TheCorporateCounsel.net

April 18, 2024

SEC Enforcement Director Speaks on AI Washing

Last month, I blogged about the SEC’s recent focus on “AI Washing,” or the practice of making potentially false and misleading statements about artificial intelligence as the frenzy continues regarding the impact of the evolving technology. SEC Enforcement Director Gurbir Grewal has now weighed in on how companies can use “proactive compliance” to avoid AI washing problems, in a speech at the Program on Corporate Compliance and Enforcement Spring Conference 2024.

Building on the concepts from a speech last year that articulated his concept of “proactive compliance,” Director Grewal noted that the practice requires three things: education, engagement, and execution. He explained:

First, educate yourselves about emerging and heightened AI risk areas as they relate to your businesses. That means reading the AI-related enforcement actions I mentioned. It means reviewing any future enforcement actions that may follow in this space.

It also means reviewing speeches like Chair Gensler’s recent speech on AI, which highlighted multiple other ways in which a firm’s AI use may heighten risk or implicate the federal securities laws. He specifically discussed the conflicts of interests raised by AI for advisers, the problems presented by AI hallucinations, and the threat that AI could pose to the stability of our markets.

And it means staying abreast of how potential AI-related issues are actually impacting companies in the real world. Take for example, the recent reporting around an airline’s chatbot offering a customer incorrect information about its refund policy.

Second, take what you’ve learned from our orders and public pronouncements, and your own research, and engage with personnel inside your company’s different business units to learn how AI intersects with their activities, strategies, risks, financial incentives, and so on.

Ask: what public statements are we making about our incorporation of AI into our business operations? Are they accurate, or are they aspirational? Does AI present a material risk to our business operations in some way?

Now is the time to engage.

And third, execute. Does your use of AI require updating policies and procedures and internal controls? If so, are those policies and procedures bespoke to your company? And here, let me be clear: it’s not enough to go to ChatGPT or a similar tool and ask it to produce an AI policy for you.

And then, have you taken the steps necessary to implement those policies and procedures? As we have seen time and again, adoption is only part of the battle; effective execution is equally important and that’s where many firms fall short.

With respect to potential personal liability in connection with AI washing, Director Grewal noted:

Here, I would look to our approach to cybersecurity disclosure failures generally: we look at what a person actually knew or should have known; what the person actually did or did not do; and how that measures up to the standards of our statutes, rules, and regulations. And as I’ve said before in the context of CCO and CISO liability, and I will say it again in the context of AI-related risk disclosures: folks who operate in good faith and take reasonable steps are unlikely to hear from us.

Director Grewal’s speech provides some practical guidance that companies can follow in drafting their AI disclosures, which will no doubt continue to evolve as the technology develops and companies pursue a variety of ways in which to deploy the technology.

– Dave Lynn

April 18, 2024

Chamber of Commerce Seeks to Intervene in Climate Disclosure Rules Litigation

Zach Barlow recently noted in the PracticalESG.com blog that the U.S. Chamber of Commerce has moved to intervene in The Sierra Club’s challenge to the SEC’s climate disclosures rules. Zach notes:

If the intervention is allowed by the court, this would mean that the Chamber of Commerce is both challenging the rule and defending it in the consolidated litigation. Cooley explains the confusion stating:

“The Chamber of Commerce has moved for leave to intervene in the cases brought by the Sierra Club and the NRDC ‘to defend those portions of the final rule that refrained from imposing the additional disclosure requirements the environmental groups would have this Court require the SEC to impose.’ The Sierra Club, the motion contends, ‘intends to argue that the SEC should have required public companies to disclose not only their own greenhouse-gas emissions, but also the emissions from the ‘use of [their] products’ and across their ‘supply chains’’; that is, that the SEC failed to impose a requirement to disclose Scope 3 GHG emissions.”

The Chamber of Commerce isn’t exactly pro-disclosure – they are just arguing against the Sierra Club’s position that the rule didn’t go far enough. The memo goes on to say that the Chamber of Commerce is attempting to intervene because they do not believe that the SEC adequately represents their interests in the litigation. The litigation is becoming increasingly complicated as large cases often do. Understanding where the battle lines are drawn and who is on whose side can be difficult in a case like this and just points to the size and complexity of the knot the 8th Circuit must untie. With moves like these abounding, it is unlikely that we’ll get any sort of resolution on the salient questions of the litigation anytime soon.

