On May 16, 2024, the Securities and Exchange Commission adopted amendments to Regulation S-P, the regulation that governs the treatment of nonpublic personal information about consumers by certain financial institutions. The amendments apply to broker-dealers, investment companies, and registered investment advisers (collectively, “covered institutions”) and are designed to modernize and enhance the protection of consumer financial information. Regulation S-P continues to require covered institutions to implement written polices and procedures to safeguard customer records and information (the “safeguards rule”), properly dispose of consumer information to protect against unauthorized use (the “disposal rule”), and implementation of a privacy policy notice containing an opt out option. Registered investment advisers with over $1.5 billion in assets under management will have until November 16, 2025 (18 months) to comply, those entities with less will have until May 16, 2026 (24 months) to comply.
Incident Response Program
Covered institutions will have to implement an Incident Response Program (the “Program”) to their written policies and procedures if they have not already done so. The Program must be designed to detect, respond to, and recover customer information from unauthorized third parties. The nature and scope of the incident must be documented with further steps taken to prevent additional unauthorized use. Covered institutions will also be responsible for adopting procedures regarding the oversight of third-party service providers that are receiving, maintaining, processing, or accessing their client’s data. The safeguard rule and disposal rule require that nonpublic personal information received from a third-party about their customers should be treated the same as if it were your own client.
Customer Notification Requirement
The amendments require covered institutions to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The amendments require a covered institution to provide the notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The notices must include details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves. A covered institution is not required to provide the notification if it determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. To the extent a covered institution will have a notification obligation under both the final amendments and a similar state law, a covered institution may be able to provide one notice to satisfy notification obligations under both the final amendments and the state law, provided that the notice includes all information required under both the final amendments and the state law, which may reduce the number of notices an individual receives.
Recordkeeping
Covered institutions will have to make and maintain the following in their books and records:
Written policies and procedures required to be adopted and implemented pursuant to the Safeguards Rule, including the incident response program;
Written documentation of any detected unauthorized access to or use of customer information, as well as any response to and recovery from such unauthorized access to or use of customer information required by the incident response program;
Written documentation of any investigation and determination made regarding whether notification to customers is required, including the basis for any determination made and any written documentation from the United States Attorney General related to a delay in notice, as well as a copy of any notice transmitted following such determination;
Written policies and procedures required as part of service provider oversight;
Written documentation of any contract entered into pursuant to the service provider oversight requirements; and
Written policies and procedures required to be adopted and implemented for the Disposal Rule.
Registered investment advisers will be required to preserve these records for five years, the first two in an easily accessible place.
On April 4, the SEC issued an order staying the implementation of the recently finalized climate disclosure rules (Final Rules) in response to the consolidated legal challenges in the US Court of Appeals for the Eighth Circuit. The SEC has discretion to stay its rules pending judicial review and the SEC stated that a stay would “allow the court of appeals to focus on deciding the merits [of the cases].” However, this voluntary stay should not be taken as a sign that the SEC intends to abandon the Final Rules, as the SEC said it will “continue vigorously defending the Final Rules’ validity in court and looks forward to expeditious resolution of the litigation.”
The Final Rules have faced a slew of legal challenges since adoption and the SEC also noted that the stay avoids potential uncertainty if registrants were to become subject to the Final Rules during the pendency of the legal challenges.
As we’ve said all along, there was nothing novel about this matter, and the jury agreed: this was insider trading, pure and simple. Defendant used highly confidential information about an impending announcement of the acquisition of biopharmaceutical company Medivation, Inc., the company where he worked, by Pfizer Inc. to trade ahead of the news for his own enrichment. Rather than buying the securities of Medivation, however, Panuwat used his employer’s confidential information to acquire a large stake in call options of another comparable public company, Incyte Corporation, whose share price increased materially on the important news.”
I disagree, many have described the SEC’s theory of shadow trading as “novel”. More importantly, you won’t find it in Section 10(b) or Rule 10b-5, the ostensible bases for insider trading prosecutions. I have long decried the “make it up as you go along” aspect of insider trading jurisprudence:
Notably, Rule 10b-5 itself doesn’t explicitly mention insider trading. It would be more than a half century before the SEC finally adopted a rule, Rule 10b5-1 defining just one element of insider trading – when a purchase or sale constitutes trading “on the basis of” material non public information. It is no surprise then that federal courts have struggled to define who can be guilty of insider trading and why. The result is that the crime of insider trading has a decidedly “make it up as you go along” quality. Individuals don’t know where the lines are until the courts draw them and then convict. Consequently, people have gone to prison even as courts have adopted the theories for their convictions. The fact that the U.S. Supreme Court is still defining the crime more than seven decades after Mr. Freeman cobbled together Rule 10b-5 suggests that the definition of insider trading has been too inchoate to support criminal convictions. However “well tuned to an animating principle” a theory might be, I simply don’t think due process exists when a crime is only defined after a conviction.
If Congress truly believes that insider trading should be a crime, it should define the exact elements of the crime rather than leave it to the courts to make up the rules as they send people to prison. The California legislature has in fact done just that in Corporations Code Section 25402. For more on Section 25402, see my article, California’s Unique Approach to Insider Trading Regulation, 17 Insights 21 (July 2003).
The willingness of federal courts to send people to prison based on a crime that isn’t expressed, much less defined, in any federal statute is at odds with the principle that only the people’s elected representatives in the legislature are authorized to make an act a crime. United States v. Hudson, 7 Cranch 32, 34, 11 U.S. 32, 3 L.Ed. 259 (1812). While the SEC’s case against Mr. Panuwat was civil, I expect that this novel theory will soon be applied in a criminal prosecution.
