Developments in Securities Regulation, Corporate Governance, Capital Markets, M&A and Other Topics of Interest.

The SEC brought an enforcement action against The Brink’s Company for using confidentiality agreements that the SEC alleged violated Exchange Act Rule 21F-17. That rule prohibits any person from taking any action to impede an individual from communicating directly with the Commission, including by “enforcing, or threatening to enforce, a confidentiality agreement….” The SEC has brought at least nine other similar enforcement actions in the past.

One of Brinks’ forms prohibited employees from divulging confidential information about the company to any third party without the prior written authorization of a Brinks, Inc. executive officer. The agreement defined “Confidential Information” broadly to include information about “current and potential customers, . . . prices, costs, business plans, market research, sales, marketing, . . . operational processes and techniques, [and] financial information including financial information set forth in internal records, files and ledgers or incorporated in profit and loss statements, financial reports and business plans. . . .” The SEC notes that the financial records referenced are often components of whistleblower complaints.

The SEC stated that Brinks’ in-house attorneys received general client bulletins, legal alerts, and case summaries from various private law firms discussing the Commission’s enforcement actions charging violations of Rule 21F-17(a). According to the SEC, a partner at Brinks U.S.’s outside employment counsel sent an email to the company’s General Counsels and other lawyers attaching a “Client Memo” that described the Commission’s initial Rule 21F-17 enforcement action, cited key findings from the Commission’s order, predicted that the Commission would be bringing more cases enforcing Rule 21F-17, and recommended that public companies consider incorporating into their employment agreements certain whistleblower carve-out language apparently copied verbatim from the order.

While Brinks eventually adopted whistleblower carve-outs into its severance agreements, the general confidentiality agreement was not modified.

Brinks agreed to pay a $400,000 civil monetary penalty to the SEC and agreed to certain injunctive relief.  Brinks did not admit or deny the SEC’s findings.

SEC Commissioner Hester M. Peirce issued a statement stating she believed the settlement exceeded the SEC’s authority.  Ms. Peirce objected to the requirement that Brinks’ employment agreement include the following provision:

Protected Rights. Employee understands that nothing contained in this Agreement limits Employee’s ability to file a charge or complaint with the Securities and Exchange Commission, or any other federal, state, or local governmental regulatory or law enforcement agency (“Government Agencies”). Employee further understands that nothing in this Agreement limits Employee’s ability to communicate with any Government Agencies or otherwise participate in or fully cooperate with any investigation or proceeding that may be conducted by any Government Agency [sic], including providing documents or other information, without notice to or approval from the Company. Employee can provide confidential information to Government Agencies without risk of being held liable by Brinks for liquidated damages or other financial penalties. This Agreement does not limit Employee’s right to receive an award for information provided to any Government Agencies.

Ms. Peirce objects to the text which expands the whistleblower protection beyond the SEC rules to include other government agencies.  She stated the Commission’s authority to adopt and enforce Rule 21F-17 necessarily is limited to the scope and purpose of Exchange Act Section 21F, which is to ensure the free flow of information to the Commission.

Ms. Peirce noted that even though Brinks agreed to this provision of the settlement, that should not be misconstrued as an indication that other companies are under any obligation to use the same or similar language to avoid running afoul of Rule 21F-17.

The Securities and Exchange Commission adopted rules and form amendments to:

  • Mandate the electronic filing or submission of certain documents that currently are permitted to be filed or submitted in paper; and
  • Mandate the use of Inline eXtensible Business Reporting Language (“Inline XBRL”) for the filing of the financial statements and accompanying schedules to the financial statements required by Form 11-K.

The amended rules apply to various issuers, affiliates, and national securities exchanges that file or submit reports to the SEC and will require the electronic filing or submission of:

  • Documents that currently are permitted to be submitted electronically under Rule 101(b) of Regulation S-T, including notices of exempt solicitations and exempt preliminary roll-up communications, the “glossy” annual report to security holders, Form 144 for sales of securities of issuers subject to the reporting requirements of Section 13 or 15(d) of the Exchange Act, filings on Form 6-K, and filings made by multilateral development banks;
  • Certifications made pursuant to Section 12(d) of the Exchange Act and Exchange Act Rule 12d1-3 that a security has been approved by an exchange for listing and registration; and
  • Certain foreign language documents.

The amended rules also will require the use of Inline XBRL for the filing of the financial statements and accompanying notes to the financial statements required by Form 11-K and make technical updates to Form F-10, Form F-X, and Form CB to remove outdated references.

