Category: Corporate Governance

Nasdaq proposes to amend listing rules regarding waivers of code of conduct

Yesterday, the SEC posted, and declared immediately effective, a Nasdaq rule proposal that would modify the requirements related to waiver of the code of conduct in Listing Rules 5610 and IM-5610. Under current listing rules, all listed companies must adopt a code of conduct (which must meet the definition of a “code of ethics” in SOX 406(c)), applicable to all directors, officers and employees, and make that code publicly available. Each code of conduct must also contain an enforcement mechanism that ensures prompt and consistent enforcement of the code, protection for persons reporting questionable behavior, clear and objective standards for compliance, and a fair process by which to determine violations. Under current listing rules, waivers of the code for directors or executive officers must be approved by the Board and must be publicly disclosed. The proposal expands the approval authority for code waivers and adds new time deadlines for disclosure of code waivers by foreign private issuers. Companies may want to review their codes of conduct to make changes as appropriate.

SEC Chief Accountant warns against narrow focus in risk assessments

In this Statement, The Importance of a Comprehensive Risk Assessment by Auditors and Management, SEC Chief Accountant Paul Munter cautions auditors and company managements against conducting risk assessments that focus too narrowly “on information and risks that directly impact financial reporting, while disregarding broader, entity-level issues that may also impact financial reporting and internal controls.” Similarly, auditors and managements may sometimes dismiss isolated incidents, perhaps as a result of confirmation bias, without adequately analyzing whether these issues might be indicative of larger issues that require responsive action and disclosure. Munter warns that “[s]uch a narrow focus is detrimental to investors as it can result in material risks to the business going unaddressed and undisclosed, thereby diminishing the quality of financial information.” Management, Munter warns, must “take a holistic approach when assessing information about the business and avoid the potential bias toward evaluating problems as isolated incidents, in order to timely identify risks, including entity-level risks.” Managements and audit committees may want to take note.

Is California going to set the gold standard on climate disclosure?

Are you fretting about when (or if) the SEC is going to take action on its climate disclosure proposal and what exactly the SEC has in store for public companies in its final regulations? Consider this: California might just beat the SEC to the punch. You might remember that, in 2021, a California State Senator introduced the Climate Corporate Accountability Act, which failed last year after sailing through one chamber of the legislature but coming up one vote shy in the second (see this PubCo post). But that bill was re-introduced this year as the Climate Corporate Data Accountability Act (SB 253) and packaged with other bills, notably SB 261, Greenhouse gases: climate-related financial risk, into California’s Climate Accountability Package, a “suite of bills,” according to the press release, “that work together to improve transparency, standardize disclosures, align public investments with climate goals, and raise the bar on corporate action to address the climate crisis. At a time when rising anti-science sentiment is driving strong pushback against responsible business practices like risk disclosure and ESG investing,” the press release continued, “these bills leverage the power of California’s market to continue the state’s long tradition of setting the gold standard on environmental protection for the nation and the world.” (See this PubCo post.) If signed into law this time, SB 253 would mandate disclosure of GHG emissions data—Scopes 1, 2 and 3—by all U.S. business entities with total annual revenues in excess of a billion dollars that “do business in California.” SB 261, with a lower reporting threshold of $500 million, would require subject companies to prepare reports disclosing their climate-related financial risk, in accordance with the TCFD framework, and to describe the measures they have adopted to reduce and adapt to that risk.
If signed into law, according to Bloomberg, SB 253 would apply to over 5,300 companies and SB 261 would apply to over 10,000 companies. But, given their history, what makes anyone think these bills will be signed into law this time? As Politico observes, “[w]hen do you know a bill might have legs? When there’s a bit of horse-trading going on.” And that’s apparently just what’s been happening recently with these bills.

New Cooley Alert: EU Adopts Long-Awaited Mandatory ESG Reporting Standards

As discussed in this excellent new Cooley Alert, EU Adopts Long-Awaited Mandatory ESG Reporting Standards, in January 2023, the European Union adopted the Corporate Sustainability Reporting Directive, which requires EU and non-EU companies that meet certain EU activity thresholds to file annual sustainability reports alongside their financial statements. These reports must be prepared in accordance with European Sustainability Reporting Standards, the first set of which were just adopted by the European Commission on July 31, 2023 and will soon become law and apply directly in all 27 EU member states (but not in the UK). Companies will need to report in compliance with these new ESRS as early as 2025 for the 2024 reporting period (and note that large EU subsidiaries of non-EU companies that meet certain criteria will need to report in 2026 for the 2025 reporting period).