During the opening remarks of the two-day SEC Speaks Conference, Chairman Gensler failed to express any statement of support in connection with the SEC’s recently promulgated rule on mandatory climate disclosures. (Instead, his speech focused on a number of other topics, including clearinghouse rules and proposed regulations.) In contrast, Republican SEC Commissioner Uyeda devoted the entirety of his speech to offering critiques of the SEC’s newly enacted mandatory climate disclosure rule.
While most of Commissioner Uyeda’s criticisms had been previously voiced on other occasions, certain legal arguments achieved greater prominence in these remarks. In particular, Commissioner Uyeda emphasized the concept of materiality, noting that “[t]he significant changes in the final rule reflect a recognition that no disclosure rule that veers from materiality is likely to survive a court challenge,” and opining that “changes to selected portions of the rule text intended to mitigate legal risk do not necessarily convert a climate change activism rule to a material risk disclosure rule.” There was also a focus on procedural concerns, including a potential violation of the Administrative Procedure Act due to “the failure to repropose the rule” since “the changes were so significant,” and that “the fail[ure] to consider [the] rule’s economic consequences [renders] the adoption of the rule arbitrary and capricious.” Finally, Commissioner Uyeda compared the climate disclosure rule to the previously enacted conflict minerals rule (which was mandated by Congress), stating that “public companies and investors are stuck with a mandatory disclosure rule that deviates from financial materiality but fails to resolve the social purpose for which it was adopted.” Each of these arguments should be expected to feature in the upcoming litigation in the Eighth Circuit concerning the legality of the SEC’s climate disclosure rule.
Still, the failure by Chairman Gensler and his fellow Democratic Commissioners to offer a robust public defense of the climate disclosure rule may simply reflect a shifting of priorities now that the rule has been enacted. Notably, just a few days ago–on March 22, 2024–Chairman Gensler forcefully defended the SEC’s climate disclosure rule at a conference hosted by Columbia Law School, where his entire speech advocated the concept of mandatory disclosures and stated that the SEC’s climate disclosure rule “enhance[d] the consistency, comparability, and reliability of [climate-related] disclosures.” Moreover, it is altogether possible that a speech on the second day of the conference might offer a rejoinder to the varied critiques of the climate disclosure rule.
Unlike the conflict minerals rule, which was mandated by Congress, the Commission has acted on its own volition to adopt a climate disclosure rule that seeks to exert societal pressure on companies to change their behavior. It is the Commission that determined to delve into matters beyond its jurisdiction and expertise. In my view, this action deviates from the Commission’s mission and contravenes established law.
Last year, California became the first state to pass laws requiring companies to make disclosures about their greenhouse gas (“GHG”) emissions as well as the risks that climate change poses for their businesses and their plans for addressing those risks. These new laws now face funding and legal hurdles that are delaying their implementation.
While California’s new laws navigate these challenges, the U.S. Securities and Exchange Commission (“SEC”) adopted its own final climate disclosure rule on March 6. Formally entitled The Enhancement and Standardization of Climate-Related Disclosures for Investors (“SEC Rule”), it requires public companies to make disclosures about the climate-related risks that have materially impacted, or are reasonably likely to have a material impact on, a registrant’s business strategy, operations, or financial condition, and also to disclose their Scope 1 and Scope 2 GHG emissions. The SEC Rule is significantly scaled-back from what the SEC originally proposed in March 2022; most notably, it does not require disclosure of Scope 3 GHG emissions. It too faces legal challenges.
California’s New Laws[1]
On October 7, 2023, California Governor Gavin Newsom signed into law two sweeping climate disclosure bills, Senate Bill 253 (“SB 253”), the Climate Corporate Data Accountability Act, and Senate Bill 261 (“SB 261”), the Climate-Related Risk Act.
Under SB 253, companies that do business in California and have more than $1 billion in annual revenue will be required to disclose emissions data to the California Air Resources Board (“CARB”) each year, starting in 2026. The new law will affect more than 5,400 companies. Under the new law, CARB can levy fines of up to $500,000 per year for violations thereunder. The new reporting requirements apply to both public and private companies, unlike the SEC Rule, which applies only to certain public companies.
Under SB 261, companies with more than $500 million in annual revenue will be required to disclose on a biennial basis how climate change impacts their business, including reporting certain climate-related financial risks and their plans for addressing those risks. These disclosures also begin in 2026 and will affect roughly 10,000 companies.
Funding Hurdles
Funding is necessary for CARB to develop and implement regulations for both climate disclosure laws, as well as to review, administer, and enforce the new laws. To implement SB 253, CARB estimated that it required $9 million in the 2024-25 fiscal year and $2 million in the 2025-26 fiscal year. For SB 261, CARB estimated that it needed an aggregate of $13.7 million over the 2024-25 and 2025-26 fiscal years to identify covered entities, establish regulations, and develop a verification program.
Governor Newsom’s $291.5 billion budget proposal for the 2024-25 fiscal year did not allocate any funding for the implementation of the new laws. The sponsors of the two laws, SB 253’s Senator Scott Wiener and SB 261’s Senator Henry Stern, immediately released a statement sharply critical of this aspect of the Governor’s budget proposal.[2] With limited exceptions, the budget proposal defers all new discretionary spending decisions to the spring, pending input from the legislature, with a final spending plan expected in July of 2024.
The budget process in California can be a lengthy negotiation. The Governor proposes a budget, but then must work with the Legislature to develop the final budget. In this regard, it is important to note that Senator Wiener was appointed to chair the Senate Budget Committee earlier this year. Thus, it’s possible that funding will be provided to implement the laws, though CARB already faced an aggressive set of deadlines for developing the regulations.