The Commission is providing the following transition periods to provide filers with adequate time to prepare to submit these documents electronically in accordance with the EDGAR Filer Manual, including applying for the necessary filer codes on EDGAR:

  • Six months after the effective date of the amendments for filers to submit their “glossy” annual reports to security holders electronically in accordance with the EDGAR Filer Manual and, other than for Form 144, for paper filers who would be first-time electronic filers;
  • Six months after the date of publication in the Federal Register of the Commission release that adopts the version of the EDGAR Filer Manual addressing updates to Form 144 for filing Form 144 electronically on EDGAR; and
  • Three years after the effective date of the amendments for filers to submit the financial statements and accompanying schedules to the financial statements required by Form 11-K in the Inline XBRL structured data language.

The SEC has proposed amendments to rules and disclosure forms to promote consistent, comparable, and reliable information for investors concerning funds’ and advisers’ incorporation of environmental, social, and governance (“ESG”) factors.

The proposed changes would apply to registered investment companies, business development companies (together with registered investment companies, “funds”), registered investment advisers, and certain unregistered advisers (together with registered investment advisers, “advisers”). The rules and form amendments would enhance disclosure by:

  • Requiring additional specific disclosure requirements regarding ESG strategies in fund prospectuses, annual reports, and adviser brochures;
  • Implementing a layered, tabular disclosure approach for ESG funds to allow investors to compare ESG funds at a glance; and
  • Generally requiring certain environmentally focused funds to disclose the greenhouse gas (GHG) emissions associated with their portfolio investments.

ESG Strategy Disclosure for Funds and Advisers

The proposal would require funds that consider ESG factors in their investment process to disclose additional information regarding their strategy. The amount of required disclosure depends on how central ESG factors are to a fund’s strategy and follows a “layered” framework, with a concise overview in the prospectus supplemented by more detailed information in other sections of the prospectus or in other disclosure documents, all of which would be reported in a structured data language. The proposal identifies the following three types of ESG funds:

  • Integration Funds. Funds that integrate ESG factors alongside non-ESG factors in investment decisions would be required to describe how ESG factors are incorporated into their investment process.
  • ESG-Focused Funds. Funds for which ESG factors are a significant or main consideration would be required to provide detailed disclosure, including a standardized ESG strategy overview table.
  • Impact Funds. A subset of ESG-Focused Funds that seek to achieve a particular ESG impact would be required to disclose how they measure progress on their objective.

Advisers that consider ESG factors would be required to make generally similar disclosures in their brochures with respect to their consideration of ESG factors in the significant investment strategies or methods of analysis they pursue and report certain ESG information in their annual filings with the SEC.

Additional Disclosure Regarding Impacts and Proxy Voting or Engagements

Certain ESG-Focused Funds would be required to provide additional information about their strategies, including information about the impacts they seek to achieve and key metrics to assess their progress. The proposal would require funds that use proxy voting or engagement with issuers as a significant means of implementing their ESG strategy to provide additional information about their proxy voting or ESG engagements, as applicable.

GHG Emissions Reporting

The proposal generally would require ESG-Focused Funds that consider environmental factors in their investment strategies to disclose additional information regarding the GHG emissions associated with their investments. These funds would be required to disclose the carbon footprint and the weighted average carbon intensity of their portfolio. The requirements are designed to meet demand from investors seeking environmentally focused fund investments for consistent and comparable quantitative information regarding the GHG emissions associated with their portfolios and to allow investors to make decisions in line with their own ESG goals and expectations. Funds that disclose that they do not consider GHG emissions as part of their ESG strategy would not be required to report this information. Integration funds that consider GHG emissions would be required to disclose additional information about how the fund considers GHG emissions, including the methodology and data sources the fund may use as part of its consideration of GHG emissions.

The SEC announced settled charges against technology company NVIDIA Corporation for inadequate disclosures concerning the impact of cryptomining on the company’s gaming business.

The SEC’s order finds that, during consecutive quarters in NVIDIA’s fiscal year 2018, the company failed to disclose that cryptomining was a significant element of its material revenue growth from the sale of its graphics processing units (GPUs) designed and marketed for gaming. Cryptomining is the process of obtaining crypto rewards in exchange for verifying crypto transactions on distributed ledgers. As demand for and interest in crypto rose in 2017, NVIDIA customers increasingly used its gaming GPUs for cryptomining.

