Earlier this month, eighty Democrats from the U.S. House of Representatives sent a letter to SEC Chair Gary Gensler, urging him to “finalize and adopt a credible mandatory disclosure rule as quickly as possible.” The letter notes:
The proposed rule is squarely within the Commission’s authority and mission to protect investors; maintain fair, orderly, and efficient markets; and facilitate the formation of capital. The SEC has “longstanding and indisputable authority to regulate the disclosure practices of publicly traded companies” to protect markets and market participants. It “has exercised its disclosure authority consistently—and without legislative override” for over ninety years, and “has now done so once more with the Proposal on climate-related disclosure.”
Increasingly frequent and severe extreme weather events have affirmed that climate change poses a significant financial risk, and developments in the past year have strengthened the case for finalizing a strong rule. Physical risk is scaling rapidly, accelerating direct damages and supply chain disruptions that impact public companies’ bottom lines. Last year, the cost of climate and weather disasters in the United States totaled more than $165 billion—the third most costly year on record. These events can materially affect the financial and operational wellbeing of companies around the world, including SEC registrants. The current patchwork of voluntary reporting requirements is inadequate and lacks rigor, consistency, and verifiability.
The letter also cites the European Union’s implementation of its Corporate Sustainability Reporting Directive, “which will increase climate-related reporting requirements on companies within the EU and those that have substantial activity within the EU.” The letter indicates that “recent estimates show that thousands of U.S. companies will be required to comply with these CSRD standards.”
By my count, this letter joins a dozen other letters from members of the U.S. House of Representatives in the SEC’s comment file for the climate change disclosure proposal. Thirteen letters have also been sent from U.S. Senators. This rulemaking has certainly generated a significant amount of interest from Capitol Hill in the almost year and a half that the proposal has been outstanding. I cannot recall a rulemaking that prompted so many letters from members of Congress.
This week, I am highlighting some of the topics that I will be speaking about at our September Conferences, and next on the line-up is climate disclosure. On Thursday, September 21, during the 2023 Proxy Disclosure Conference, I will be joined by an outstanding group of speakers to discuss “Climate Disclosures: Requirements & Risks.” Joining me for the program will be my Morrison & Foerster colleague Jina Choi, Mark Kronforst from Ernst & Young and Arden Phillips from Constellation Energy Corporation.
We plan to address the practical steps that you need to take to prepare for mandatory GHG emissions and climate risk reporting – and the new risks that mandatory disclosure creates for you, your company and your board. The focus of my remarks will be on describing the state of the SEC’s rulemaking, addressing the applicability and status of non-US standards (such as CSRD), and describing the gap analysis and compliance roadmap that companies should now be considering. My co-panelists will delve into issues around potential litigation, working with external auditors and the in-house perspective on implementing the new rules. This discussion will build on topics addressed at our “2023 Practical ESG Conference” – which is taking place on Tuesday, September 19th and can be bundled with the “Proxy Disclosure & 20th Annual Executive Compensation Conferences.” Don’t hesitate – register online today through our membership center, email sales@ccrcorp.com or call 1-800-737-1271 – so you will be able to hear all of the latest insights on this very important topic.
This summer, Meredith has been covering the decision in SEC v. Ripple Labs (SDNY 7/23), which attracted quite a lot of attention in the crypto community given the outcome of the case with respect to programmatic sales of tokens. As Meredith more recently noted, the plot thickened with the outcome in the SEC v. Terraform Labs (SDNY 8/23) case. Late last week, the Ripple Labs case took yet another interesting turn as U.S. District Judge Analisa Torres said that she would allow the SEC to move forward with a request for an interlocutory appeal of the July decision, setting up the potential for a review of the decision by the Court of Appeals for the Second Circuit. A WSJ article regarding the potential appeal notes:
Interlocutory appeals allow for part of a case to be reviewed before a court renders its final judgment and are relatively rare. If Judge Torres grants the SEC permission to seek review by the U.S. Court of Appeals for the Second Circuit, it could be a year or more before a final decision is rendered. Both Ripple and its co-defendants, Chief Executive Brad Garlinghouse and co-founder Christian Larsen, opposed the SEC’s request.
