Category: Corporate Governance

Audit Analytics reports on cybersecurity disclosure

These days, with our government warning regularly about the likelihood of breaches in cybersecurity, concerns about cyber threats have only multiplied.  Introducing the SEC’s new proposal for cybersecurity disclosure in March (see this PubCo post), SEC Corp Fin Director Renee Jones said that, in today’s digitally connected world, cyber threats and incidents pose an ongoing and escalating threat to public companies and their shareholders. In light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, cybersecurity risk is affecting just about all reporting companies, she continued. While threats have increased in number and complexity, Jones said, currently, company disclosure about cybersecurity is not always decision-useful and is often inconsistent, not timely and sometimes hard for investors to locate. What’s more, some material incidents may not be reported at all.  Audit Analytics has just posted a new report regarding trends in cybersecurity incident disclosures. The report indicates that, in 2021, there was a 44% increase in the number of breaches disclosed, from 131 in 2020 to 188 in 2021, the most breaches disclosed in a single year since 2011. And, since 2011, the number of cybersecurity incidents disclosed annually has increased nearly 600%. Interestingly, however, in 2021, only 43% of cybersecurity incidents were disclosed in SEC filings, the report said.

Board diversity statute for “underrepresented communities” held unconstitutional under California’s equal protection provisions

On April 1, the L.A. County Superior Court granted the plaintiffs’ motion for summary judgment in Crest v. Padilla, the taxpayer litigation challenging AB 979, California’s board diversity statute for “underrepresented communities.” (See this PubCo post.) Unfortunately, at the time, only a minute order was released, which did not offer any explanation of the Court’s reasoning. Now, a new 24-page Court Order, which provides the Court’s reasoning, has been made available, and, in it, the Court concludes that the statute, Corporations Code § 301.4, violates the equal protection clause of the California Constitution on its face. Why? Because, in the Court’s view, § 301.4 treats similarly situated individuals differently based on suspect racial and other categories that are not justified by a compelling interest, nor is the statute narrowly tailored to address the interests identified. Will this case have a spillover effect on the currently pending decision in plaintiffs’ taxpayer challenge to California’s board gender diversity statute, SB 826? According to Reuters, the California State Senator who authored SB 826 said that “the case involved a ‘very different set of facts and distinctly different legal issues.’”

What’s happening with corporate political spending disclosure?

I have to admit I was surprised to read that, in the new $1.5 trillion budget bill, Congress has once again prohibited the SEC from using any funds for political spending disclosure regulation.  But there it is—Section 633—in black and white: “None of the funds made available by this Act shall be used by the Securities and Exchange Commission to finalize, issue, or implement any rule, regulation, or order regarding the disclosure of political contributions, contributions to tax exempt organizations, or dues paid to trade associations.”  That means that, for now anyway, private ordering—through shareholder proposals at individual companies and other forms of stakeholder pressure, including humiliation—will continue to be the pressure point for disclosure of corporate political contributions.  Those proposals have grown increasingly successful in the last couple of years. And, notably, it appears that the focus of many proposals has shifted recently, with more emphasis on apparent conflicts between stated company policies and values and the beneficiaries of those political contributions.

Court grants summary judgment to plaintiffs challenging California’s board diversity statute for “underrepresented communities”

As you may recall, SB 826, the California board gender diversity statute, is not the only California board diversity statute facing legal challenges. In 2020, AB 979, California’s board diversity statute for “underrepresented communities,” patterned after the board gender diversity statute, was signed into law, and it too has been facing legal challenges—in fact, litigation brought by the same plaintiffs on the same legal basis. (See this PubCo post.) Framed as a “taxpayer suit” much like Crest v. Padilla I, the sequel, Crest v. Padilla II, sought to enjoin Alex Padilla, the then-California Secretary of State, from expending taxpayer funds and taxpayer-financed resources to enforce or implement the law, and also sought a judgment declaring the diversity mandate to be unlawful in violation of the California constitution. As Crest v. Padilla I is awaiting a court decision following a bench trial (see this PubCo post), what’s happening in the sequel? After a hearing on motions by both parties for summary judgment in March, the Los Angeles Superior Court took the matter under submission and, on April Fool’s Day, the Court issued its order. But it was no joke—the Court granted plaintiffs’ motion for summary judgment. The state has not yet indicated whether it will appeal the decision. In a statement, the president of Judicial Watch, which represented the plaintiffs, said that “[t]his historic California court decision declared unconstitutional one of the most blatant and significant attacks in the modern era on constitutional prohibitions against discrimination.”