In two of its Forms 10-Q for its fiscal year 2018, NVIDIA reported material growth in revenue within its gaming business, according to the SEC. NVIDIA had information, however, that this increase in gaming sales was driven in significant part by cryptomining. Despite this, NVIDIA did not disclose in its Forms 10-Q, as it was required to do, these significant earnings and cash flow fluctuations related to a volatile business for investors to ascertain the likelihood that past performance was indicative of future performance. The SEC’s order also finds that NVIDIA’s omissions of material information about the growth of its gaming business were misleading given that NVIDIA did make statements about how other parts of the company’s business were driven by demand for crypto, creating the impression that the company’s gaming business was not significantly affected by cryptomining.

Specifically, the SEC alleged that NVIDIA’s analysts and investors were interested in understanding the extent to which the company’s Gaming revenue was impacted by cryptomining, and routinely asked senior management about the extent to which increases in Gaming revenue during this time frame were driven by cryptomining. In light of the volatility of certain crypto asset prices during this time frame, investors and analysts probed the significance of cryptomining to NVIDIA’s Gaming business to determine how sustainable the contributions to the company’s largest specialized market would be going forward.

The SEC also addressed disclosure controls and procedures.  Even though NVIDIA had information indicating that cryptomining was a significant factor in the year-over-year growth in revenue for the company’s GPUs for Gaming in its GPU business segment during the relevant period, NVIDIA failed to maintain disclosure controls or procedures designed to ensure that information required to be disclosed in NVIDIA’s results of operations was reported as required by the MD&A provisions of Regulation S-K, Item 303.

NVIDIA did not admit or deny the SEC’s findings.

The SEC has released an illustrative letter that contains sample comments that the Division of Corporation Finance may issue to companies based on their specific facts and circumstances related to Russia’s invasion of Ukraine and related supply chain issues.

The SEC notes companies may have disclosure obligations under the federal securities laws related to the direct or indirect impact that Russia’s invasion of Ukraine and the international response have had or may have on their business. To satisfy these obligations, the Division of Corporation Finance believes that companies should provide detailed disclosure, to the extent material or otherwise required, regarding:

  • direct or indirect exposure to Russia, Belarus, or Ukraine through their operations, employee base, investments in Russia, Belarus, or Ukraine, securities traded in Russia, sanctions against Russian or Belarusian individuals or entities, or legal or regulatory uncertainty associated with operating in or exiting Russia or Belarus,
  • direct or indirect reliance on goods or services sourced in Russia or Ukraine or, in some cases, in countries supportive of Russia,
  • actual or potential disruptions in the company’s supply chain, or
  • business relationships, connections to, or assets in, Russia, Belarus, or Ukraine.

The SEC also notes financial statements may need to reflect and disclose the impairment of assets, changes in inventory valuation, deferred tax asset valuation allowance, disposal or exiting of a business, de-consolidation, changes in exchange rates, and changes in contracts with customers or the ability to collect contract considerations. In addition, since Russia’s invasion of Ukraine, many companies have experienced heightened cybersecurity risks, increased or ongoing supply chain challenges, and volatility related to the trading prices of commodities regardless of whether they have operations in Russia, Belarus, or Ukraine that warrant disclosure.

The SEC urges companies to consider how these matters affect management’s evaluation of disclosure controls and procedures, management’s assessment of the effectiveness of internal control over financial reporting, and the role of the board of directors in risk oversight of any action or inaction related to Russia’s invasion of Ukraine, including consideration of whether to continue or to halt operations or investments in Russia and/or Belarus.

In Knight v. Miller et al., the Delaware Court of Chancery considered, among other things, whether the acceptance of an equity grant violated fiduciary duties. The case was before the Court on a motion to dismiss.

The case deals with grants of equity compensation made to directors and officers of Universal Health Services, Inc. (“UHS” or the “Company”) during the market volatility taking place in March 2020 at the beginning of the COVID-19 pandemic. UHS stock reached its lowest point on March 18, 2020, closing at $67.69 per share. After announcement of federal COVID-19 relief legislation, the Company’s stock price had rebounded to a closing price of $100.13 per share by March 30, 2020.

The grants in question were made at a meeting of the Compensation Committee on March 18, 2020.  The relevant meeting had been scheduled at least six months in advance of that date. The Defendants stated in their opening brief that the Company’s stock option grants, since 2014, have almost always been made at a meeting held in March, except for one meeting held in April.

The Plaintiff asserted that each of the Defendants named in this case had violated the duty of loyalty “by accepting the March 2020 Awards despite knowing that the March 2020 Awards were issued at strike prices that did not reflect the real value of the Company.”  The Plaintiff cited two cases for the proposition that a director or officer “can breach fiduciary duties . . . by accepting compensation that is clearly improper.” The Court noted there appeared to be a relative lack of case law fleshing out what might constitute “clearly improper.”