In its letter to Judge Torres, the SEC noted that another judge in the Second Circuit—Jed Rakoff, ruling in a separate case earlier this month—questioned the idea that one asset could be either a security or a non-security depending on the purchaser.
The prospect for an interlocutory appeal is perhaps good news in terms of bringing some clarity to a situation where too much attention was paid to the outcome. However, the amount of time needed for an appeal to be considered and decided in the Second Circuit is no doubt far too long in the crypto community, which continues to clamor for “clarity” on the application of the Howey test to digital assets.
At the end of last month, in remarks before the Financial Stability Oversight Council, SEC Chair Gary Gensler bid a not-so-fond farewell to LIBOR, the rate that I envisioned guys in bowler hats setting each business day morning in London. In fact, Gensler compared LIBOR to the Hans Christian Andersen folktale “The Emperor’s New Clothes,” in which of course the emperor had no clothes. Gensler noted in his remarks:
Policymakers worldwide, from central banks, including the Federal Reserve; to FSOC and the Financial Stability Board; to market regulators, including the SEC and CFTC; to Congress, came together to end LIBOR. In essence, we all knew we needed an emperor who was properly clothed.
It took a lot of work, but 15 years later, as of June 30, 2023, it finally ceased. In the United States, the main replacement for LIBOR is the Secured Overnight Financing Rate. We cannot, however, stop here.
There will be some pretenders, as there often are in the history of emperors.
It is important that any rate used to replace LIBOR be robust and not ill clad. Certain alternatives being considered in the markets, however, present many of the same flaws as LIBOR: thin markets—in times of stress scantily-clad—with few underlying transactions, creating a system vulnerable to collapse and manipulation.
Gensler reiterated his concerns with so-called “credit sensitive rates,” such as the Bloomberg Short-Term Bank Yield Index rate, which he believes “have infirmities that will not stand the test of time—and will not be good for financial stability or for future FSOC members.” He noted that IOSCO recently conducted a review of some alternatives to USD LIBOR, and the credit sensitive rates that IOSCO reviewed were not found to meet the organization’s principles for stable and reliable benchmarks in the areas of benchmark design, data sufficiency, and transparency.
Gensler closed his remarks noting that “the LIBOR story is a cautionary tale not to just trust something because it’s popular or ubiquitous.”
The upcoming proxy season promises to be yet another year of change. We have so many SEC rulemakings to take into consideration as we prepare annual reports and proxy statements, while also paying attention to evolving investor concerns. With all of this brewing for 2024, you definitely do not want to miss our September Conferences.
I look forward to joining the SEC All-Stars for our hour-long Proxy Season Insights panel on Wednesday, September 20. The All-Stars joining me on this panel are Sonia Barros, Meredith Cross, Alan Dye and Lona Nallengara. We will be covering a wide range of topics, including:
– Use of Rule 10b5-1 plans and insider trading policy updates
– Share repurchase programs
– Cyber disclosures & governance
– Board diversity requirements & disclosures
– Beneficial ownership modernization and Section 16/Form 144 developments
I plan to address the topic of share repurchase programs, where the implementation of the SEC’s new daily repurchase disclosure rules will be a significant consideration for many companies as we go into the annual reporting season.
This SEC All-Stars panel, along with the rest of the panels at the “Proxy Disclosure & 20th Annual Executive Compensation Conferences” will provide you with the guidance that you need to successfully navigate the proxy season, so I encourage you to register today. Here is the full agenda – and here is more information about our expert speakers. In addition, be sure to check out the agenda for our “2023 Practical ESG Conference” – which is happening virtually on Tuesday, September 19th. This event will help you avoid ESG landmines and anticipate opportunities. You can bundle the Conferences together for a discount.
The National Institute of Standards and Technology (NIST) recently released drafts of its Cybersecurity Framework (CSF) 2.0 for public comment. The NIST CSF consists of standards, guidelines, and best practices that help organizations improve their management of cybersecurity risk. In its announcement of the new CSF, NIST notes:
The world’s leading cybersecurity guidance is getting its first complete makeover since its release nearly a decade ago.
