractually obligated to protect the IP associated with the documentation. Therefore, an SEC rule that requires the public disclosure of complete cybersecurity policies and standards would compel organizations into violating legally binding non-disclosure contracts. Do not weaken security or expose organizations to enhanced liability by forcing the disclosure of an organization's policies and procedures.