“Highly anticipated” is surely an understatement for the hyperventilation that has accompanied the wait for the SEC’s new proposal on climate disclosure regulation. The proposed rulemaking has been a subject of conjecture for many months, and internal squabbles about where the proposal should land have leaked to the press. (See this PubCo post.) As one of those hyperventilators, I’ve been speculating for months about what it might include, what it might exclude. Would it require disclosure of Scope 3 GHG emissions? Would a particular framework be selected or endorsed? Would the framework sync up with international standards or, if not, how would they overlap or conflict? Would the framework be industry-specific? Would scenario analyses be mandated? Would companies be required to obtain third-party attestation or other independent assurance? Would reporting be scaled? There were a lot of questions. Now, we finally know at least some of the preliminary answers: yesterday, the SEC voted, three to one, to propose new rules requiring public companies to disclose information about the material impact of climate on their businesses, as well as information about companies’ governance, risk management and strategy related to climate risk. The disclosure, which would be included in registration statements and periodic reports, would draw, in part, on disclosures provided for under the Task Force on Climate-Related Financial Disclosures and the Greenhouse Gas Protocol. Compliance would be phased in, with reporting for large accelerated filers due in 2024 (assuming an—optimistic—effective date at the end of this year). The proposal would also mandate disclosure of a company’s Scopes 1 and 2 greenhouse gas emissions, and, for larger companies, Scope 3 GHG emissions if material (or included in the company’s emissions reduction target), with a phased-in attestation requirement for Scopes 1 and 2 for large accelerated filers and accelerated filers. 
The proposal would also require disclosure of certain climate-related financial metrics in a note to the audited financial statements. For some, a sigh of relief, for others, not so much.
According to exclusive reporting from Bloomberg, the SEC’s new proposal for climate disclosure regulation—scheduled for a vote and release on Monday—will include a requirement to disclose some Scope 3 emissions, that is “greenhouse gases that are generated by other firms in [a company’s] supply chain or by customers using [its] products.” It’s widely believed that Scope 3 emissions “make up the bulk” of most companies’ emissions. It’s unclear whether the proposed requirement would apply to all public companies or just larger ones, or whether the requirement might be phased in. As discussed below, whether or not to require disclosure of Scope 3 emissions has been a subject of heated internal debate at the SEC, and, the article suggests, the proposal appears to reflect some compromise.
In remarks earlier this month to the Council of Institutional Investors, Corp Fin director Renee Jones discussed Corp Fin’s reevaluation of the no-action process for shareholder proposals under Rule 14a-8. In particular, she provided some insight into the staff’s issuance, in November 2021, of new Staff Legal Bulletin No. 14L, which outlined Corp Fin’s most recent interpretations of Rule 14a-8(i)(7), the ordinary business exception, and Rule 14a-8(i)(5), the economic relevance exception, and rescinded three earlier SLBs—SLBs 14I, 14J and 14K—following a “review of staff experience applying the guidance in them.” Generally, new SLB 14L presented its approach as a return to the perspective that historically prevailed prior to the issuance of the three rescinded SLBs. (See this PubCo post.) The effect of SLB 14L was to make exclusion of shareholder proposals—particularly proposals related to environmental and social issues—more of a challenge for companies, smoothing the glide path for inclusion of proposals submitted by climate and other activists. Jones explains why Corp Fin believed that SLB 14L was advisable. She also shares some statistics about the current proxy season.
In this statement from the SEC’s Office of the Chief Accountant, Acting Chief Accountant Paul Munter discusses materiality assessments in the context of errors in financial statements. As he summarizes the issue, the “determination of whether an error is material is an objective assessment focused on whether there is a substantial likelihood it is important to the reasonable investor.” And when an error in historical financial statements is determined to be material, a “Big R” restatement of the prior period financial statements is required. On the other hand, if the error is not material, “but either correcting the error or leaving the error uncorrected would be material to the current period financial statements, a registrant must still correct the error, but is not precluded from doing so in the current period comparative financial statements by restating the prior period information and disclosing the error,” known as a revision or “little r” restatement. In either case, Munter observes, “both of these methods—reissuance and revision, or ‘Big R’ and ‘little r’—constitute restatements to correct errors in previously-issued financial statements as those terms are defined in U.S. GAAP.” According to a review by Audit Analytics, “while the total number of restatements by registrants declined each year from 2013 to 2020, ‘little r’ restatements as a percentage of total restatements rose to nearly 76% in 2020, up from approximately 35% in 2005.” Should we attribute this change to improvements in audit quality or internal control over financial reporting, or could it be that some companies are not being entirely objective in making their materiality determinations? In the event of error in the financial statements, Munter emphasizes, companies, auditors and audit committees must “carefully assess whether the error is material by applying a well-reasoned, holistic, objective approach from a reasonable investor’s perspective based on the total mix of information.”
[This post revises and updates my earlier post primarily to reflect the contents of the proposing release.]