After considering more than a year’s worth of community feedback, the National Institute of Standards and Technology (NIST) has released a draft version of the Cybersecurity Framework (CSF) 2.0, a new version of a tool it first released in 2014 to help organizations understand, reduce and communicate about cybersecurity risk. The draft update, which NIST has released for public comment, reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice — for all organizations.
In February 2022, NIST released a request for information about the CSF. In response, commenters indicated that the framework remains an effective tool for reducing cybersecurity risk, but indicated “that an update could help users adjust to technological innovation as well as a rapidly evolving threat landscape.”
In its announcement of the updated draft, NIST notes the following key changes to the CSF:
• The framework’s scope has expanded — explicitly — from protecting critical infrastructure, such as hospitals and power plants, to providing cybersecurity for all organizations regardless of type or size. This difference is reflected in the CSF’s official title, which has changed to “The Cybersecurity Framework,” its colloquial name, from the more limiting “Framework for Improving Critical Infrastructure Cybersecurity.”
• Until now, the CSF has described the main pillars of a successful and holistic cybersecurity program using five main functions: identify, protect, detect, respond and recover. To these, NIST now has added a sixth, the govern function, which covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership.
• The draft provides improved and expanded guidance on implementing the CSF, especially for creating profiles, which tailor the CSF for particular situations. The cybersecurity community has requested assistance in using it for specific economic sectors and use cases, where profiles can help. Importantly, the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, to use the framework effectively.
The CSF 2.0, while still in draft form, is a good resource to review as you are preparing for the new SEC disclosure requirements, as you evaluate whether your practices for managing cybersecurity risks are consistent with best practices.
The comment period for the draft CSF 2.0 runs until November 4, 2023.
One of the occupational hazards of being a securities lawyer is that you are often asked to predict what the SEC or the SEC Staff will do in a particular situation, and at times making such predictions can be difficult. The challenge can be particularly acute when it comes to SEC rulemaking, because so many variables are at play in any given rulemaking action. Sometimes I feel like Zoltar, the vending machine fortune teller from the movie Big.
The process of notice and comment rulemaking is very much a “give and take” process. Having been involved in this process at the SEC, I would say that rulemaking involves quite a bit of what we would always refer to as “horse trading,” particularly when the rulemaking is being considered at the Commission level. As a member of the Staff, sometimes the horse trading can be frustrating, because things can end up in proposed rules that do not necessarily make a lot of sense or are not consistent with what you were hoping to achieve. The process becomes even more complex once you have proposed the rules and are considering the input of commenters, particularly when you are dealing with a controversial rulemaking that is likely to be subject to legal challenge.
One thing that is important to not lose sight of is that while the final rules are not “negotiated” per se, the Commission will sometimes propose rule changes that may go farther than what the Commission actually expects to adopt as final rules, recognizing that some matters may be pared back or changed in response to comments. For this very reason, in the not-too-distant past, we did not always provide a whole lot of coverage in law firm client alerts and publications such as The Corporate Counsel on proposed rules, given the understanding that proposed rules may not necessarily be indicative of what the final rules will turn out to be, so it did not make much sense to dedicate scarce resources toward understanding the proposed rules. In recent years, there has been increased concern (whether warranted or not) that the Commission is proposing rules that it intends to adopt largely as proposed, without perhaps fully considering the concerns raised by commenters. The shifting sands have made things much harder to predict as the Commission tackles some very significant public disclosure issues through the rulemaking process.
Which brings us to the question that everyone is asking these days – what will the final climate change disclosure rules look like? In trying to answer this question like Zoltar, I am encouraged by the outcome we recently observed with the cybersecurity disclosure rules. In March 2022, the SEC originally proposed cybersecurity disclosure rules that included complex and highly detailed requirements that struck companies and their advisers as overly prescriptive and seeking too much detail. Consistent with other recent rulemakings, the Commission went down the path of proposing very prescriptive disclosure requirements on the topic of cybersecurity risk management and oversight for periodic reports and for the type of information that would be required to be disclosed when it is determined that a cybersecurity incident is material. The Commission also took what proved to be a controversial step of proposing that companies disclose information about the cybersecurity expertise of corporate directors.