I think this development is just the beginning of how this messy litigation situation is going to play out, so grab your popcorn, it will no doubt be quite a show!

– Dave Lynn

April 18, 2024

I Left My Heart in San Francisco: Time to Register Now for Our Upcoming Conferences!

I was in San Francisco this week, and that got me thinking about our upcoming 2024 Proxy Disclosure & 21st Annual Executive Compensation Conferences, which are coming up on October 14-15. While October seems like a long time from now, it will be here before you know it and you will definitely want to be part of our big return to in-person conferences!

If you act now, you can take advantage of our early bird pricing. You can register now by one of two methods: by visiting our online store or by calling us at 800-737-1271.

– Dave Lynn

April 17, 2024

Cybersecurity: To 8-K or Not To 8-K, That is the Question

It has been four months since new Item 1.05 of Form 8-K went into effect, requiring current disclosure of material cybersecurity incidents. Item 1.05 of Form 8-K specifies that, if a company experiences a cybersecurity incident that is determined by the company to be material, the company must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations. An Item 1.05 Form 8-K must be filed within four business days of determining that an incident is material, subject to limited exceptions.

The experience with Item 1.05 of Form 8-K in its very short life has been somewhat confusing. As this very helpful Debevoise memo notes, a few clear takeaways have emerged in the first 100 days of current reporting of material cybersecurity incidents:

– On December 18, 2023, the SEC’s rule requiring disclosure of material cybersecurity incidents became effective. To date, 11 companies have reported a cybersecurity incident under the new Item 1.05 of Form 8-K and in this article we examine the early results of the SEC’s new disclosure requirement.

– A clear trend toward rapid disclosure has emerged, outpacing the analysis of financial impacts that the SEC believed most companies would include when determining materiality.

– Notwithstanding this trend toward speed, companies experiencing a cybersecurity incident would be well advised to exercise caution before disclosing in the early innings of incident response.

Now, granted, eleven Form 8-K filings is not a particularly robust sample size from which to draw conclusions, but the early compliance experience with a new disclosure requirement often sets the trends for future reporting, so the early filers certainly cannot be ignored. What has left a lot of observers scratching their heads is the nature of the cybersecurity incidents that have been reported, given that on their face the incidents do not strike anyone as the sort of material cybersecurity incident that we were all expecting to be reported. The Debevoise memo notes:

Of the 11 companies that have filed Forms 8-K to report a cybersecurity incident under Item 1.05, one identified a material operational disruption in its initial filing, and another identified a material impact on its results of operations in an amended filing made three weeks after the initial filing. The other nine companies did not expressly identify a material impact. They generally included an affirmative statement that the incident had not materially impacted operations, and they typically stated that they had not determined the incident was reasonably likely to materially impact the Company’s financial conditions or results of operations. The latter statement tracks Item 1.05’s line-item requirement to disclose whether the incident materially impacts the company’s financial condition and results of operations.

This trend has led to speculation that companies are voluntarily reporting immaterial cybersecurity incidents under Item 1.05 of Form 8-K or failing to adequately respond to Item 1.05’s requirements. Alternatively, these nine companies may believe that the combined characteristics of the incident—such as operational disruption, data loss or scope and length of intrusion—comprise the material impacts, in that these or other factors considered together render the cybersecurity incident material, even where no one impact is considered independently material. It is also possible that the SEC’s mandatory disclosure rule has caused a reassessment of when a cybersecurity incident could be considered material—especially incidents with possible qualitative material impact (e.g., reputational or legal) but no quantitative material impact—potentially lowering the bar for disclosure.