Legal Challenges
Some companies, including tech giants like Apple and Salesforce, want the new rules implemented quickly. Large businesses may have an interest in implementing the legislation expeditiously for the benefit of operational certainty and because they have the resources to absorb costs that their smaller competitors cannot. Other companies view the new rules as needlessly burdensome and are committed to halting the legislation in its tracks.
In January, the U.S. Chamber of Commerce joined the American Farm Bureau Federation, California Chamber of Commerce, Central Valley Business Federation, Los Angeles County Business Federation and Western Growers Association in filing a lawsuit[3]in federal district court challenging the climate disclosure laws under the theory that they violate the First Amendment of the U.S. Constitution and are preempted by federal law.
According to the complaint, the climate disclosure requirements violate the First Amendment of the U.S. Constitution by “forc[ing] thousands of companies to engage in controversial speech that they do not wish to make, untethered to any commercial purpose or transaction…for the explicit purpose of placing political and economic pressure on companies to “encourage” them to conform their behavior to the political wishes of the State.” The plaintiffs argue that, in the event that the State seeks to compel a business to speak noncommercially on controversial political matters, such action shall be presumed by a reviewing court to be unconstitutional unless the government proves that it is narrowly tailored to serve a compelling state interest. The plaintiffs also allege that the new climate disclosure laws are not narrowly tailored to further any legitimate interest of the state, let alone a compelling one.
The lawsuit also contends that the federal Clean Air Act preempts California’s ability to regulate GHG emissions beyond its jurisdictional borders. According to the plaintiffs, the new laws seek to regulate out-of-state emissions “through a novel program of speech regulation.” The complaint further argues that, because the new disclosure requirements operate as de facto regulations of GHG emissions nationwide, they “run headlong” into the Dormant Commerce Clause and broader principles of federalism. The plaintiffs ask the court to enjoin California from implementing or enforcing the new rules, thereby making them null and void.
A more serious preemption challenge may be that the California climate disclosure laws are preempted by the SEC Rule. The issue was addressed during the March 6 SEC hearing (discussed below), and it’s been reported that SEC General Counsel Megan Barbero answered that “nothing” in the Rule “expressly preempts any state law.” However, she added that the issue could arise as a question of “implied preemption,” which “would be determined by a court in a future judicial proceeding.” The question would be whether the SEC has “occupied the field” to such an extent that it preempts state rules in the space. Those would be questions of fact largely turning on how the climate laws are being applied and enforced, and thus any such challenge is likely to await CARB’s implementation of the laws.
The SEC Rule
On March 6, 2024, the SEC adopted the final SEC Rule which will require public companies to include certain climate-related disclosures in registration statements and annual reports. The final SEC Rule requires registrants to disclose material climate-related risks, activities undertaken to mitigate or adapt to such risks, information regarding the board of directors’ oversight of climate-related risks and management of material climate-related risks, and information about climate-related targets or goals that are material to the company’s business, operations, or financial condition.
To add transparency to investors’ assessments of certain climate-related risks, the SEC Rule also requires disclosure of material Scope 1 and Scope 2 GHG emissions, the filing of an attestation report in connection thereof, and disclosure of impacts that severe weather events and other climate-related conditions have on financial statements, including costs and losses. The final SEC Rule includes a phased-in compliance period for all registrants, with compliance dates ranging from fiscal year 2025-26 to 2031-32, depending on the registrant’s filer status and the content of the disclosure. In general, the SEC Rule requires less than the California climate disclosure laws, as Senator Wiener observed[4].
Key Takeaways
Implementation and/or enforcement of SB 253 and SB 261 is delayed for the time being due to a lack of funding, and thus the roll-out of the regulatory regime for the two laws appears likely to slip, such that the laws’ 2026 compliance deadlines may also slip.
The lawsuit challenging SB 253 and SB 261 adds some uncertainty to the process of ensuring compliance with climate disclosure requirements, and may cause further delay.
The delayed implementation of the new laws affords companies additional time to develop a compliance strategy. Due to the lessened scope of the SEC Rule, companies that are prepared to comply with the California laws are likely to be prepared to comply with the SEC Rule. And implementation of the SEC Rule may be delayed by legal challenges as well, thereby creating more time for companies to develop a compliance strategy.
FOOTNOTES
[1] A prior article describing these laws in more detail is here.
[3] Chamber of Commerce of the United States of America, et al. v. Cal. Air Resources Board, et al. (Cal. Central Dist., Western Div.) (Case No. 2:24-cv-00801).
On March 6, 2024, by unanimous vote, the Securities and Exchange Commission (SEC) adopted changes to Rule 605 under Regulation NMS, the provision that previously required only entities defined as “market centers” to publish detailed statistics on the quality of execution of “covered orders” in NMS stocks. Amended Rule 605 expands the reporting requirement in many ways:
by reporting party, to (a) broker-dealers with over 100,000 customer accounts (not just “market centers”); (b) Single Dealer Platforms; and (c) Automated Trading Systems (as a stand-alone reporter, separate from any reports by the broker-dealer operator the ATS);
by expanding the scope of “covered orders” to include: (a) non-marketable limit orders received outside market hours and executed during market hours; (b) stop orders; and (c) short sale orders not marked short exempt and not subject to price test restrictions under Reg SHO.
by revising time and size categories to include odd-lot and fractional share orders and measure execution time in microseconds and milliseconds. Timestamps must also contain millisecond granularity.
by expanding execution quality metrics. This expansion is wide-ranging and, among other things, (a) adds effective over quoted spread (“E/Q”) as a reporting metric; (b) requires reporting of average realized spread at multiple periods from 50 milliseconds to five minutes after execution; (c) measures price improvement not only relative to the NBBO, but also relative to the “best available displayed price,” a new baseline that includes available odd-lot liquidity; (d) adds measures of size improvement; and (e) includes fill rate information for non-marketable limit orders.
