In remarks delivered to the Financial Stability Oversight Council on Friday, SEC Chair Gary Gensler addressed the status of the agency’s proposed climate change disclosure rules. He didn’t tip his hand as to the timing of any action by the SEC, but he did defend the agency’s authority to adopt rules mandating disclosures concerning the impact of climate change. Here’s an excerpt:
In response to the Great Depression and fraudulent practices of the time, President Roosevelt and Congress came together to enact the federal securities laws in which they established a basic bargain in our markets. Investors get to decide which risks to take, so long as public companies raising money from the public make what Roosevelt called “complete and truthful disclosure.”
The SEC was assigned an important role regarding that basic bargain and public disclosure. Under the securities laws, though, the SEC is merit neutral. Investors get to decide what investments they make and risks they take based upon those disclosures. The SEC focuses on the disclosures about, not the merits of, the investment.
The SEC has no role as to climate risk itself. But we do have an important role in helping to ensure that public companies make full, fair, and truthful disclosure about the material risks they face.
Already today, issuers are making climate risk disclosures, and investors are making investment decisions based on those disclosures. Indeed, a majority of the top thousand issuers by market cap already make such disclosures, including what’s known as Scope 1 and Scope 2 greenhouse emissions. Further, investors representing tens of trillions of dollars in assets are making decisions relying on those disclosures.
I’m not very good at reading tea leaves, so I’ll leave it to you to decide whether there’s any significance to Chair Gensler’s decision not to refer to Scope 3 disclosures – the most controversial part of the SEC’s rule proposal – in his remarks. The closest he came to discussing the timing of Commission action on the proposal in his comments was when he said that the SEC was “considering carefully” the 15,000+ comments received on the proposal and that it would consider adjustments that the Staff and the Commissioners consider appropriate.
Chair Gensler’s remarks before the FSOC weren’t the only place where the SEC’s rulemaking power was defended last week. In fact, I couldn’t resist channeling my inner Eric Cartman this morning after reading the SEC’s spirited defense of its broad authority to adopt disclosure rules that begins on p. 97 of the Cybersecurity Disclosure Rules Adopting Release. Here’s an excerpt:
Disclosure to investors is a central pillar of the Federal securities laws. The Securities Act of 1933 “was designed to provide investors with full disclosure of material information concerning public offerings of securities.” In addition, the Securities Exchange Act of 1934 imposes “regular reporting requirements on companies whose stock is listed on national securities exchanges.” Together, the provisions of the Federal securities laws mandating release of information to the market—and authorizing the Commission to require additional disclosures—have prompted the Supreme Court to “repeatedly” describe “the fundamental purpose” of the securities laws as substituting “a philosophy of full disclosure for the philosophy of caveat emptor.”
This bedrock principle of “[d]isclosure, and not paternalistic withholding of accurate information, is the policy chosen and expressed by Congress.” Moreover, “[u]nderlying the adoption of extensive disclosure requirements was a legislative philosophy: ‘There cannot be honest markets without honest publicity. Manipulation and dishonest practices of the market place thrive upon mystery and secrecy.’”
The discussion goes on to identify specific statutory provisions granting the SEC broad disclosure authority, and also provides numerous examples of where the agency has exercised that authority.
The SEC’s claim to broad rulemaking authority has been challenged by conservatives in recent years, and I suspect that the arguments the agency makes in the 10 pages that it devotes to this topic in the release are likely to resurface in much expanded form in the lawsuits that are likely to arise challenging many of the rules on its current agenda.
Think long and hard before clicking “send” on an email or text message in which you’ve embedded an emoji, because this recent Foley blog says that if you opt to add this little bit of fun to your message, you might have just created a binding contract:
In this age of digital communication, it was only a matter of time before emojis found their way into legally binding documents. Emojis are now being used as a means of expression and communication in various spheres of life, including the discussion of contracts. In fact, a Canadian court recently ruled that a thumbs-up emoji counted as a contractual agreement (read more here).
Whether the sender meant “message received” or actually agreed to the contract terms, the recipient assumed the thumbs up was a green light to move forward, and the court agreed. Startup founders deal with contracts on a regular basis, from investors to vendors to outside service providers, and one wrong thumbs-up could potentially spell trouble.
The blog goes on to address the factors which might result in the creation of a binding contract through the use of an emoji, but a better alternative may be to just act like a grownup and steer clear of their use in any setting where creating a binding contract is even a remote possibility. Or, if you can’t bring yourself to do that, then at least use my man Shruggie here ¯\_(ツ)_/¯ as your default emoji option.
As I mentioned in the blog yesterday, as part of the cybersecurity rulemaking, the SEC adopted new Item 1.05(a) of Form 8-K, which specifies that if an issuer experiences a cybersecurity incident that is determined by the company to be material, the company must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations. The Item 1.05 Form 8-K must be filed within four business days of determining that an incident was material, subject to limited exceptions.
