SEC Poised to Implement Complex Disclosure Obligations (Part I of II)
The Securities and Exchange Commission is quickly raising the stakes for global companies. Along with these new regulatory requirements, the risks of enforcement multiply, especially when it comes to corporate disclosure requirements. The risks in these areas will become complex and require a comprehensive system for identifying and escalating issues for consistent review and disclosure decisions.
Climate Change Disclosures
Let’s start with the new climate change disclosure requirements. While the regulations have not been finalized, one thing is for sure — companies will face increased risks and will need to implement robust disclosure controls surrounding climate-related risks, greenhouse gas emissions and related financial regulations. The SEC is planning to implement a comprehensive set of disclosure rules prescribing the information that companies will have to disclose initially and in the future. Every covered company will have to design and embed controls to ensure that issues are identified, escalated and resolved for disclosure purposes.
Under the climate change rules, companies will have to provide quantitative and qualitative disclosures, including (1) climate-related risks; (2) greenhouse gas emissions; and (3) climate governance. With respect to financial statements, the new rules would require specific disclosures in footnotes relating to severe weather events and natural conditions, the financial impact of transition activities, expenditures to mitigate risks of severe weather events and natural conditions, and key assumptions incorporated in the analysis.
These new regulations may require detailed explanations of the impact of climate change, all the way to a line-item calculation triggered by a 1 percent immaterial threshold. For climate-related risks, companies would have to make comprehensive disclosures, whether the risks occurred in physical or transitional periods, and were reasonably likely to occur over the short, medium and long term. Further, the SEC may require reporting of targets and goals for greenhouse gas reduction and any other climate-related measures. Companies would provide data to confirm any progress toward reaching a goal or objective, including the amount of carbon offsets and credits that may be applied.
Before announcing proposed rules for climate change disclosures, the SEC proposed cyber-incident disclosure rules. Public companies will face a new era of accountability on cyber risks and disclosure of these incidents. Corporate boards, senior management and employees have to be educated on these new requirements, and companies will have to build extensive internal controls surrounding disclosure obligations and management of cyber risks.
The new rules broadly address current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents. The proposal also would require periodic reporting about a company’s policies and procedures to identify and manage cybersecurity risks; the board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal further would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.
The SEC is proposing to require companies to report cyber incidents by filing a Form 8-K within four days of the incident occurring. This is a significant burden and requirement. A material cybersecurity event has been added to the list of typical 8-K reportable events.
The new rule also provides a comprehensive listing of what information should be included in the Form 8-K filing, including: (1) when the incident was discovered and whether it is ongoing; (2) a brief description of the nature and scope of the incident; (3) whether any data was stolen, altered, accessed or used for any other unauthorized purpose; (4) the effect of the incident on the company’s operations; and (5) whether the registrant has remediated the incident or is in the process of doing so. Under the new rule, the four-day reporting requirement begins from the date the incident occurred, a significant change requiring robust monitoring and tracking of a company’s cyber status.
Companies will have to establish a rapid but fulsome process for assessing materiality of a cyber incident. Cyber risks have a long list of potential consequences, including reputational damage, litigation costs, remediation and fines and penalties. In serious cases, the continued viability of the business may be threatened.