In the past, Rule 605 reports were practically unreadable for retail investors. They were data-heavy rather than in “plain English” and were reported at the security level, requiring significant data analysis to draw meaningful conclusions. The revised Rule seeks to remedy this deficiency, requiring covered broker-dealers and market centers to provide a Summary Report broken out by S&P 500 and non-S&P 500 securities, by order type (market and marketable limit) and order size, with columns for: average order size (shares and notional), average midpoint, percentage of orders executed at the quote or better, percentage receiving price improvement (both absolute and as a percentage of midpoint); average effective spread; average quoted spread; average effective over quoted spread (or “E/Q” percentage); average realized spread 15 seconds and one minute after execution; and average execution speed, in milliseconds.
While the rule revisions are comprehensive and will require significant programming (or vendor) expense, particularly for broker-dealers newly subject to the rule, many of the changes are welcome. Rule 605 had previously been subject to many increasingly outdated metrics, and firms that route orders will welcome more comprehensive and granular data elements. It remains to be seen whether retail and institutional customers will use the data to demand better execution quality from their broker-dealers or manage order-entry decisions based on the data.
What is meaningful, however, is the timing of this rule revision. These revisions were proposed in December 2022 as part of a package of significant market structure changes, including a proposed Order Competition Rule, a proposed far-reaching SEC best execution requirement known as Regulation Best Execution, and proposals to revise the pricing increments for quoting and trading equity securities and the minimum fees to access that liquidity. These other proposals were very controversial and subject to strong pushback from many parts of the securities industry. Many argued that the SEC should first adopt the proposed amendments to Rule 605 and then use the data from revised Rule 605 reporting to evaluate the other rule proposals. This approach would, of course, delay consideration of the other rule proposals while data were generated under revised Rule 605. The SEC’s adoption of just the Rule 605 revisions does not preclude further consideration of the other rules, but it is a welcome development and a step in the right direction.
The Rule 605 amendments will become effective 60 days after the release is published in the Federal Register. The compliance date is currently set for 18 months after that effective date.
On March 6, 2024, the Securities and Exchange Commission (the “SEC”) adopted regulations[1] that will require public companies to file mandatory climate-related disclosures with the SEC beginning in 2026. First proposed in March 2022, the climate-related disclosure rules were finalized after consideration of over 24,000 comment letters and active lobbying of the SEC by business and public interest groups alike. These new rules are aimed at eliciting more consistent, comparable, and reliable information for investors to make informed decisions related to climate-related risks on current and potential investments.
The new rules require a registrant to disclose material climate-related risks and activities to mitigate or adapt to those risks; information about the registrant’s oversight of climate-related risks and management of those risks; and information on any climate-related targets or goals that are material to the registrant’s business, results of operations, or financial condition. In addition, these new rules require disclosure of Scope 1 and/or Scope 2 greenhouse gas (“GHG”) emissions with attestation by certain registrants when emissions are material; and disclosure of the financial effects of extreme weather events.
Unlike the initial proposal, the EU Climate Sustainability Reporting Directive (“CSRD”) and the California Climate Data Accountability Act, the new rules do not require disclosure of Scope 3 GHG emissions. The new rules require reporting based upon financial materiality, not the double-materiality (impact and financial) standard utilized by the EU under the CSRD. Whether registrants will ultimately be required to comply with the new rules depend upon the outcome of anticipated challenges, such as the challenge to the SEC’s authority to promulgate the rule filed in the Eleventh Circuit on March 6th by a coalition of ten states.
Highlights of the New Rule
In the adopting release, the SEC notes that companies are increasingly disclosing climate-related risks, whether in their SEC filings or via company websites, sustainability reports, or elsewhere; however, the content and location of such disclosures have been varied and inconsistent.[2] The new rules not only specify the content of required climate-related disclosures but also the presentation of such disclosures.
The new rules amend the SEC rules under the Securities Act of 1933 (“Securities Act”) and Securities Exchange Act of 1934 (“Exchange Act”), creating a new subpart 1500 of Regulation S-K and Article 14 of Regulation S-X. As a result, registrants, companies that are registered under the Exchange Act, will need to:
File climate-related disclosures with the SEC in their registration statements and Exchange Act annual reports;
Provide the required climate-related disclosures in either a separately captioned section of the registration statement or annual report, within another appropriate section of the filing, or the disclosures may be included by reference from another SEC filing so long as the disclosure meets the electronic tagging requirements; and
Electronically tag climate-related disclosures in Inline XBRL.