In the final rules, the Commission clearly considered the concerns of commenters on a number of important issues and modified the final rules as a result, including paring back the disclosure required on a current basis when an incident is determined to be material, pivoting to a more principles-based approach for the disclosure related to risk management, strategy, and governance and not adopting the proposed requirement to disclose board cybersecurity expertise.
While it is obviously difficult to draw too many conclusions from just this one rulemaking, this recent outcome with the cybersecurity disclosure rules may give us hope that the Commission will make some significant adjustments to the proposed climate change disclosure requirements that were also proposed back in March 2022, particularly with respect to the disclosure of Scope 3 emissions, the detailed disclosure requirements regarding risk management and governance and the financial statement footnote disclosure requirements. The horse trading on these and other points is undoubtedly going on as we speak. I think that maybe only Zoltar knows how it will all come out.
You can get all of the latest insights by joining me on Wednesday, September 20 for my interview with Erik Gerding, Director of the SEC’s Division of Corporation Finance. Erik will share his views on the latest developments and priorities for the Corp Fin Staff, and his expectations for the upcoming proxy season. We are very fortunate to have Erik joining us for the “2023 Proxy Disclosure Conference” given all that is going on at the SEC right now. My interview with Erik is a great way to kick off three days of drilling down on all of the things you need to know for your SEC disclosures and executive compensation matters in these turbulent times.
While the SEC’s adoption of cybersecurity disclosure requirements last month was a long time in the making, the actual adoption of the rules and the relatively short compliance deadlines seem to have prompted some level of panic at public companies. Based on how the final rules came out, I hope to offer some reassuring words that your path to compliance with these requirements can build on your pre-existing efforts rather than reinventing the wheel. To that end, I ask and answer some of the questions that have been emerging about the new rules. Please read them and take a few deep breaths.
Do I need to create new disclosure controls for Item 1.05 of Form 8-K?
Companies will be required to disclose, within four business days after determining that an incident is material pursuant to new Item 1.05 of Form 8-K (subject to limited exceptions), any cybersecurity incident that the company experiences that is determined to be material, describing the material aspects of: (i) the nature, scope, and timing of the incident; and (ii) the impact or reasonably likely impact of the incident on the company, including on the company’s financial condition and results of operations.
The disclosure controls necessary to escalate cybersecurity incidents and evaluate whether they are material and must be disclosed should already be in place at public companies. The SEC’s 2018 interpretive release strongly encouraged the filing of a Form 8-K when a cybersecurity incident is determined to be material, and subsequent SEC enforcement cases focused on the timing of current disclosure about cybersecurity incidents and the disclosure controls that were in place to facilitate that disclosure. As a result of these developments, companies have implemented procedures to identify cybersecurity incidents, escalate them to management, and have management evaluate the materiality of those incidents to determine whether they must be disclosed. Item 1.05 of Form 8-K now formalizes the Form 8-K filing requirements and assigns a four-business-day deadline to the disclosure obligation.
For foreign private issuers, not much has changed in terms of the current disclosure framework. The SEC did amend General Instruction B of Form 6-K to reference material cybersecurity incidents in the list of items that may trigger a current report on Form 6-K. The SEC notes in the adopting release that, “for a cybersecurity incident to trigger a disclosure obligation on Form 6-K, the registrant must determine that the incident is material, in addition to meeting the other criteria for required submission of the Form.”
The new disclosure obligation may require some fine tuning to pre-existing disclosure controls and procedures to reflect the disclosures that must be provided in response to the new Form 8-K item, as well as the process for tracking whether the Item 1.05 Form 8-K must be amended to reflect information that is not determined or is unavailable at the time of the required initial filing. Further, companies will need to assess whether the controls will facilitate a Form 8-K filing within four business days of determining that the incident is material.