A number of commenters on the proposed rules had suggested that the SEC include a provision allowing for a delay in the filing of the Form 8-K when there is an active law enforcement investigation or the disclosure otherwise implicates national security or public safety. For example, Debevoise suggested in its comment letter that the Commission “delay reporting of a cybersecurity incident that is the subject of a bona fide investigation by law enforcement,” because such “delay in reporting may not only facilitate such an investigation, it may be critical to its success.”
The Commission decided to not adopt a broad law enforcement delay provision in the final rules, but it did provide for delays in the Form 8-K deadline for two specific circumstances that are worth drilling down on.
First, paragraph (d) of Item 1.05 indicates that if a company is subject to the FCC’s notification rule for breaches of customer proprietary network information (CPNI), the company may delay providing the disclosure required by Item 1.05 for such period that is applicable under the notification rule and in no event for more than seven business days after notification required under that provision has been made, so long as the company notifies the SEC in correspondence submitted via the EDGAR system no later than the date when the disclosure required by Item 1.05 was otherwise required to be provided. This notification requirement specifically relates to telecommunications carriers and VoIP providers, so it will have fairly limited application.
Second, paragraph (c) of Item 1.05 provides a framework for delaying the filing of an Item 1.05 Form 8-K if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. Paragraph (c) specifies that if the Attorney General determines that disclosure required by paragraph (a) of Item 1.05 poses a substantial risk to national security or public safety, and notifies the SEC of such determination in writing, the company may delay providing the disclosure required by Item 1.05 for a time period specified by the Attorney General, up to 30 days following the date when the disclosure required by Item 1.05 was otherwise required to be provided. Disclosure may be delayed for an additional period of up to 30 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. In extraordinary circumstances, disclosure may be delayed for a final additional period of up to 60 days if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. If the Attorney General indicates that further delay is necessary, the SEC will consider additional requests for delay and may grant such relief through exemptive orders.
The SEC notes in the adopting release that it consulted with the Department of Justice to establish an interagency communication process to allow for the Attorney General’s determination to be communicated to the SEC in a timely manner. The SEC notes that the Department of Justice will notify the affected company that communication to the SEC has been made, so that the company may delay filing its Form 8-K.
The SEC indicates that the delay provision for substantial risk to national security or public safety is separate from Exchange Act Rule 0-6, which provides for the omission of information that has been classified by an appropriate department or agency of the Federal government for the protection of the interest of national defense or foreign policy. The SEC indicates that if the information a company would otherwise disclose on an Item 1.05 Form 8-K or pursuant to Item 106 of Regulation S-K or Item 16K of Form 20-F is classified, the company should comply with Exchange Act Rule 0-6.
It seems to me that the delay provision for substantial risk to national security or public safety will likely not often be invoked. While general disclosure about a cybersecurity breach is sometimes a concern from a law enforcement perspective, only rarely do circumstances occur where a breach would meet the threshold for constituting a substantial risk to national security or public safety. So while it is helpful that the Commission did listen to commenters’ concerns and adopt these two specific delay provisions, they are unlikely to be a factor in the disclosure decisions for a wide range of public companies facing cybersecurity breaches.
Recently, the PCAOB published a Staff report that shows a year-over-year increase in the number of audits with deficiencies at audit firms that the PCAOB inspected in 2022, which is in fact the second year in a row that the PCAOB has observed an increase in audits with deficiencies. In announcing the report, the PCAOB notes:
According to the report, PCAOB staff expects approximately 40% of the audits reviewed will have one or more deficiencies that will be included in Part I.A of the individual audit firm’s inspection report, up from 34% in 2021 and 29% in 2020.
Part I.A of the PCAOB’s inspection reports discusses deficiencies, if any, that were of such significance that PCAOB staff believes the audit firm, at the time it issued its audit report(s), had not obtained sufficient appropriate audit evidence to support its opinion on the public company’s financial statements and/or internal control over financial reporting.
The 2022 update and preview report also highlights questions that audit committees should consider in discussions with independent auditors in light of increased PCAOB inspection findings. These questions include the following:
– Has our audit engagement been inspected, and, if so, would you share the results? Were there any audit areas that required significant discussions with the PCAOB that did not result in a comment form?
– Has the engagement partner been inspected on other engagements? If so, what were the results of that inspection?
– What is the audit firm doing to address overall increased inspection findings?
– Are there any audit procedures that are unnecessarily complicated or not “straightforward” because management is not providing clear, supportable information?
PCAOB Chair Erica Williams released a statement on the Staff report, saying: “Let me be clear: a 40% Part I.A deficiency rate is completely unacceptable. The PCAOB will continue demanding firms do better and deliver the high-quality audits investors deserve.”