The rules require a registrant to disclose:
Climate-related risks that have had or are reasonably likely to have a material impact on the registrant’s business strategy, results of operations, or financial condition;
The actual and potential material impacts of any identified climate-related risks on the registrant’s strategy, business model, and outlook;
Specified disclosures regarding a registrant’s activities, if any, to mitigate or adapt to a material climate-related risk including the use, if any, of transition plans, scenario analysis, or internal carbon prices;
Any oversight by the board of directors of climate-related risks and any role by management in assessing and managing the registrant’s material climate-related risks;
Any processes the registrant has for identifying, assessing, and managing material climate-related risks and, if the registrant is managing those risks, whether and how any such processes are integrated into the registrant’s overall risk management system or processes;
Information about a registrant’s climate-related targets or goals, if any, that have materially affected or are reasonably likely to materially affect the registrant’s business, results of operations, or financial condition. Disclosures would include material expenditures and material impacts on financial estimates and assumptions as a direct result of the target or goal or actions taken to make progress toward meeting such target or goal;
For large accelerated filers (“LAFs”) and accelerated filers (“AFs”) that are not otherwise exempted, information about material Scope 1 emissions and/or Scope 2 emissions;
For those required to disclose Scope 1 and/or Scope 2 emissions, an assurance report at the limited assurance level, which, for an LAF, following an additional transition period, will be at the reasonable assurance level;
The capitalized costs, expenditures expensed, charges, and losses incurred as a result of severe weather events and other natural conditions, such as hurricanes, tornadoes, flooding, drought, wildfires, extreme temperatures, and sea level rise, subject to applicable one percent and de minimis disclosure thresholds, disclosed in a note to the financial statements;
The capitalized costs, expenditures expensed, and losses related to carbon offsets and renewable energy credits or certificates (“RECs”) if used as a material component of a registrant’s plans to achieve its disclosed climate-related targets or goals, disclosed in a note to the financial statements; and
If the estimates and assumptions a registrant uses to produce the financial statements were materially impacted by risks and uncertainties associated with severe weather events and other natural conditions or any disclosed climate-related targets or transition plans, a qualitative description of how the development of such estimates and assumptions was impacted, disclosed in a note to the financial statements.
Highlights of what did not get adopted
In its adopting release, the SEC described various modifications it made to its March 2022 proposed rules. The SEC explained that it made many of these changes in response to various comment letters it received. Some of the proposed rules that did not get adopted are:[3]
The SEC eliminated the proposed requirement to provide Scope 3 emissions disclosure.
The adopted rules in many instances now qualify the requirements to provide certain climate-related disclosures based on materiality.
The SEC eliminated the proposed requirement for all registrants to disclose Scope 1 and Scope 2 emissions in favor of requiring such disclosure only by large accelerated filers and accelerated filers on a phased in basis and only when those emissions are material and with the option to provide the disclosure on a delayed basis.
The SEC also exempted emerging growth companies and smaller reporting companies from the Scope 1 and Scope 2 disclosure requirement.
The SEC modified the proposed assurance requirement covering Scope 1 and Scope 2 emissions for accelerated filers and large accelerated filers by extending the reasonable assurance phase in period for LAFs and requiring only limited assurance for AFs.
The SEC eliminated the proposed requirements for registrants to disclose their GHG emissions in terms of intensity.[4]
The SEC removed the requirement to disclose the impact of severe weather events and other natural conditions and transition activities on each line item of a registrant’s financial statements. The SEC now requires disclosure of financial statement effects on capitalized costs, expenditures, charges, and losses incurred as a result of severe weather events and other natural conditions in the notes to the financial statements.
The adopted rules are less prescriptive than certain of those that were proposed. For example, the former now exclude in Item 1502(a) of Regulation S-K negative climate-related impacts on a registrant’s value chain from the definition of climate-related risks required to be disclosed. Similarly, this definition no longer includes acute or chronic risks to the operations of companies with which a registrant does business. Also, Item 1501(a) as adopted omits the originally proposed requirement for registrants to disclose (a) the identity of board members responsible for climate-risk oversight, (b) any board expertise in climate-related risks, (c) the frequency of board briefings on such risks, and (d) the details on the board’s establishment of climate-related targets or goals. Along the same lines, Item 1503 as adopted requires disclosure of only those processes for the identification, assessment, and management of material climate-related risks as opposed to a broader universe of climate-related risks. The rule as adopted does not require disclosure of how the registrant (a) determines the significance of climate-related risks compared to other risks, (b) considers regulatory policies, such as GHG limits, when identifying climate-related risks, (c) considers changes to customers’ or counterparties’ preferences, technology, or market prices in assessing transition risk, and (d) determines the materiality of climate-related risks. In the same vein, the adopted rules, unlike the proposed rules, do not require disclosure of how the registrant determines how to mitigate any high priority risks. Nor do the new rules retain the proposed requirement for a registrant to disclose how any board or management committee responsible for assessing and managing climate-related risks interacts with the registrant’s board or management committee governing risks more generally.
The SEC eliminated the proposal to require a private company that is a party to a business combination transaction, as defined by Securities Act Rule 165(f), registered on Form S-4 or Form F-4, to provide the subpart 1500 and Article 14 disclosures.
Timing of Implementation
The new rules will become effective 60 days after publication in the Federal Register. Compliance with the rules will not be required until much later, however.
Consistent with its earlier proposal, and in response to comments that the SEC received concerning the timing of implementing the proposed rule, the new rules contain delayed and staggered compliance dates that vary according to the registrant’s filing status and the type of disclosure.
The below table from the SEC’s new release summarizes the phased-in implementation dates.[5]
FILING STATUS
Large Accelerated Filers (“LAFs”)—a group whom the SEC believed most likely to be already collecting and disclosing climate-related information—will be the first registrants required to comply with the rule. The earliest that an LAF would be required to comply with the climate-disclosure rules would be upon filing its Form 10-K for the fiscal year ended December 31, 2025, which would be due no later than March 2026.[6]
Accelerated Filers (“AFs”) are not required to comply with the new rules for yet another year after LAFs. Climate-related disclosures for AFs must be included upon filing a Form 10-K for the fiscal year ended December 31, 2026, due no later than March 2027. Smaller Reporting Companies (“SRCs”), Emerging Growth Companies (“EGCs”), and Non-Accelerated Filers (“NAFs”) have yet another year to meet the first compliance deadline for climate-related disclosures. These types of filers need not include their climate-related disclosures until filing their Form 10-Ks for the fiscal year ended December 31, 2027, which, again, would be due no later than March 2028.