The Court noted Delaware courts have found that actions for breach of fiduciary duty for accepting compensation can survive a motion to dismiss where:

  • The compensation awarded was ultra vires, and the recipients knew it, or
  • Where compensation was repriced advantageously in light of confidential and sensitive business information which the recipients knew, and which they accordingly used to the company’s detriment.

The Court concluded that in this circumstance the Plaintiff must plead bad faith with respect to the Defendants’ knowingly wrongful acceptance of compensation. In other words, there must be a sufficient pleading of scienter to support a bad faith claim, which serves as a claim based on breach of the duty of loyalty.

The Court found there was an insufficient record to sustain even a claim that the Compensation Committee Defendants making the awards acted in bad faith, much less that the recipients’ acceptance violated that standard. All that was alleged was that option awards were made at what proved to be the bottom of the market.

The Court also noted the Plaintiff did not plead nonpublic facts known to the Company and the Defendants that gave rise to an inference of “clearly improper” compensation in the form of the March 2020 awards.

The SEC charged Vale S.A., a publicly traded Brazilian mining company and one of the world’s largest iron ore producers, with making false and misleading claims about the safety of its dams prior to the January 2019 collapse of its Brumadinho dam.

According to the SEC complaint, Vale:

  • improperly obtained stability declarations for the dam by knowingly using unreliable laboratory data;
  • concealed material information from its dam safety auditors;
  • disregarded accepted best practices and minimum safety standards;
  • removed auditors and firms who threatened Vale’s ability to obtain dam stability declarations; and
  • made false and misleading statements to investors.

The SEC complaint states Vale knowingly or recklessly suppressed the findings of its own retained experts. The Vale executives and employees who were responsible for monitoring the stability of Vale’s dams deceptively manipulated the processes that they supposedly safeguarded. Rather than confront the high reputational and economic costs arising from the unacceptable safety risks posed by its Brumadinho and other dams, Vale engaged in a pattern of deceptive acts designed to skirt the applicable regulatory requirements related to dam safety. Over a period of more than two years, from February 2016 through October 2018, Vale knowingly or recklessly obtained eight fraudulent and deceptive stability declarations in connection with corrupted audits of the Brumadinho dam.

At the time it obtained these stability declarations, the SEC alleges Vale knew they were based on unreliable and flawed laboratory data or a flagrant disregard for minimum standards of safety that Vale purported to follow. Vale knew that assessments of the Brumadinho dam, based on best engineering practices, had revealed that the dam did not even meet Vale’s own safety standards, much less international standards for dam safety.

Vale obtained these fraudulent stability declarations through a pattern of deceptive acts. For example, Vale removed auditors when they refused to bend to Vale’s will and utilized “blackmail” to coerce other auditors to comply with Vale’s demands. Vale cut backroom deals with one of its auditors, which promised to issue stability declarations in exchange for lucrative contracts from Vale, so long as Vale agreed to undertake certain long-term corrective actions on the dam – even though both Vale and the auditor knew that those corrective actions could not resolve the near-term safety risks posed by the Brumadinho dam.

According to the SEC, Vale’s deceit misled investors regarding several material issues: the stability of Vale’s dams; the nature of Vale’s safety practices in the wake of the Mariana dam disaster; and the actual risk of catastrophic financial consequences should any of its high-risk dams, like the Brumadinho dam, collapse.

Vale’s President and CEO perpetuated Vale’s false and misleading narrative when he falsely told investors at a meeting in Sao Paulo that Vale’s tailing dams are in a state of “impressive” quality. As reported in an April 10, 2018 article in Valor Econômico entitled, “The state of the dams today is ‘impeccable’, says Vale’s president,” the CEO stated, “As soon as I started as president, I thought about the state of the dams. If there was another accident like Mariana’s, my management would be short.” He continued, “I don’t know if this work was done after Mariana or if it was already like that, but today the dams are impeccable.”

The SEC’s allegations are from a recently filed complaint. No court has found the SEC’s allegations are true.

The SEC proposed rules and amendments regarding special purpose acquisition companies (SPACs), shell companies, and projections disclosure. The proposed new rules and amendments would, among other things:

  • Enhance disclosures and provide additional investor protections in SPAC initial public offerings and in business combination transactions between SPACs and private operating companies (de-SPAC transactions);
  • Address the treatment under the Securities Act of 1933 of business combination transactions involving a reporting shell company and amend the financial statement requirements applicable to transactions involving shell companies;
  • Provide additional guidance on the use of projections in SEC filings to address concerns about their reliability; and
  • Assist SPACs in assessing when they may be subject to regulation under the Investment Company Act of 1940.