Earlier this week, I delved into the new disclosure required under Item 5 of Part II of Form 10-Q that is responsive to Item 408(a)(1) of Regulation S-K, which requires issuers to disclose whether, during the issuer’s last fiscal quarter, any director or officer adopted or terminated: (i) any contract, instruction or written plan for the purchase or sale of securities of the issuer intended to satisfy the affirmative defense conditions of Rule 10b5–1(c); and/or (ii) any “non-Rule 10b5–1 trading arrangement.”
The questions just keep rolling in on this new disclosure requirement, and a member recently asked this question on our “Q&A Forum” (#11,757):
Pursuant to Item 408(a)(3), the disclosure provided pursuant to Item 408(a)(1) and (2) must be provided in an Interactive Data File as required by 17 CFR 232.405 (Rule 405 of Regulation S–T) in accordance with the EDGAR Filer Manual. When no director or officer has adopted or terminated a Rule 10b5-1 trading arrangement or a non-Rule 10b5-1 trading arrangement during the quarter and the issuer discloses “none” or includes “negative” disclosure in response to Item 5 of Part II of Form 10-Q, should this disclosure be tagged?
John responded “Yes” to this inquiry.
Why we need Inline XBRL tagging of this sort of textual disclosure is beyond me, but that is a whole other debate. I must admit that I have never been president of the XBRL fan club. Nevertheless, you will want to get this right so you can continue to check the “Yes” box on the cover page of your periodic reports in response to the question “Indicate by check mark whether the registrant has submitted electronically every Interactive Data File required to be submitted pursuant to Rule 405 of Regulation S-T (§232.405 of this chapter) during the preceding 12 months (or for such shorter period that the registrant was required to submit such files).”
Yesterday, the SEC adopted, by a 3-2 vote, amendments to its rules that will require periodic disclosures regarding cybersecurity risk management, strategy and governance, as well as current disclosure on Form 8-K of material cybersecurity incidents.
Specifically, under the amendments, issuers will be required to:
– Disclose, on a current basis pursuant to new Item 1.05 of Form 8-K, any cybersecurity incident that an issuer experiences that is determined to be material, describing the material aspects of its: (i) nature, scope, and timing; and (ii) impact or reasonably likely impact;
– Describe, on a periodic basis pursuant to new Item 106 of Regulation S-K, the issuer’s processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, and describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition;
– Describe, on a periodic basis pursuant to new Item 106 of Regulation S-K, the board’s oversight of risks from cybersecurity threats; and
– Describe, on a periodic basis pursuant to new Item 106 of Regulation S-K, management’s role in assessing and managing material risks from cybersecurity threats.
Similar disclosure requirements will apply to foreign private issuers.
The final rules will be effective 30 days following publication of the adopting release in the Federal Register. With respect to the periodic disclosures required by Item 106 of Regulation S-K, all issuers must provide such disclosures beginning with annual reports for fiscal years ending on or after December 15, 2023. With respect to compliance with the current disclosure requirements for material cybersecurity incidents required by Item 1.05 of Form 8-K, all issuers (other than smaller reporting companies) must begin complying 90 days after publication of the adopting release in the Federal Register or December 18, 2023, whichever is later. Smaller reporting companies have an additional 180 days from the non-smaller reporting company compliance date, so those issuers must begin complying with Item 1.05 of Form 8-K 270 days after publication of the adopting release in the Federal Register or June 15, 2024, whichever is later.
The SEC made several significant changes from the proposing release in response to comments. With respect to current reporting of cybersecurity incidents pursuant to Item 1.05 of Form 8-K, the SEC narrowed the scope of the disclosure, added a limited delay for disclosures that would pose a substantial risk to national security or public safety, required certain updated incident disclosure in an amended Form 8-K rather than in Forms 10-Q and 10-K and omitted the proposed aggregation of immaterial incidents for materiality analyses. The SEC also streamlined the proposed disclosure elements related to risk management, strategy and governance, and the SEC did not adopt the proposed requirement to disclose board cybersecurity expertise.
As I mentioned in the blog yesterday, current reporting of material cybersecurity incidents has been with us since at least the SEC’s 2018 interpretive guidance, but now new Item 1.05(a) of Form 8-K specifies that, if an issuer experiences a cybersecurity incident that is determined by the issuer to be material, the issuer must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the issuer, including its financial condition and results of operations. An Item 1.05 Form 8-K must be filed within four business days of determining that an incident was material, subject to limited exceptions described below. Issuers must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing.
Issuers may delay making a Form 8-K disclosure up to seven business days following notification of the Secret Service and FBI pursuant to an FCC notification rule for breaches of customer proprietary network information, with written notification to the SEC. The disclosure may also be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. If the Attorney General indicates that further delay is necessary, the SEC will consider additional requests for delay and may grant such relief through exemptive orders.