At an open meeting last week, the SEC voted, three to one, to propose regulations “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” At the meeting, SEC Corp Fin Director Renee Jones said that, in today’s digitally connected world, cyber threats and incidents pose an ongoing and escalating threat to public companies and their shareholders. In light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, cybersecurity risk is affecting just about all reporting companies, she continued. While threats have increased in number and complexity, Jones said, currently, company disclosure about cybersecurity is not always decision-useful and is often inconsistent, not timely and sometimes hard for investors to locate. What’s more, some material incidents may not be reported at all. The SEC’s proposal is intended to provide meaningful and decision-useful information to help shareholders better understand cybersecurity risks and how companies are managing and responding to them. As described by Jones, the SEC approached the rulemaking from two perspectives: first, incident reporting and second, periodic disclosure regarding cybersecurity risk management, strategy and governance. According to SEC Chair Gary Gensler, “[o]ver the years, our disclosure regime has evolved to reflect evolving risks and investor needs….Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. 
Investors want to know more about how issuers are managing those growing risks….I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” Notably, the proposal is quite prescriptive, with a number of multi-part bullet point disclosure requirements, just the sort of thing to elicit a dissent from Commissioner Hester Peirce. The public comment period will be open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.
In remarks in January before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, SEC Chair Gary Gensler addressed cybersecurity under the securities laws. (See this PubCo post.) Gensler suggested that the economic cost of cyberattacks could possibly be in the trillions of dollars, taking many forms, including denials-of-service, malware and ransomware. In addition, he said, it’s a national security issue. Gensler reminded us that “cybersecurity is a team sport,” and that the private sector is often on the front lines. (As reported by the NYT, that has been especially true in recent weeks, where “the war in Ukraine is stress-testing the system.”) And today, according to Corp Fin Director Renee Jones, in light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, that’s more true than ever, with escalating cybersecurity risk affecting just about all reporting companies. Given the recent consternation over hacks and ransomware, as well as the rising potential for cyberattacks worldwide, it should come as no surprise that the SEC voted today, by a vote of three to one, to propose regulations “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” While threats have increased in number and complexity, Jones said, currently, company disclosure is not always decision-useful and is often inconsistent, not timely and hard for investors to find. What’s more, some material incidents may not be reported at all. As described by Jones, the SEC approached the rulemaking from two perspectives: first, incident reporting and second, periodic disclosure regarding cybersecurity risk management, strategy and governance. 
According to SEC Chair Gary Gensler, “[o]ver the years, our disclosure regime has evolved to reflect evolving risks and investor needs….Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks….I am pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” The public comment period will be open for 60 days following publication of the proposing release on the SEC’s website or 30 days following publication of the proposing release in the Federal Register, whichever period is longer.
In remarks at PLI’s Corporate Governance webcast last week, SEC Commissioner Allison Herren Lee advocated that, after 20 years, it’s time for the SEC to fulfill the mandate of SOX 307 by adopting rules to set minimum standards of professional conduct for attorneys appearing and practicing before the SEC in the representation of issuers. But didn’t the SEC adopt up-the-ladder attorney reporting provisions under SOX 307 many years ago? Yes, but, she contended, the SEC “did not adopt a broader set of rules as Congress directed, and quite significantly, even this single standard has not been enforced in the nearly 20 years since it was adopted.” Her suggestions for standards are sure to trigger some controversy. Will the SEC up the ante on regulations for attorneys as gatekeepers?
In September last year, Corp Fin posted a sample letter to companies containing illustrative comments regarding climate change disclosures, presumably designed to help companies think about and craft their climate-related disclosure. (See this PubCo post.) Corp Fin began by noting that, under its 2010 guidance (see this PubCo post), depending on the facts and circumstances, climate change disclosure could be elicited in a company’s SEC filings in connection with the description of business, legal proceedings, risk factors and MD&A. Still, right now, there is little in the way of prescriptive climate disclosure requirements, although a proposal for climate disclosure regulation is high on the SEC’s agenda. (See this PubCo post.) Instead, companies have looked largely to standards of materiality to determine whether climate disclosure is required in their SEC filings. However, many companies provide climate disclosure in corporate social responsibility reports that are not filed with the SEC, but are instead typically posted on company websites. As reported in a recent analysis by Audit Analytics, in the SEC’s most recent round of comment letters about climate last month, the climate disclosure on which the SEC is commenting is primarily contained in these CSR reports. And the SEC wants companies to justify—in some detail—why that disclosure isn’t also in companies’ SEC filings.
On Tuesday, the SEC announced settled charges against Baxter International Inc., its former Treasurer and Assistant Treasurer, for misconduct related to improper intra-company foreign exchange transactions that resulted in the misstatement of the company’s net income. From at least 1995 to 2019, the SEC alleged, Baxter converted foreign-currency-denominated transactions and assets and liabilities on its financial statements using its own “convention”—not in accordance with U.S. GAAP. Then, beginning around 2009, the SEC charged, Baxter leveraged the convention to devise a series of non-operating intra-company foreign exchange transactions “for the sole purpose of generating foreign exchange accounting gains or avoiding foreign exchange accounting losses.” In the order against Baxter, the SEC found that the company violated the negligence-based anti-fraud, public reporting, books and records, and internal accounting controls provisions of the federal securities laws and imposed an $18 million penalty. In this order and this order, the SEC found that the company’s Treasurer “did not take any steps to investigate how Baxter’s treasury department generated consistent gains or whether the transactions that generated the gains were permissible,” and that the Assistant Treasurer, working with others at his direction, was “primarily responsible for executing the transactions.” The Treasurer and Assistant Treasurer were determined to have violated the negligence-based anti-fraud provisions of the federal securities laws and to have caused Baxter’s public reporting and books and records violations.