Tackling ESG backlash

As ESG backlash escalated this past year, companies have often felt caught between Scylla and Charybdis, struggling to navigate between the company’s commitment to ESG issues that the company believes will contribute to its long-term performance and benefit investors and other stakeholders, and the opposition that has arisen to the corporate focus on ESG, particularly social and environmental matters. The Conference Board, however, suggests that we look at it differently: “Despite the negative connotations, ESG backlash can be a clarifying moment for companies. It can prompt companies to reevaluate their ESG strategy, priorities, and commitments,” providing an “opportunity to clarify their ESG strategy and communications.” In a recent TCB survey, half the companies indicated that they had experienced some form of ESG backlash, whether against their industry (26%), more generally (e.g., their state) (20%) or against the company specifically (18%). In addition, 61% thought that ESG backlash would “stay the same or increase over the next two years.” TCB posits that the increase will be driven largely by “emotionally charged topics, such as hot-button social issues and the transition to more sustainable forms of energy that raises fear of job losses.” With that in mind, this paper from TCB attempts to provide some analysis of the nature of ESG backlash and guidance on how companies can address it.

IAASB proposes new assurance standard for climate disclosures

A 2021 article in the WSJ about carbon emissions identified “[o]ne problem facing regulators and companies: Some of the most important and widely used data is hard to both measure and verify.” According to an academic cited in the article, the “measurement, target-setting, and management of Scope 3 is a mess.” As a result—and as the term “greenwashing” brings to mind—investors and other stakeholders are frequently apprehensive about the reliability of corporate disclosures regarding sustainability. One approach to address this concern is to obtain assurance to verify the data. However, the WSJ suggested that, based on data regarding verification of climate information provided on a voluntary basis, audits are a challenge. For one thing, verification of ESG data “is generally less rigorous than the external audits required for financial reporting.” Moreover, there is “no set standard for how climate data should be verified, or by whom.” That may be about to change—internationally, that is. Will the U.S. follow suit?

Compliance dates for SEC cybersecurity disclosure rules

As you know, the SEC adopted final rules on cybersecurity disclosure on July 26, with compliance dates tied to publication in the Federal Register. (See this PubCo post.) Those rules were published on August 4 with compliance dates spelled out in the published release.

SEC adopts final rules on cybersecurity disclosure [UPDATED]

[This post revises and updates my earlier post primarily to provide a more detailed discussion of the contents of the adopting release.]

At an open meeting on Wednesday last week, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure. In his statement at the open meeting, Commissioner Jaime Lizárraga shared the stunning statistics that, last year, 83% of companies experienced more than one data breach, with an average cost in the U.S. of $9.44 million; breaches increased 600% over the last decade and total costs across the U.S. economy could run as high as trillions of dollars per year. Given the ubiquity, frequency and complexity of these threats, in March last year, the SEC proposed cybersecurity disclosure rules intended to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. Although a number of changes to the proposal were made in the final rules in response to objections that the proposal was too prescriptive and could increase companies’ vulnerability to cyberattack, the basic structure remains the same, with requirements for both material incident reporting on Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance. According to SEC Chair Gensler, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors….Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

SEC adopts final rules on cybersecurity disclosure

In remarks to the audience at a Financial Times summit earlier this month, Gurbir Grewal, SEC Director of Enforcement, citing a recent poll from Deloitte, observed that over “a third of executives reported that their organization’s accounting and financial data was targeted by cyber adversaries last year.” As threats increase, Grewal maintained, cybersecurity is “foundational to maintaining the integrity of not just our securities markets, but our economy as a whole.” (See this PubCo post.) Similarly, in remarks in January 2022, SEC Chair Gary Gensler suggested that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials of service, malware and ransomware. It’s also a national security issue. He reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. And, in his statement at the SEC open meeting yesterday morning, Commissioner Jaime Lizárraga shared the eye-opening stats that, last year, 83% of companies experienced more than one data breach, with an average cost in the U.S. of $9.44 million; breaches increased 600% over the last decade. Given the ubiquity, frequency and complexity of these threats, in March last year, the SEC proposed cybersecurity disclosure rules intended to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. At an open meeting yesterday morning, the SEC voted, three to two, to adopt final rules on cybersecurity disclosure. Although a number of changes to the proposal were made in response to comments, the basic structure remains the same in the final rules, with requirements for both material incident reporting on Form 8-K and periodic disclosure of material information regarding cybersecurity risk management, strategy and governance.
According to Gensler, “[w]hether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors….Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

GAO reports on conflict minerals compliance in 2022

The GAO has just issued its 2022 Report on Conflict Minerals, which examines companies’ conflict minerals compliance in 2022. As you probably know, the SEC’s conflict minerals rules were originally mandated by Congress in an attempt to limit the use of revenue from the trade in conflict minerals to fund the operations of armed groups in the DRC and adjoining countries. Under Dodd-Frank, the GAO is required to assess periodically the effectiveness of the SEC’s conflict minerals rules in promoting peace and security in the DRC region. Are the SEC’s rules having any impact? Based on this report, it seems that the violence in the DRC has not abated: “overall peace and security in the eastern DRC has not improved since 2014 because of persistent, interdependent factors that fuel violence by non-state armed groups.” In 2020, the GAO reports, about 122 armed groups operated in the region, using revenue from the trade in conflict minerals as one source of funding. Experts view corruption as a contributing factor. The GAO observes that, in 2022, “armed groups continue to raise revenue from various sources, such as illegal taxation on citizens and the exploitation of natural resources,” such as conflict minerals.