The untimely filing of an Item 1.05 Form 8-K will not result in the loss of Form S-3 eligibility. Item 1.05 is also included in the list of Form 8-K items eligible for the limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act.
The required information must be tagged using Inline XBRL.
Foreign private issuers must furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange, or to security holders.
Under a new “Item 1C. Cybersecurity” in Part I of Form 10-K, issuers will be required to disclose information regarding the issuer’s cybersecurity risk management, strategy and governance. The required information must be tagged using Inline XBRL.
With respect to risk management and strategy, an issuer must describe the issuer’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing this disclosure, an issuer should address, as applicable, the following non-exclusive list of disclosure items:
– Whether and how any such processes have been integrated into the issuer’s overall risk management system or processes;
– Whether the issuer engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
– Whether the issuer has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.
An issuer must also describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the issuer, including its business strategy, results of operations, or financial condition and, if so, how.
With respect to governance, an issuer must describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, the issuer must identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.
An issuer must also describe management’s role in assessing and managing the issuer’s material risks from cybersecurity threats. In providing such disclosure, an issuer should address, as applicable, the following non-exclusive list of disclosure items:
– Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
– The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
– Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.
Relevant expertise of management may include, for example, prior work experience in cybersecurity, any relevant degrees or certifications and any knowledge, skills, or other background in cybersecurity.
In their Form 20-F, foreign private issuers must provide similar disclosures regarding the issuer’s cybersecurity risk management, strategy and governance.
I don’t know about you, but the pace of SEC rulemaking these days has me worn out. Today, the SEC will consider final rules regarding cybersecurity disclosure, bringing to a conclusion a rulemaking that the SEC formally started with a proposal last year, but which actually started through Staff action over a dozen years ago. As the Commission is poised for action, I think it is a good time to look back on how we got here.
First, I will posit that cybersecurity is one of the principal risks that companies and individuals face today. If you speak with any of your cybersecurity colleagues on a regular basis, you are no doubt concerned about the security of your information every time you turn on your computer, or when you conduct an online transaction, or when you sleep at night for that matter. Information systems are under constant attack, and the threat actors are always devising new ways to take advantage of the weakest points of our systems, which often involves us very fallible humans. In fact, it is a miracle that you are able to read this blog this morning. This threat environment has been ever present for many years, and it only seems to get worse. Against this backdrop, the only logical question is: why has it taken so long for the SEC to consider new cybersecurity disclosure rules?
The answer to that question is, of course, politics. Our representatives in Congress have tried to tackle the cyber threat over the decades, but as is often the case, they encountered the issue that the federal government does not directly regulate the conduct of most large companies, making it hard to tell them what to do. So, in their infinite wisdom, they of course turned to the tried-and-true strategy of trying to compel conduct by shaming companies through disclosure, and various proposed cybersecurity measures that have been advanced by members of Congress over the years have had some disclosure component. The SEC Staff, to its credit, tried to be proactive by advancing its own framework for disclosure of cybersecurity in the form of CF Disclosure Guidance Topic No. 2 – Cybersecurity (October 13, 2011), which generally reviewed the applicability of existing SEC disclosure requirements to cybersecurity concerns. Not surprisingly, the CF Disclosure Guidance looked very similar to the guidance provided regarding climate change risks, also against a backdrop of various legislative efforts to compel disclosure.
In the ensuing years, as one high profile cybersecurity incident after another hit the headlines, the SEC Staff (particularly the Division of Enforcement) seemed uncomfortable with the notion that we live in a world where U.S. public companies are subject to a periodic and current reporting system, a basic tenet of which is that unless a company has an affirmative disclosure obligation, it is not required to disclose material nonpublic information. While lacking any specific Form 8-K item that mandated current disclosure, the Staff (and the Commission through enforcement action) began to express concern with the delays that occurred between the discovery of a material cybersecurity breach and when investors ultimately learned about it.
One would have thought that this concern should have been addressed through rulemaking rather than through a “regulation through enforcement” approach, but surprisingly the Commission took a different turn in 2018 – by issuing an interpretive release. The interpretive release elevated the guidance from the CF Disclosure Guidance to Commission guidance, and strongly encouraged the filing of a Form 8-K when a cybersecurity event is material. The Commission noted in its guidance the importance of disclosure controls and procedures “that provide an appropriate method of discerning the impact that such matters may have on the issuer and its business, financial condition and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”
And so we have lived in this regulatory grey area for the past five years, where a casual reader of Form 8-K would find no disclosure items that address cybersecurity, yet the Commission brings actions against companies that fail to timely disclose cybersecurity incidents. In some ways, having actual rules to work with rather than broad Commission interpretive musings may make things better for companies and practitioners, because at least the “rules of the road” are articulated and known.
One thing is for certain – the new disclosure regime that the Commission will consider today is not going to do anything to defuse the threat environment that we operate in, so please don’t open those phishing emails!