SPAC Transactions

The proposed rules would require enhanced disclosure and provide additional investor protections in initial public offerings by SPACs and in de-SPAC transactions, including:

  • Enhanced disclosures regarding, among other things, SPAC sponsors, conflicts of interest, and dilution;
  • Additional disclosures on de-SPAC transactions, including with respect to the fairness of the transactions to the SPAC investors;
  • A requirement that the private operating company would be a co-registrant when a SPAC files a registration statement on Form S-4 or Form F-4 for a de-SPAC transaction;
  • A re-determination of smaller reporting company status within four days following the consummation of a de-SPAC transaction;
  • An amended definition of “blank check company” to make the liability safe harbor in the Private Securities Litigation Reform Act of 1995 for forward-looking statements, such as projections, unavailable in filings by SPACs and certain other blank check companies; and
  • A rule that deems underwriters in a SPAC initial public offering to be underwriters in a subsequent de-SPAC transaction when certain conditions are met.

Business Combinations Involving Shell Companies

The proposed rules applicable to business combination transactions involving shell companies, including SPACs, would:

  • Deem by rule that a business combination transaction involving a reporting shell company and another entity that is not a shell company constitutes a sale of securities to the reporting shell company’s shareholders for purposes of the Securities Act; and
  • Better align the required financial statements of private operating companies in transactions involving shell companies with those required in registration statements for initial public offerings.

Projections Disclosure

The proposed amendments to Item 10(b) of Regulation S-K would expand and update the Commission’s guidance on the presentation of projections of future economic performance in Commission filings to allow investors to better assess the reliability of the projections and whether they have a reasonable basis. The Commission proposed additional disclosure requirements to allow investors to better assess the basis of projections when they are used in SPAC business combination transactions.

Status of SPACs under the Investment Company Act of 1940

The proposed rule would address the status of SPACs as “investment companies” under the Investment Company Act. If the proposal is adopted, a SPAC that fully complies with the rule’s conditions would not need to register as an investment company under the Investment Company Act.

The proposed conditions include, among other things, that a SPAC must:

  • Maintain assets comprising only cash items, government securities, and certain money market funds;
  • Seek to complete a de-SPAC transaction after which the surviving entity will be primarily engaged in the business of the target company; and
  • Enter into an agreement with a target company to engage in a de-SPAC transaction within 18 months after its initial public offering and complete its de-SPAC transaction within 24 months of such offering.

While a SPAC would not be required to rely on the proposed rule, the proposed conditions are intended to align with the structures and practices that the SEC preliminarily believes would distinguish a SPAC that is likely to raise serious questions as to its status as an investment company from one that does not.

The SEC has proposed rules that would require registrants to provide certain climate-related information in their registration statements and annual reports. The proposed rules would require information about a registrant’s climate-related risks that are reasonably likely to have a material impact on its business, results of operations, or financial condition.

Content of the Proposed Disclosures

The proposed climate-related disclosure framework is modeled in part on the Task Force on Climate-Related Financial Disclosures (“TCFD”) recommendations, and also draws upon the Greenhouse Gas Protocol (“GHG Protocol”). In particular, the proposed rules would require a registrant to disclose information about:

  • The oversight and governance of climate-related risks by the registrant’s board and management;
  • How any climate-related risks identified by the registrant have had or are likely to have a material impact on its business and consolidated financial statements, which may manifest over the short-, medium-, or long-term;
  • How any identified climate-related risks have affected or are likely to affect the registrant’s strategy, business model, and outlook;
  • The registrant’s processes for identifying, assessing, and managing climate-related risks and whether any such processes are integrated into the registrant’s overall risk management system or processes;
  • The impact of climate-related events (severe weather events and other natural conditions as well as physical risks identified by the registrant) and transition activities (including transition risks identified by the registrant) on the line items of a registrant’s consolidated financial statements and related expenditures, and disclosure of financial estimates and assumptions impacted by such climate-related events and transition activities;
  • Scopes 1 and 2 greenhouse gas (“GHG”) emissions metrics, separately disclosed, expressed:
      o Both by disaggregated constituent greenhouse gases and in the aggregate, and
      o In absolute and intensity terms;
  • Scope 3 GHG emissions and intensity, if material, or if the registrant has set a GHG emissions reduction target or goal that includes its Scope 3 emissions; and
  • The registrant’s climate-related targets or goals, and transition plan, if any.