TYPES OF DISCLOSURES
The new rules also phase in the requirements to include certain disclosures over time. The requirements to provide quantitative and qualitative disclosures concerning material expenditures and material impacts to financial estimates or assumptions under Items 1502(d)(2), 1502(e)(2), and 1504(c)(2) are not applicable until the fiscal year immediately following the fiscal year in which the registrant’s initial compliance is required. LAFs, for example, are not required to report these qualitative and quantitative disclosures until filing a Form 10-K for the fiscal year ended December 31, 2026, due in March 2027. That should be one year after an LAF files its first Form 10-K with climate-related disclosures. The SEC adopted this phased-in approach to respond to commentators’ concerns regarding the availability (or current lack thereof) of policies, processes, controls, and system solutions necessary to support these types of disclosures.
Likewise, the new rules provide for a further phased-in compliance date for those registrants required to report their Scope 1 and Scope 2 GHG emissions and an even later date for those filers to obtain limited or reasonable assurance for those emissions disclosures. An LAF, for example, is not required to disclose its Scope 1 and Scope 2 emissions until filing its Form 10-K for the fiscal year ended December 31, 2026, due in March 2027. And those disclosures would not be required to be subject to the limited-assurance or reasonable-assurance requirements until filing the Form 10-K for the year ended December 31, 2029 or December 31, 2033, respectively.
In accordance with the table above, AFs, SRCs, EGCs, and NAFs have even more time to meet these additional disclosure requirements, if they are required to meet them at all.
It should be noted that the SEC recognized that registrants may have difficulty in obtaining GHG emission metrics by the date their 10-K report would be due. As a result, the rule contains an accommodation for registrants required to disclose Scope 1 and Scope 2 emissions, allowing domestic registrants, for example, to file those disclosures in the Form 10-Q for the second fiscal quarter in the fiscal year immediately following the year to which the GHG emissions disclosure relates. This disclosure deadline is permanent and not for a transition period.
Liability for Non-Compliance
In the introduction to the adopting release, the SEC explains that requiring registrants to provide certain climate-related disclosures in their filings will, among other things, “subject them to enhanced liability that provides important investor protections by promoting the reliability of the disclosures.”[7] This enhanced liability stems from the treatment of the disclosures as “filed” rather than “furnished” for purposes of Exchange Action Section 18 and, if included or otherwise incorporated by reference into a Securities Act registration statement, Securities Act Section 11.[8] According to the SEC, “climate-related disclosures should be subject to the same liability as other important business or financial information” that registrants include in registration statements and periodic reports and, therefore, should be treated as filed disclosures.[9]
In an attempt to balance concerns about the complexities and evolving nature of climate data methodologies and increased litigation risk, the SEC, in the adopting release, emphasizes certain modifications made in the new rules including:
limiting the scope of the GHG emissions disclosure requirement;
revising several provisions regarding the impacts of climate-related risks on strategy, targets and goals, and financial statement effects so that registrants will be required to provide the disclosures only in certain circumstances, such as when material to the registrant; and
adopting a provision stating that disclosures (other than historic facts) provided pursuant to certain of the new subpart 1500 provisions of Regulation S-K constitute “forward-looking statements” for the purposes of the PSLRA safe harbors.[10]
Registrants are subject to liability under Securities Act Section 17(a), Exchange Act Section 10(b), and/or Rule 10b-5 for false or misleading material statements in the information disclosed pursuant to the new rules.[11]
Observations
Consistent with its recent trajectory, the SEC continues to be a kinder, gentler regulator on climate disclosure requirements. Although the new rules will apply broadly to publicly traded companies, their scope is less demanding than the requirements under recent similar laws enacted in California or the EU. Under the California Climate Corporate Data Accountability Act (the “CCDA”), companies with annual revenues in excess of $1 billion and “doing business in California”[12] will be required to publicly disclose Scope 1 and Scope 2 emissions beginning in 2026, and Scope 3 emissions beginning in 2027. And because the California law applies to all companies, not just those that are publicly traded, it is also more broadly applicable and will trigger assessments and compliance for companies that are not subject to the SEC’s rule. The CCDA is currently the subject of legal challenge that includes questions of whether the required disclosures violate the First Amendment right to free speech, as well as possible federal preemption. As a result, there is a chance that the CCDA may yet be diluted or found unconstitutional. But in light of the imminent timeline for compliance, many companies subject to the CCDA are already developing programs to facilitate and ensure timely compliance with the requirements.
Similarly, the EU has broader reporting obligations under the CSRD than the SEC’s new rules. Compliance with the CSRD is required for both public and private EU companies as well as for non-EU companies with certain net annual turnovers, certain values of assets, and a certain number of employees. Under the CSRD, companies must publish information across a wide spectrum of subjects, including emissions, energy use, diversity, labor rights, and governance. Initial reporting under the CSRD begins to phase-in in 2025.
A key takeaway here is that although the SEC rules may have taken a lighter approach to climate disclosures, many large companies are likely to be subject to more stringent requirements under either the CCDA or the EU CSRD. And as some companies begin to comply to provide this information and data, the market may drive demand and an expectation that other companies, not otherwise subject to these various reporting regimes, follow suit. While the SEC rules may be a slimmed down version of what could have been, it is likely that the trend toward transparency and disclosure will continue to be driven by other regulatory bodies and market forces alike.