Another striking aspect of the early cybersecurity incident reporting experience is the speed with which companies have filed their Form 8-Ks. For this first batch of 11 filers, the average number of days between discovery and filing was 5.45 days, which I think everyone would agree is a very short time in which to identify, investigate and evaluate the materiality of a cybersecurity incident. In this regard, the Debevoise memo notes:

Item 1.05 requires an issuer to file a Form 8-K disclosing specified information about a cybersecurity incident within four business days of determining that the cybersecurity incident is material. This four-business-day deadline runs from the materiality determination, rather than the occurrence or detection of the incident, and the SEC has acknowledged that “[i]n the majority of cases, the registrant will likely be unable to determine materiality the same day the incident is discovered.” In practice, however, companies have disclosed incidents more quickly than the SEC may have anticipated. In the first 100 days, the average time from detection of a cybersecurity incident to the disclosure of the incident on a Form 8-K under Item 1.05 has been 5.45 business days. Eight companies (i.e., over 70% of the sample) have filed Forms 8-K under Item 1.05 within four business days of detecting the cybersecurity incident.

While all disclosure decisions will necessarily be driven by the facts and circumstances surrounding the incident, including regulatory or contractual notification requirements, companies should take care not to rush disclosure in the “fog of war.” In adopting Item 1.05, the SEC acknowledged that registrants will need to “develop information after discovery until it is sufficient to facilitate a materiality analysis.” The Rule, therefore, allows companies to undertake a reasonable investigation and an informed and deliberative materiality analysis, provided companies do not “unreasonabl[y] delay” the required determination. In most instances, we believe companies are well-advised to exercise caution before rushing to disclose early in the course of an incident investigation. Still, sometimes the incident will have public ramifications which may merit very quick disclosure.

My take on these early trends reflects the fact that I am a “traditionalist” on these kinds of disclosure matters, even when approaching a new Form 8-K disclosure item. I advise companies that they should only file an Item 1.05 Form 8-K when they have to, because the incident is material as contemplated by the rule. Disclosing a material cybersecurity incident is very likely to attract attention from the SEC and others who are looking at this new disclosure frontier as an opportunity for Enforcement and litigation actions, so discretion is the better part of valor in these situations. In terms of speed, I do think that, in most cybersecurity incidents, it takes time to investigate the incident and to make a materiality determination, so companies should take that time and avoid jumping the gun on an SEC disclosure decision.

– Dave Lynn

April 17, 2024

The Other Cybersecurity Disclosure: Where Do We Go from Here?

With Form 10-K season for December 31 year-end filers now wrapped up, we can now get a sense of how things went with the cybersecurity disclosure required in Item 106 of Regulation S-K. I don’t know about you, but preparing these disclosures proved to be a hard slog over the past few months, as is often the case when preparing new and unfamiliar disclosures from scratch. A DLA memo from earlier this year identified some early filer trends in the Form 10-K cybersecurity disclosure:

A recent study by DLA Piper Corporate Data Analytics of Item 1C disclosures filed by Russell 3000 companies as of January 31, 2024 found:

– 85 percent of registrants disclosed that the company has a Chief Information Security Officer (CISO) or other role responsible for information security.

– 62 percent of registrants disclosed a CISO or similar role focused solely on information security.

– 23 percent disclosed a Vice President, Chief Technology Officer, or other employee with responsibility over information security and other technology-related matters.

– 69 percent of registrants discussed conducting employee training regarding cybersecurity as well as conducting internal tests or simulations.

– While no registrants discussed a specific cyber incident in Item 1C disclosures, 69 percent discussed past breaches generally and 62 percent discussed past threats generally.

In addition to the registrants who have disclosed new Item 1C, some registrants with fiscal year ends prior to December 15, 2023 have been voluntarily including cybersecurity-related disclosures in their recently filed Form 10-Ks. Generally, such registrants have included information related to individuals who manage the registrant’s security program and who provide periodic reports to the board of directors, CEO, and other senior management.