Similar to the GHG Protocol, the proposed rules would define:

  • Scope 1 emissions as direct GHG emissions from operations that are owned or controlled by a registrant;
  • Scope 2 emissions as indirect GHG emissions from the generation of purchased or acquired electricity, steam, heat, or cooling that is consumed by operations owned or controlled by a registrant;
  • Scope 3 emissions as all indirect GHG emissions not otherwise included in a registrant’s Scope 2 emissions, which occur in the upstream and downstream activities of a registrant’s value chain. Upstream emissions include emissions attributable to goods and services that the registrant acquires, the transportation of goods (for example, to the registrant), and employee business travel and commuting. Downstream emissions include the use of the registrant’s products, transportation of products (for example, to the registrant’s customers), end of life treatment of sold products, and investments made by the registrant.

Presentation of the Proposed Disclosures

The proposed rules would require a registrant (both domestic and foreign private issuers):

  • To provide the climate-related disclosure in its registration statements and Exchange Act annual reports;
  • To provide the Regulation S-K mandated climate-related disclosure in a separate, appropriately captioned section of its registration statement or annual report, or alternatively to incorporate that information in the separate, appropriately captioned section by reference from another section, such as Risk Factors, Description of Business, or Management’s Discussion and Analysis (“MD&A”);
  • To provide the Regulation S-X mandated climate-related financial statement metrics and related disclosure in a note to the registrant’s audited financial statements;
  • To electronically tag both narrative and quantitative climate-related disclosures in Inline XBRL; and
  • To file rather than furnish the climate-related disclosure.

Attestation for Scope 1 and Scope 2 Emissions Disclosure

The proposed rules would require an accelerated filer or a large accelerated filer to include, in the relevant filing, an attestation report covering, at a minimum, the disclosure of its Scope 1 and Scope 2 emissions and to provide certain related disclosures about the service provider. As proposed, both accelerated filers and large accelerated filers would have time to transition to the minimum attestation requirements.

Phase-In Periods and Accommodations for the Proposed Disclosures

The proposed rules include:

  • A phase-in for all registrants, with the compliance date dependent on the registrant’s filer status;
  • An additional phase-in period for Scope 3 emissions disclosure;
  • A safe harbor for Scope 3 emissions disclosure;
  • An exemption from the Scope 3 emissions disclosure requirement for a registrant meeting the definition of a smaller reporting company (“SRC”); and
  • A provision permitting a registrant, if actual reported data is not reasonably available, to use a reasonable estimate of its GHG emissions for its fourth fiscal quarter, together with actual, determined GHG emissions data for the first three fiscal quarters, as long as the registrant promptly discloses in a subsequent filing any material difference between the estimate used and the actual, determined GHG emissions data for the fourth fiscal quarter.

The proposed rules would be phased in for all registrants, with the compliance date dependent upon the status of the registrant as a large accelerated filer, accelerated or non-accelerated filer, or SRC, and the content of the item of disclosure. For example, assuming that the effective date of the proposed rules occurs in December 2022 and that the registrant has a December 31st fiscal year-end, the compliance date for the proposed disclosures in annual reports, other than the Scope 3 disclosure, would be:

  • For large accelerated filers, fiscal year 2023 (filed in 2024);
  • For accelerated and non-accelerated filers, fiscal year 2024 (filed in 2025); and
  • For SRCs, fiscal year 2025 (filed in 2026).

Registrants subject to the proposed Scope 3 disclosure requirements would have one additional year to comply with those disclosure requirements.

Governance Disclosure

Board Oversight

The proposed rules would require a registrant to disclose a number of board governance items, as applicable, including:

  • requiring a registrant to identify any board members or board committees responsible for the oversight of climate-related risks;
  • requiring disclosure of whether any member of a registrant’s board of directors has expertise in climate-related risks, with disclosure required in sufficient detail to fully describe the nature of the expertise;
  • requiring a description of the processes and frequency by which the board or board committee discusses climate-related risks;
  • disclosing how the board is informed about climate-related risks, and how frequently the board considers such risks;
  • requiring disclosure about whether and how the board or board committee considers climate-related risks as part of its business strategy, risk management, and financial oversight; and
  • requiring disclosure about whether and how the board sets climate-related targets or goals and how it oversees progress against those targets or goals, including the establishment of any interim targets or goals.

Management Oversight

The proposed rules would require a registrant to disclose a number of items, as applicable, about management’s role in assessing and managing any climate-related risks, including:

  • requiring disclosure regarding whether certain management positions or committees are responsible for assessing and managing climate-related risks and, if so, to identify such positions or committees and disclose the relevant expertise of the position holders or members in such detail as necessary to fully describe the nature of the expertise;
  • requiring disclosure about the processes by which the responsible managers or management committees are informed about and monitor climate-related risks; and
  • requiring disclosure about whether the responsible positions or committees report to the board or board committee on climate-related risks and how frequently this occurs.