[1] Securities and Exchange Commission, Final Rule The Enhancement and Standardization of Climate-Related Disclosures for Investors, 17 CFR 210, 229, 230, 232, 239, and 249, adopting release available at https://www.sec.gov/files/rules/final/2024/33-11275.pdf.
[2] Id. at 48.
[3] Id. at 31-33.
[4] Id. at 225.
[5] Id. at 589.
[6] The new rules’ compliance dates apply to annual reports and registration statements. But, in the case of registration statements, compliance is required beginning with any registration statement that is required to include financial information for the full fiscal year indicated in the table above.
[7] Id. at 13.
[8] Id. at 584. At a high level, Section 18 imposes liability for false and misleading statements with respect to any material fact in documents filed with the SEC under the Exchange Act and Section 11 imposes liability for material misstatements or omissions made in connection with registered offerings conducted under the Securities Act.
[9] Id.
[10] Id. at 803.
[11] Id.
[12] A term which is not defined in the law, but is likely intentionally very broad, and is expected to be interpreted in that way.
In recent years, the Department of Justice (DOJ) has rolled out a significant and increasing number of carrots and sticks aimed at deterring and punishing white collar crime. Speaking at the American Bar Association White Collar Conference in San Francisco on March 7, Deputy Attorney General Lisa Monaco announced the latest: a pilot program to provide financial incentives for whistleblowers.
While the program is not yet fully developed, the premise is simple: if an individual helps DOJ discover significant corporate or financial misconduct, she could qualify to receive a portion of the resulting forfeiture, consistent with the following predicates:
The information must be truthful and not already known to the government.
The whistleblower must not have been involved in the criminal activity itself.
Payments are available only in cases where there is not an existing financial disclosure incentive.
Payments will be made only after all victims have been properly compensated.
Money Motivates
Harkening back to the “Wanted” posters of the Old West, Monaco observed that law enforcement has long offered rewards to incentivize tipsters. Since the passage of Dodd Frank almost 15 years ago, the SEC and CFTC have relied on whistleblower programs that have been incredibly successful. In 2023, the SEC received more than 18,000 whistleblower tips (almost 50 percent more than the previous record set in FY2022), and awarded nearly $600 million — the highest annual total by dollar value in the program’s history. Over the course of 2022 and 2023, the CFTC received more than 3,000 whistleblower tips and paid nearly $350 million in awards — including a record-breaking $200 million award to a single whistleblower. Programs at IRS and FinCEN have been similarly fruitful, as are qui tam actions for fraud against the government. But, Monaco acknowledged, those programs are by their very nature limited. Accordingly, DOJ’s program will fill in the gaps and address the full range of corporate and financial misconduct that the Department prosecutes. And though only time will tell, it seems likely that this program will generate a similarly large number of tips.
The Attorney General already has authority to pay awards for “information or assistance leading to civil or criminal forfeitures,” but it has never used that power in any systematic way. Now, DOJ plans to leverage that authority to offer financial incentives to those who (1) disclose truthful and new information regarding misconduct (2) in which they were not involved (3) where there is no existing financial disclosure incentive and (4) after all victims have been compensated. The Department has begun a 90-day policy sprint to develop and implement the program, with a formal start date later this year. Acting Assistant Attorney General Nicole Argentieri explained that, because the statutory authority is tied to the department’s forfeiture program, the Department’s Money Laundering and Asset Recovery Section will play a leading role in designing the program’s nuts and bolts, in close coordination with US Attorneys, the FBI and other DOJ offices.
Monaco spoke directly to potential whistleblowers, saying that while the Department will accept information about violations of any federal law, it is especially interested in information regarding
Criminal abuses of the US financial system;
Foreign corruption cases outside the jurisdiction of the SEC, including FCPA violations by non-issuers and violations of the recently enacted Foreign Extortion Prevention Act; and
Domestic corruption cases, especially involving illegal corporate payments to government officials.
Like the SEC and CFTC whistleblower programs, DOJ’s program will allow whistleblower awards only in cases involving penalties above a certain monetary threshold, but that threshold has yet to be determined.
Prior to Monaco’s announcement, the United States Attorney’s Office for the Southern District of New York launched its own pilot “whistleblower” program, which became effective February 13, 2024. Both the Department-wide pilot and the SDNY policy require that the government have been previously unaware of the misconduct, but they are different in a critical way: the Department-wide policy under development will explicitly apply only to reports by individuals who did not participate in the misconduct, while SDNY’s program offers incentives to “individual participants in certain non-violent offenses.” Thus, it appears that SDNY’s program is actually more akin to a VSD program, while DOJ’s Department-wide pilot program will target a new audience of potential whistleblowers.
Companies with an international footprint should also pay attention to non-US prosecutors. The new Director of the UK Serious Fraud Office recently announced that he would like to set up a similar program, no doubt noticing the effectiveness of current US programs.
Corporate Considerations
Though directed at whistleblowers, the pilot program is equally about incentivizing companies to voluntarily self-disclose misconduct in a timely manner. Absent aggravating factors, a qualifying VSD will result in a much more favorable resolution, including possibly avoiding a guilty plea and receiving a reduced financial penalty. But because the benefits under both programs only go to those who provide DOJ with new information, every day that a company sits on knowledge about misconduct is another day that a whistleblower might beat them to reporting that misconduct, and reaping the reward for doing so.
“When everyone needs to be first in the door, no one wants to be second,” Monaco said. “With these announcements, our message to whistleblowers is clear: the Department of Justice wants to hear from you. And to those considering a voluntary self-disclosure, our message is equally clear: knock on our door before we knock on yours.”