For example, filers in the technology sector have disclosed that:

– IT teams regularly monitor and generate reports regarding cyber risks and threats, the status of projects to strengthen information security systems, assessments of information security programs, the emerging threat landscape, and related matters

– Such cybersecurity-related reports are provided to the Chief Information Security Officer

– Overall cyber programs are regularly evaluated by internal and external experts

– The company conducts engagement with key vendors, industry participants, and intelligence and law enforcement communities as part of continuing efforts to evaluate and enhance the effectiveness of its information security policies and procedures

– The company maintains internal procedures, such as establishing a confidentiality framework, adhering to document management regulations, and all-employee confidentiality agreement requirements

Generally, my observations have been that the Form 10-K cybersecurity disclosures were shorter than I expected and tended to include less detail than one might have expected about the overall cybersecurity risk management approach. As we digest this year’s disclosure in anticipation of next year’s disclosures, I think companies will be revisiting their disclosure approach to get in line with their peers and general disclosure practices. We may also get the benefit of the Staff’s observations on the new disclosure, either through the comment process or through further interpretive guidance.

We will continue to post law firm memos and other resources on this topic in our “Cybersecurity” Practice Area.

– Dave Lynn

April 17, 2024

March-April Issue of The Corporate Counsel

The latest issue of The Corporate Counsel has been sent to the printer. It is also available now online to members of The CorporateCounsel.net who subscribe to the electronic format. The issue includes the following articles:

– SEC Adopts Climate Disclosure Rules – What Should You Do Now?
– The Presumptive Underwriter Doctrine Rears Its Ugly Head

Please email sales@ccrcorp.com to subscribe to this essential resource if you are not already receiving the important updates we provide in The Corporate Counsel newsletter.

– Dave Lynn

April 16, 2024

Countdown to T+1: SIFMA Resources

I am sure that, at this point, your level of anticipation is off the charts for the rollout of the new T+1 settlement timeframe, which will be implemented over the Memorial Day holiday weekend across securities markets. As of this morning, we are just 40 days away from the transition to T+1, and certainly nothing focuses the mind like an impending deadline. As questions inevitably arise regarding the transition to T+1, the Securities Industry and Financial Markets Association (SIFMA) has provided comprehensive resources for market participants.

In addition to a handy countdown clock for the U.S. and Canadian transition to T+1, SIFMA has posted the T+1 Securities Settlement Industry Implementation Playbook, which “outlines a detailed approach to identifying the impacts, implementation activities, implementation timelines, dependencies, and risk impacts, that market participants should consider in order to prepare for the impending transition to a shortened settlement cycle.” On April 8, 2024, SIFMA, ICI, DTCC and Deloitte hosted a virtual briefing to discuss what financial services organizations are focusing on between now and the upcoming deadlines, a replay of which is available on SIFMA’s website. I encourage you to check out the resources that SIFMA has made available and carefully consider the implications of the T+1 transition in anticipation of the end-of-May rollout.

We have also been posting resources in our “Transfer Agents/Settlement” Practice Area on TheCorporateCounsel.net.

– Dave Lynn

April 16, 2024

Transition Matters: New Requirements for Companies with a March 31 Fiscal Year-End

The SEC’s Rule 10b5-1 and insider trading disclosure rulemaking from back in December 2022 included a long transition period for the periodic disclosures concerning insider trading policies and procedures and option grant timing practices, with much of the focus being on December 31 year-end companies that do not have to comply until their filings made in 2025. For companies (other than smaller reporting companies) with a fiscal year ending on or after March 31, 2024, the new requirements will be in effect for their upcoming annual report and proxy statement filings, so it is time to pay attention to what needs to be disclosed when.

New paragraph (x) of Item 402 of Regulation S-K is one of the disclosure items that March 31 companies will need to pay attention to now that the transition period has run. Item 402(x) requires disclosure of a company’s policies and practices on the timing of awards of options, stock appreciation rights and similar instruments with option-like features, as well as certain tabular disclosure of awards of options, SARs and instruments with option-like features to named executive officers that occur close in time to the company’s disclosure of material nonpublic information. The disclosure required by Item 402(x) of Regulation S-K must be tagged using Inline XBRL. Foreign private issuers are not required to provide this disclosure.