SEC proposes new rules on climate disclosure [UPDATED—PART II—GHG emissions]

[This post is Part II of a revision and update of my earlier post that primarily reflects the contents of the proposing release. Part I (here) covered the background of the proposal and described the SEC’s proposed climate disclosure framework, including disclosure of climate-related risks, governance, risk management, targets and goals, financial statement metrics and general aspects of the proposal. This post covers GHG emissions disclosure and attestation.]

So, what are the GHG emissions for a mega roll of Charmin Ultra Soft toilet paper? That was the question I asked to open this PubCo post.  According to this article in the WSJ, the answer was 771 grams, a calculation performed by the Natural Resources Defense Council.  But how did they figure that out?  How public companies could be required to calculate and report on their GHG emissions is one of the major issues addressed by the SEC in its proposal on climate-related disclosure regulation issued last week. The proposal was designed to require disclosure of “consistent, comparable, and reliable—and therefore decision-useful—information to investors to enable them to make informed judgments about the impact of climate-related risks on current and potential investments.” Drawing on the Greenhouse Gas Protocol, the proposal would, in addition to the disclosure mandate discussed in Part I of this Update, require disclosure of a company’s Scopes 1 and 2 greenhouse gas emissions, and, for larger companies, Scope 3 GHG emissions if material (or included in the company’s emissions reduction target), with a phased-in attestation requirement for Scopes 1 and 2 data for large accelerated filers and accelerated filers. The disclosure would be included in registration statements and periodic reports in the section captioned “Climate-Related Disclosure.” At 510 pages, the proposal is certainly thoughtful, comprehensive and stunningly detailed—some might say overwhelmingly so. If adopted, it would certainly require a substantial undertaking for many companies to get their arms around the extensive and granular requirements and comply with the proposal’s mandates. How companies would manage this enormous effort remains to be seen.

SEC (finally) proposes new rules on climate disclosure [UPDATED—PART I]

[This post is Part I of a revision and update of my earlier post primarily reflecting the contents of the proposing release. This post covers background and describes various aspects of the proposal other than the sections on GHG emissions disclosure and attestation, which will be covered in a separate post early next week.]

The SEC describes it modestly as a proposal to “enhance and standardize registrants’ climate-related disclosures for investors.” The WSJ called it “the biggest potential expansion in corporate disclosure since the creation of the Depression-era rules over financial disclosures that underpin modern corporate statements,” and Fortune said it “could be the biggest change to corporate disclosures in the U.S. in decades.” But now you can judge for yourself, after the SEC voted earlier this week, three to one, to propose new rules on climate disclosure regulation. The proposal was designed to require disclosure of “consistent, comparable, and reliable—and therefore decision-useful—information to investors to enable them to make informed judgments about the impact of climate-related risks on current and potential investments.” The proposal would require public companies to disclose information about climate-related risks that are reasonably likely to have a material impact on their businesses, results of operations or financial condition, as well as information about the effect of climate risk on companies’ governance, risk management and strategy. The disclosure, which would be included in registration statements and periodic reports, would draw, in part, on disclosures provided for under the Task Force on Climate-Related Financial Disclosures and the Greenhouse Gas Protocol. Compliance would be phased in, with reporting for large accelerated filers due in 2024 (assuming an—optimistic—effective date at the end of this year). The proposal would also mandate disclosure of a company’s Scopes 1 and 2 greenhouse gas emissions, and, for larger companies, Scope 3 GHG emissions if material (or included in the company’s emissions reduction target), with a phased-in attestation requirement for Scopes 1 and 2 data for large accelerated filers and accelerated filers. 
The proposal would also require disclosure of certain climate-related financial metrics in a note to the audited financial statements. At 510 pages, the proposal is certainly thoughtful, comprehensive and stunningly detailed—some might say overwhelmingly so. If adopted, it would surely require a substantial undertaking for many companies to get their arms around the extensive and granular requirements and comply with the proposal’s mandates. How companies would manage this enormous effort remains to be seen.