Risk Management Disclosure

The proposed rules would require a registrant to describe any processes the registrant has for identifying, assessing, and managing climate-related risks.  When describing the processes for identifying and assessing climate-related risks, the registrant would be required to disclose, as applicable:

  • How it determines the relative significance of climate-related risks compared to other risks;
  • How it considers existing or likely regulatory requirements or policies, such as GHG emissions limits, when identifying climate-related risks;
  • How it considers shifts in customer or counterparty preferences, technological changes, or changes in market prices in assessing potential transition risks; and
  • How it determines the materiality of climate-related risks, including how it assesses the potential size and scope of any identified climate-related risk.

When describing any processes for managing climate-related risks, a registrant would be required to disclose, as applicable:

  • How it decides whether to mitigate, accept, or adapt to a particular risk;
  • How it prioritizes addressing climate-related risks; and
  • How it determines how to mitigate a high priority risk.

Scope 3 Emissions Disclosure Safe Harbor

The SEC is proposing a targeted safe harbor for Scope 3 emissions data in light of the unique challenges associated with that information. The proposed safe harbor would provide that disclosure of Scope 3 emissions by or on behalf of the registrant would be deemed not to be a fraudulent statement unless it is shown that such statement was made or reaffirmed without a reasonable basis or was disclosed other than in good faith. The safe harbor would extend to any statement regarding Scope 3 emissions that is disclosed pursuant to proposed subpart 1500 of Regulation S-K and made in a document filed with the Commission.

Targets and Goals Disclosure

If a registrant has set climate-related targets or goals, the proposed rules would require it to disclose them, including, as applicable, a description of:

  • The scope of activities and emissions included in the target;
  • The unit of measurement, including whether the target is absolute or intensity based;
  • The defined time horizon by which the target is intended to be achieved, and whether the time horizon is consistent with one or more goals established by a climate-related treaty, law, regulation, policy, or organization;
  • The defined baseline time period and baseline emissions against which progress will be tracked with a consistent base year set for multiple targets;
  • Any interim targets set by the registrant; and
  • How the registrant intends to meet its climate-related targets or goals.

The SEC has issued proposed rules on disclosure of cybersecurity incidents.  Specifically, the SEC is proposing to:

  • Amend Form 8-K to add Item 1.05 to require registrants to disclose information about a cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident;
  • Amend Forms 10-Q and 10-K to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents, as specified in proposed Item 106(d) of Regulation S-K. The SEC also proposes to amend these forms to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate;
  • Amend Form 10-K to require disclosure specified in proposed Item 106 regarding:
    • A registrant’s policies and procedures, if any, for identifying and managing cybersecurity risks;
    • A registrant’s cybersecurity governance, including the board of directors’ oversight role regarding cybersecurity risks; and
    • Management’s role, and relevant expertise, in assessing and managing cybersecurity related risks and implementing related policies, procedures, and strategies.
  • Amend Item 407 of Regulation S-K to require disclosure about whether any member of the registrant’s board of directors has cybersecurity expertise; and
  • Require that the proposed disclosures be provided in Inline XBRL.

Form 8-K Reporting

Proposed new Item 1.05 of Form 8-K would require a registrant to disclose the following information about a material cybersecurity incident, to the extent the information is known at the time of the Form 8-K filing:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the registrant’s operations; and
  • Whether the registrant has remediated or is currently remediating the incident.

The SEC is proposing to amend General Instruction I.A.3.(b) of Form S-3 and General Instruction I.A.2 of Form SF-3 to provide that an untimely filing on Form 8-K regarding new Item 1.05 would not result in loss of Form S-3 or Form SF-3 eligibility.

The SEC is also proposing to amend Rules 13a-11(c) and 15d-11(c) under the Exchange Act to include new Item 1.05 in the list of Form 8-K items eligible for a limited safe harbor from liability under Section 10(b) or Rule 10b-5 under the Exchange Act. In 2004, when the Commission adopted the limited safe harbor, the Commission noted its view that the safe harbor is appropriate if the triggering event for the Form 8-K requires management to make a rapid materiality determination.

Disclosure about Cybersecurity Incidents in Periodic Reports

Proposed Item 106(d)(1) of Regulation S-K would require registrants to disclose any material changes, additions, or updates to information required to be disclosed pursuant to Item 1.05 of Form 8-K in the registrant’s quarterly report filed with the Commission on Form 10-Q or annual report filed with the Commission on Form 10-K for the period (the registrant’s fourth fiscal quarter in the case of an annual report) in which the material change, addition, or update occurred.