Spoiler alert: In the vast majority of cybersecurity incidents that I deal with in my practice, it is ultimately concluded that the cybersecurity incident is not material under established standards for evaluating materiality. As a result, I do not expect to see a flood of Item 1.05 Form 8-Ks streaming into the SEC after the December 18, 2023 compliance date.
Should my approach to determining whether a cybersecurity incident is material change?
The approach to materiality is the same as it has always been. The SEC did not adopt any bright lines to be applied in determining whether an incident is material and therefore must be disclosed under new Item 1.05 of Form 8-K, leaving it to us to apply established standards of materiality. Consistent with past pronouncements, the Commission has indicated that the materiality standard that companies should apply in evaluating whether a Form 8-K would be triggered under Item 1.05 would be consistent with the caselaw standards that we are familiar with applying in this context.
For the purpose of evaluating whether a Form 8-K is required to be filed pursuant to Item 1.05 of Form 8-K, information about a cybersecurity incident is considered “material” if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would have been viewed by the reasonable investor as having significantly altered the “total mix” of information made available to the investor. As part of a materiality analysis, the company should consider the indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of company activity. No single fact or occurrence is determinative as to materiality, which requires an inherently fact-specific inquiry.
I advise that it is best to create your framework for evaluating the materiality of cybersecurity incidents ahead of time, and test that framework when you conduct tabletop exercises or otherwise evaluate your incident response plan. Once you have the framework sorted out and documented, then I don’t think it is necessary to document your specific evaluation of individual incidents, unless that is something that you would normally do in your Form 8-K process.
Do I need to change my board and management practices regarding cybersecurity?
While it is certainly always a good idea to evaluate your board and management practices around the oversight and management of cybersecurity risks to always put your best foot forward on this topic, nothing about the new disclosure requirements should necessarily drive a revamp of the company’s approach. In the adopting release, the SEC notes “that the purpose of the rules is, and was at proposal, to inform investors, not to influence whether and how companies manage their cybersecurity risk.” As originally proposed, the disclosure requirements could be read as normative standards for board oversight and management involvement, but in the final rules the SEC has taken a much more principles-based approach. Based on this pivot, one might expect to see a few paragraphs about cybersecurity risk management, strategy, and governance in upcoming Form 10-Ks rather than pages of disclosure. And those paragraphs are going to be pretty high level in terms of their description of the process, as even the SEC does not want companies to hand threat actors the “keys to the kingdom” through their Form 10-K disclosure. At this point, the best approach is to begin drafting the required disclosure so you can evaluate whether there are any areas that you want to shore up before going live in your Form 10-K.
Do the new rules supersede the SEC’s past guidance?
While some aspects of the 2018 interpretive guidance have now been incorporated into the SEC’s rules (in particular the construct for current reporting on Form 8-K), companies still must consider that guidance in determining what to disclose under items that were not amended with this latest rulemaking effort, including: (i) risk factors; (ii) legal proceedings; (iii) MD&A; (iv) financial statements; (v) effectiveness of disclosure controls and procedures; and (vi) corporate governance (including disclosure in the proxy statement).
The SEC’s Division of Enforcement has conducted a lot of investigations of cybersecurity incidents in recent years, but it is important to keep in mind that there have been only four Enforcement actions brought against companies in the five years since the 2018 interpretive release.
Here are some of the notable takeaways from those actions:
1. The four actions focus on material misstatements and omissions regarding cyber incidents and deficiencies in cybersecurity disclosure controls and procedures.
2. Three of the four actions involve negligence charges stemming from materially misleading disclosures and omissions regarding cybersecurity incidents and risks, but not intentional or reckless fraud.
3. All four actions involve charges related to deficiencies in disclosure controls and procedures.
4. These actions all involve unauthorized access and/or theft of sensitive personally identifiable information.
5. The companies that were the subject of these actions settled to administrative charges on a “neither admit nor deny” basis.
The SEC does have ongoing investigations of cybersecurity incidents, including those related to the SolarWinds breach, and I do expect that we will continue to see the SEC bring actions based on the old interpretive guidance and pre-existing requirements even after the new rules go into effect.