Month: March 2022

SEC votes to propose new rules for cybersecurity disclosure and incident reporting

In remarks in January before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chair Gary Gensler addressed cybersecurity under the securities laws. (See this PubCo post.) Gensler suggested that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. In addition, he said, it’s a national security issue. Gensler reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. (As reported by the NYT, that has been especially true in recent weeks, where “the war in Ukraine is stress-testing the system.”) And today, according to Corp Fin Director Renee Jones, in light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, that’s more true than ever, with escalating cybersecurity risk affecting just about all reporting companies. Given the recent consternation over hacks and ransomware, as well as the rising potential for cyberattacks worldwide, it should come as no surprise that the SEC voted today, by a vote of three to one, to propose regulations “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” While threats have increased in number and complexity, Jones said, currently, company disclosure is not always decision-useful and is often inconsistent, not timely and hard for investors to find. What’s more, some material incidents may not be reported at all. As described by Jones, the SEC approached the rulemaking from two perspectives: first, incident reporting and second, periodic disclosure regarding cybersecurity risk management, strategy and governance. 
According to SEC Chair Gary Gensler, “[o]ver the years, our disclosure regime has evolved to reflect evolving risks and investor needs….Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks….I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” The public comment period will be open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.

SEC Commissioner Lee advocates new gatekeeper regulations for attorneys

In remarks at PLI’s Corporate Governance webcast last week, SEC Commissioner Allison Herren Lee advocated that, after 20 years, it’s time for the SEC to fulfill the mandate of SOX 307 by adopting rules to set minimum standards of professional conduct for attorneys appearing and practicing before the SEC in the representation of issuers. But didn’t the SEC adopt up-the-ladder attorney reporting provisions under SOX 307 many years ago? Yes, but, she contended, the SEC “did not adopt a broader set of rules as Congress directed, and quite significantly, even this single standard has not been enforced in the nearly 20 years since it was adopted.” Her suggestions for standards are sure to trigger some controversy. Will the SEC up the ante on regulations for attorneys as gatekeepers?  

California posts new report on board diversity—how much does it tell us?

It’s International Women’s Day! On March 1, the California Secretary of State, Dr. Shirley N. Weber, issued the Secretary’s 2022 report required by SB 826, California’s board gender diversity law, and by AB 979, California’s law related to underrepresented communities on boards, on the status of compliance with these laws. The report counts 716 publicly held corporations listed on major exchanges that identified principal executive offices in California in their 2021 10-Ks, and indicates that 358 (compared to 318 last year) of these “impacted corporations” filed a 2021 California Publicly Traded Corporate Disclosure Statement reflecting their compliance (or lack thereof) with the board diversity requirements. Of the 358 companies that filed, only 186 reported that they were in compliance with the board gender diversity mandate, a significant decline from the 311 reported last year. Undoubtedly, the decline reflects the higher thresholds for compliance that applied at the end of 2021. The report also shows that 301 companies reported being in compliance with the phase-one requirements of the 2020 law related to underrepresented communities on boards. But is any of this data from the report really meaningful?

In most recent comments on climate disclosure, SEC drills down on materiality

In September last year, Corp Fin posted a sample letter to companies containing illustrative comments regarding climate change disclosures, presumably designed to help companies think about and craft their climate-related disclosure. (See this PubCo post.) Corp Fin began by noting that, under its 2010 guidance (see this PubCo post), depending on the facts and circumstances, climate change disclosure could be elicited in a company’s SEC filings in connection with the description of business, legal proceedings, risk factors and MD&A. Still, right now, there is little in the way of prescriptive climate disclosure requirements, although a proposal for climate disclosure regulation is high on the SEC’s agenda. (See this PubCo post.) Instead, companies have looked largely to standards of materiality to determine whether climate disclosure is required in their SEC filings. However, many companies provide climate disclosure in corporate social responsibility reports that are not filed with the SEC, but instead typically posted on company websites. As reported in a recent analysis by Audit Analytics, in the SEC’s most recent round of comment letters about climate last month, the climate disclosure on which the SEC is commenting is primarily contained in these CSR reports. And the SEC wants companies to justify—in some detail—why that disclosure isn’t also in companies’ SEC filings.

With the Court decision still to come, what happened in the first trial of California’s board gender diversity statute?

You might remember that the first legal challenge to SB 826, California’s board gender diversity statute, Crest v. Alex Padilla, was a complaint filed in 2019 in California state court by three California taxpayers seeking to prevent implementation and enforcement of the law. Framed as a “taxpayer suit,” the litigation sought a judgment declaring the expenditure of taxpayer funds to enforce or implement SB 826 to be illegal and an injunction preventing the California Secretary of State from expending taxpayer funds and taxpayer-financed resources for those purposes, alleging that the law’s mandate is an unconstitutional gender-based quota and violates the California constitution.  A bench trial began in December in Los Angeles County Superior Court that was supposed to last six or seven days, but you know, one thing and another, closing arguments were just completed and the case has now been submitted. As we await the Court’s decision—and in anticipation of International Women’s Day—it might be interesting to review some of the testimony from the trial.