**This article originally appeared on Lawfare
As nation-state actors increase their malicious cyber capabilities toward companies, U.S. regulators such as the SEC have understandably increased their regulatory focus on cybersecurity. The SEC is of course a well-intended member of Team Cyber, and investors in public companies might benefit from some aspects of the SEC’s proposal: Increased knowledge of a company’s cybersecurity risks, experience, governance, and resiliency could be important to their decision-making. But the proposal is dangerous to the extent that it jeopardizes important safety, security, and geopolitical interests in the name of disclosure. Put simply, the SEC’s proposal must be revised to assure responsible (not reckless) public disclosure. The SEC should not force public companies to choose between SEC liability and effective collaboration with the government’s cybersecurity-focused agencies. As is, the proposed rule could increase the risk to the U.S.’s critical infrastructure, economy, homeland, and allies. The proposal should include deference for exigent law enforcement, national security, and judicial needs, and allow delay where appropriate for ongoing, unpatched incidents when premature disclosure could harm a broad swath of vulnerable companies and even government agencies.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.