You know companies face a new and aggressive enforcement regime when shorthand terms, such as “greenwashing,” are adopted prior to the implementation of comprehensive regulations governing disclosure of climate change issues and cyber-incidents.

When these new regulations are adopted, companies will have to develop robust procedures for identifying potential violations of internal reporting and disclosure controls.  This will be a difficult process.  Along with the new SEC regulations, companies face a steady drumbeat of pressure from stakeholders demanding transparency and accountability on these important issues.  Financial and reputational risks can be devastating to a company if violations occur.

Just take the term “greenwashing,” which is defined to include potential misrepresentations, omissions or false statements surrounding environmental social and governance (“ESG”) issues. Rebel investors, employees, shareholders or consumers are ready to jump at any corporate failure to provide accurate information in this high-profile area.  Class action lawsuits will be ready at a drop of a dime to challenge corporate leaders, managers and controls when greenwashing occurs.  A misstep on any of these issues could undermine a company’s ability to compete in the marketplace as a result of potential violations.

The SEC already has signaled its intention to aggressively pursue investigations in this area.  It is clear that once the regulations are issued the SEC will be ready to launch enforcement actions for potential violations. 

Companies have to prepare for this new enforcement environment by adopting robust internal incident management and investigation procedures.  The stakes will be high for companies subject to these new comprehensive regulations.  Luckily, companies already know how to do this — but they will have to up their internal procedures.

Companies already know how to investigate misconduct and then decide what to do about the issue.  Some companies are good at it — some are not.  Companies have faced serious allegations in the pasts — FCPA, antitrust, sanctions and False Claims Act allegations.  In the face of the new cyber and climate risks, companies have to refresh, reinvigorate and build a new and more comprehensive strategy to identify, triage, investigate and resolve potential cyber and climate reporting incidents. 

Companies will have new disclosure and reporting requirements — misconduct may stem from violation of such rules separate and apart from the underlying conduct that may itself involve violation of cyber and climate rules.  In the face of this, companies could end up investigating compliance with controls surrounding the identification, escalation and initial evaluation of a specific disclosure issue.

The internal investigation landscape is about to change in a big way — a new regulatory overlay will multiply risks, potential violations and the need for companies to quickly unearth potential violations, assess the scope of the violations and determine what actions to take.

When it comes to stakeholders interest, climate change issues may be raised by a variety of sources.  Right now, companies learn about potential misconduct from internal reporting sources, whistleblowers and government inquiries.  In the climate area, potential issues can come from these same sources, along with other interested parties — investors, shareholders, and public interest groups.  Stakeholder interest in these issues will require quick responses and transparency as to the process used to investigate and respond to claims.  As a result, companies will face difficult situations that may require greater transparency with the investigation process than in other “typical” situations — FCPA, antitrust, False Claims Act.

Corporate actors know what is required to complete an effective internal investigation, and sometimes rely on outside counsel and consultants to drive the process.  These same parties may be required to support corporate internal investigations of these new risks.