Companies will also need to comply with Item 408(b) of Regulation S-K, which requires companies to disclose whether they have adopted insider trading policies and procedures governing the purchase, sale and other dispositions of their securities by directors, officers and employees, or the issuer itself, that are reasonably designed to promote compliance with insider trading laws, rules and regulations, and any listing standards applicable to the issuer. If an issuer has not adopted such insider trading policies and procedures, it must explain why it has not done so. Domestic companies must provide this disclosure in both annual reports on Form 10-K pursuant and in proxy and information statements, while foreign private issuers will be required to provide the disclosure pursuant to Item 16J in Form 20-F. This disclosure also must be tagged using Inline XBRL.

Finally, companies with a March 31 fiscal year-end will need to file, as an exhibit to their annual report on Form 10-K or Form 20-F, any insider trading policies and procedures, or amendments thereto, that are the subject of the disclosure required by Item 408(b) of Regulation S-K. This exhibit is not required to be tagged using Inline XBRL.

Smaller reporting companies get some extra time to comply with these new disclosure requirements. They must begin complying in filings with respect to the first full fiscal period that begins on or after October 1, 2023, so these disclosures will be required in annual reports and proxy statements for fiscal years ending on or after September 30, 2024.

– Dave Lynn

April 16, 2024

Transcript: “The SEC’s Climate Disclosure Rules: Preparing for the New Regime”

We have posted the transcript for our recent webcast, “The SEC’s Climate Disclosure Rules: Preparing for the New Regime,” during which I was joined by J. T. Ho, Partner, Orrick, Herrington & Sutcliffe LLP; Rose Pierson, Assistant Secretary and Senior Counsel, Chevron; and Kristina Wyatt, Deputy General Counsel and Chief Sustainability Officer, Persefoni, for a discussion of the SEC’s new climate disclosure rules. The webcast covered the following topics:

– Overview of the SEC’s Final Rules and Key Changes from the Original Proposal
– Developing and Implementing an Effective Compliance Plan
– Navigating Multiple Climate Reporting Regimes
– Legal Challenges to the SEC’s Rules

This was a great webcast to be a part of – we covered a lot of ground and the panelists provided insights on a number of the key implementation challenges that companies will face with these new rules.

– Dave Lynn

April 15, 2024

SCOTUS Decides MD&A Omissions Case

On Friday, the Supreme Court issued its decision in Macquarie Infrastructure Corp. v. Moab Partners, L.P., a case from the Second Circuit addressing the ability to rely on a failure to disclose certain information in accordance with the requirements of Item 303 of Regulation S-K as a basis to state a securities fraud claim under SEC Rule 10b-5. A unanimous Supreme Court held that “pure omissions” are not actionable under Rule 10b–5(b). The opinion, authored by Justice Sotomayor, states:

Securities and Exchange Commission (SEC) Rule 10b–5(b) makes it unlawful to omit material facts in connection with buying or selling securities when that omission renders “statements made” misleading. Separately, Item 303 of SEC Regulation S–K requires companies to disclose certain information in periodic filings with the SEC. The question in this case is whether the failure to disclose information required by Item 303 can support a private action under Rule 10b–5(b), even if the failure does not render any “statements made” misleading. The Court holds that it cannot. Pure omissions are not actionable under Rule 10b–5(b).

As a result of the Supreme Court’s decision, the judgment of the Court of Appeals for the Second Circuit is vacated, and the case is remanded for further proceedings consistent with the Supreme Court’s opinion.

The Court explained, “A pure omission occurs when a speaker says nothing, in circumstances that do not give any particular meaning to that silence.” By contrast, a half-truth occurs when a speaker says something, but “state[s] the truth only so far as it goes, while omitting critical qualifying information.” The Court held that Rule 10b-5(b) prohibits half-truths but not pure omissions, noting that the text of Rule 10b-5(b) prohibits omitting information from a public disclosure that is “necessary in order to make the statements made … not misleading.” Liability under that provision turns on there being “statements made” that were misleading. While other provisions of the securities laws, such as Section 11 of the Securities Act, prohibit pure omissions, neither Rule 10b-5(b) nor Section 10(b) contains this express prohibition. The Court made clear that it was not opining on other issues not presented to it, such as “what constitutes ‘statements made’” and “when a statement is misleading as a half-truth.”

– Dave Lynn