SEC (finally) proposes new rules on climate disclosure

“Highly anticipated” is surely an understatement for the hyperventilation that has accompanied the wait for the SEC’s new proposal on climate disclosure regulation. The proposed rulemaking has been a subject of conjecture for many months, and internal squabbles about where the proposal should land have leaked to the press. (See this PubCo post.) As one of those hyperventilators, I’ve been speculating for months about what it might include, what it might exclude. Would it require disclosure of Scope 3 GHG emissions? Would a particular framework be selected or endorsed? Would the framework sync up with international standards or, if not, how would they overlap or conflict?  Would the framework be industry-specific? Would scenario analyses be mandated? Would companies be required to obtain third-party attestation or other independent assurance? Would reporting be scaled? There were a lot of questions.  Now, we finally know at least some of the preliminary answers: yesterday, the SEC voted, three to one, to propose new rules requiring public companies to disclose information about the material impact of climate on their businesses, as well as information about companies’ governance, risk management and strategy related to climate risk. The disclosure, which would be included in registration statements and periodic reports, would draw, in part, on disclosures provided for under the Task Force on Climate-Related Financial Disclosures and the Greenhouse Gas Protocol. Compliance would be phased in, with reporting for large accelerated filers due in 2024 (assuming an—optimistic—effective date at the end of this year). The proposal would also mandate disclosure of a company’s Scopes 1 and 2 greenhouse gas emissions, and, for larger companies, Scope 3 GHG emissions if material (or included in the company’s emissions reduction target), with a phased-in attestation requirement for Scopes 1 and 2 for large accelerated filers and accelerated filers. 
The proposal would also require disclosure of certain climate-related financial metrics in a note to the audited financial statements.  For some, a sigh of relief, for others, not so much.

Lee to leave SEC

SEC Commissioner Allison Herren Lee has announced her intention not to seek another term on the Commission when her current term ends in June. Here is Chair Gary Gensler’s statement on her departure.

SEC’s Acting Chief Accountant discusses materiality assessments in connection with restatements

In this statement from the SEC’s Office of the Chief Accountant, Acting Chief Accountant Paul Munter discusses materiality assessments in the context of errors in financial statements. As he summarizes the issue, the “determination of whether an error is material is an objective assessment focused on whether there is a substantial likelihood it is important to the reasonable investor.” And when an error in historical financial statements is determined to be material, a “Big R” restatement of the prior period financial statements is required. On the other hand, if the error is not material, “but either correcting the error or leaving the error uncorrected would be material to the current period financial statements, a registrant must still correct the error, but is not precluded from doing so in the current period comparative financial statements by restating the prior period information and disclosing the error,” known as a revision or “little r” restatement. In either case, Munter observes, “both of these methods—reissuance and revision, or ‘Big R’ and ‘little r’—constitute restatements to correct errors in previously-issued financial statements as those terms are defined in U.S. GAAP.” According to a review by Audit Analytics, “while the total number of restatements by registrants declined each year from 2013 to 2020, ‘little r’ restatements as a percentage of total restatements rose to nearly 76% in 2020, up from approximately 35% in 2005.” Should we attribute this change to improvements in audit quality or internal control over financial reporting, or could it be that some companies are not being entirely objective in making their materiality determinations? In the event of error in the financial statements, Munter emphasizes, companies, auditors and audit committees must “carefully assess whether the error is material by applying a well-reasoned, holistic, objective approach from a reasonable investor’s perspective based on the total mix of information.”

SEC votes to propose new rules for cybersecurity disclosure and incident reporting [UPDATED]

[This post revises and updates my earlier post primarily to reflect the contents of the proposing release.]

At an open meeting last week, the SEC voted, three to one, to propose regulations “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” At the meeting, SEC Corp Fin Director Renee Jones said that, in today’s digitally connected world, cyber threats and incidents pose an ongoing and escalating threat to public companies and their shareholders. In light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, cybersecurity risk is affecting just about all reporting companies, she continued. While threats have increased in number and complexity, Jones said, currently, company disclosure about cybersecurity is not always decision-useful and is often inconsistent, not timely and sometimes hard for investors to locate. What’s more, some material incidents may not be reported at all. The SEC’s proposal is intended to provide meaningful and decision-useful information to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. As described by Jones, the SEC approached the rulemaking from two perspectives: first, incident reporting and second, periodic disclosure regarding cybersecurity risk management, strategy and governance. According to SEC Chair Gary Gensler, “[o]ver the years, our disclosure regime has evolved to reflect evolving risks and investor needs….Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. 
Investors want to know more about how issuers are managing those growing risks….I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” Notably, the proposal is quite prescriptive, with a number of multi-part bullet point disclosure requirements, just the sort of thing to elicit a dissent from Commissioner Hester Peirce. The public comment period will be open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.