To assist registrants in developing updated incident disclosure in their periodic reports, proposed Item 106(d)(1) provides the following non-exclusive examples of the type of disclosure that should be provided, if applicable:

  • Any material impact of the incident on the registrant’s operations and financial condition;
  • Any potential material future impacts on the registrant’s operations and financial condition;
  • Whether the registrant has remediated or is currently remediating the incident; and
  • Any changes in the registrant’s policies and procedures as a result of the cybersecurity incident, and how the incident may have informed such changes.

Disclosure of a Registrant’s Risk Management, Strategy and Governance Regarding Cybersecurity Risks

Risk Management and Strategy

Proposed Item 106(b) would require a registrant to disclose its policies and procedures, if it has any, to identify and manage cybersecurity risks and threats, including: operational risk; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk.

Specifically, proposed Item 106(b) of Regulation S-K would require disclosure, as applicable, of whether:

  • The registrant has a cybersecurity risk assessment program and, if so, a description of such program;
  • The registrant engages assessors, consultants, auditors, or other third parties in connection with any cybersecurity risk assessment program;
  • The registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third party service provider (including, but not limited to, those providers that have access to the registrant’s customer and employee data), including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers;
  • The registrant undertakes activities to prevent, detect, and minimize effects of cybersecurity incidents;
  • The registrant has business continuity, contingency, and recovery plans in the event of a cybersecurity incident;
  • Previous cybersecurity incidents have informed changes in the registrant’s governance, policies and procedures, or technologies;
  • Cybersecurity related risk and incidents have affected or are reasonably likely to affect the registrant’s results of operations or financial condition and if so, how; and
  • Cybersecurity risks are considered as part of the registrant’s business strategy, financial planning, and capital allocation and if so, how.

Governance

Proposed Item 106(c) would require disclosure of a registrant’s cybersecurity governance, including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies.

Specifically, as it pertains to the board’s oversight of cybersecurity risk, disclosure required by proposed Item 106(c)(1) would include a discussion, as applicable, of the following:

  • Whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks;
  • The processes by which the board is informed about cybersecurity risks, and the frequency of its discussions on this topic; and
  • Whether and how the board or board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight.

Proposed Item 106(c)(2) would require a description of management’s role in assessing and managing cybersecurity-related risks and in implementing the registrant’s cybersecurity policies, procedures, and strategies. This description would include, but not be limited to, the following information:

  • Whether certain management positions or committees are responsible for measuring and managing cybersecurity risk, specifically the prevention, mitigation, detection, and remediation of cybersecurity incidents, and the relevant expertise of such persons or members;
  • Whether the registrant has designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the registrant’s organizational chart, and the relevant expertise of any such persons;
  • The processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents; and
  • Whether and how frequently such persons or committees report to the board of directors or a committee of the board of directors on cybersecurity risk.

Disclosure Regarding the Board of Directors’ Cybersecurity Expertise

The SEC proposes to amend Item 407 of Regulation S-K by adding paragraph (j) to require disclosure about the cybersecurity expertise of members of the board of directors of the registrant, if any. If any member of the board has cybersecurity expertise, the registrant would have to disclose the name(s) of any such director(s), and provide such detail as necessary to fully describe the nature of the expertise. The proposed Item 407(j) disclosure would be required in a registrant’s proxy or information statement when action is to be taken with respect to the election of directors, and in its Form 10-K.

Proposed Item 407(j) would not define what constitutes “cybersecurity expertise,” given that such expertise may cover different experiences, skills, and tasks. Proposed Item 407(j)(1)(ii) does, however, include the following non-exclusive list of criteria that a registrant should consider in reaching a determination on whether a director has expertise in cybersecurity:

  • Whether the director has prior work experience in cybersecurity, including, for example, prior experience as an information security officer, security policy analyst, security auditor, security architect or engineer, security operations or incident response manager, or business continuity planner;
  • Whether the director has obtained a certification or degree in cybersecurity; and
  • Whether the director has knowledge, skills, or other background in cybersecurity, including, for example, in the areas of security policy and governance, risk management, security assessment, control evaluation, security architecture and engineering, security operations, incident handling, or business continuity planning.

Proposed Item 407(j)(2) would state that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, without limitation, for purposes of Section 11 of the Securities Act, as a result of being designated or identified as a director with expertise in cybersecurity pursuant to proposed Item 407(j). This proposed safe harbor is intended to clarify that Item 407(j) would not impose on such person any duties, obligations, or liability that are greater than the duties, obligations, and liability imposed on such person as a member of the board of directors in the absence of such designation or identification.