By providing a cash reward for whistleblowing to DOJ, this program may present challenges for companies’ efforts to operate and maintain and effective compliance program. Such rewards may encourage employees to report misconduct to DOJ instead of via internal channels, such as a compliance hotline, which can lead to compliance issues going undiagnosed or untreated — such as in circumstances where the DOJ is the only entity to receive the report but does not take any further action. Companies must therefore ensure that internal compliance and whistleblower systems are clear, easy to use, and effective — actually addressing the employee’s concerns and, to the extent possible, following up with the whistleblower to make sure they understand the company’s response.
If an employee does elect to provide information to DOJ, companies must ensure that they do not take any action that could be construed as interfering with the disclosure. Companies already face potential regulatory sanctions for restricting employees from reporting misconduct to the SEC. Though it is too early to know, it seems likely that DOJ will adopt a similar position, and a company’s interference with a whistleblower’s communications potentially could be deemed obstruction of justice.
This is likely to be one of the most consequential rulemakings of Chairman Gary Gensler’s tenure given the prioritization of addressing climate change as a key pillar for the Biden administration. However, given the significant controversy associated with this rulemaking effort, the final rules are likely to face legal challenges and congressional oversight in the coming months. As such, it remains unclear at this point whether the final rules will survive the forthcoming scrutiny.
WHAT IS IN THE RULE?
According to the SEC’s fact sheet:
“The final rules would require a registrant to disclose, among other things: material climate-related risks; activities to mitigate or adapt to such risks; information about the registrant’s board of directors’ oversight of climate-related risks and management’s role in managing material climate-related risks; and information on any climate-related targets or goals that are material to the registrant’s business, results of operations, or financial condition.
Further, to facilitate investors’ assessment of certain climate-related risks, the final rules would require disclosure of Scope 1 and/or Scope 2 greenhouse gas (GHG) emissions on a phased-in basis by certain larger registrants when those emissions are material; the filing of an attestation report covering the required disclosure of such registrants’ Scope 1 and/or Scope 2 emissions, also on a phased-in basis; and disclosure of the financial statement effects of severe weather events and other natural conditions including, for example, costs and losses.
The final rules would include a phased-in compliance period for all registrants, with the compliance date dependent on the registrant’s filer status and the content of the disclosure.”
NEXT STEPS
The final rules are likely to face significant opposition, including legal challenges and congressional oversight. It is expected that there will be various lawsuits brought against the final rules, which are likely to receive support from several industry groups, or potentially GOP-led state attorneys general who have been active in litigating against environmental, social and governance (ESG) policies and regulations. It is also possible that the final rules could face criticism from some climate advocates that the SEC did not go far enough in its disclosure requirements.
Further, it is expected that the House Financial Services Committee (HFSC) will conduct oversight hearings, as well as introduce a resolution under the Congressional Review Act (CRA), to attempt to block the regulations from taking effect. HFSC Chairman Patrick McHenry (R-NC) indicated that the Oversight and Investigations Subcommittee will hold a field hearing on March 18 and the full Committee will convene a hearing on April 10 to discuss the potential implications of the rules. If a CRA resolution were to pass the House and garner sufficient support from moderate Democrats in the Senate to pass, it would likely be vetoed by President Biden.
Ultimately, the SEC climate risk disclosure rules are unlikely to significantly change the trajectory of corporate disclosures made by multinational companies based in the U.S., most of whom have already been making sustainability disclosures in accordance with the Financial Stability Board’s Task Force on Climate-Related Financial Disclosures. The ongoing problem for investors is that such disclosures are not standardized and therefore are not comparable. Consequently, many of these large issuers may continue to enhance their sustainability disclosures in accordance with standards issued by the International Sustainability Standards Board and the Global Reporting Initiative as an investor relations imperative notwithstanding the SEC’s timetable for implementation of these final rules.
A more detailed analysis of the SEC rules is forthcoming from our Corporate and Asset Management and Investment Funds practices in the coming days.
Six companies have now made Item 1.05 Form 8-K filings. Three of these companies also have amended their first Form 8-K filings to provide additional detail regarding subsequent events. The remainder of the filings seem self-contained such that no amendment is necessary, but these companies may amend at a later date. In general, the descriptions of the cybersecurity incidents have been written at a high level and track the requirements of the new rules without much elaboration. It is interesting, but perhaps coincidental, that the filings seem limited to two broad industry groups: technology and financial services. In particular, two of the companies are bank holding companies.
Although several companies have now made reports under the new rules, the sample space may still be too small to draw any firm conclusions or decree what is “market.” That said, several of the companies that have filed an 8-K under Item 1.05 have described incidents and circumstances that do not seem to be financially material to the particular companies. We are aware of companies that have made materiality determinations in the past on the basis of non-financial qualitative factors when impacts of a cyber incident are otherwise quantitatively immaterial, but these situations are more the exception than the rule.
There is also a great deal of variability among the forward-looking statement disclaimers that the companies have included in the filings in terms of specificity and detail. Such a disclaimer is not required in a Form 8-K, but every company to file under Item 1.05 to date has included one. We believe this practice will continue.
Since the effectiveness of the new rules, a handful of companies have filed Form 8-K filings to describe cybersecurity incidents under Item 8.01 (“Other Events”) instead of Item 1.05. These filings have approximated the detail of what is required under Item 1.05. It is not immediately evident why these companies chose Item 8.01, but presumably the companies determined that the events were immaterial such that no filing under Item 1.05 was necessary at the time of filing. Of course, the SEC filing is one piece of a much larger puzzle when a company is working through a cyber incident and related remediation. It remains to be seen how widespread this practice will become. To date, the SEC staff has not publicly released any comment letters critiquing any Form 8-K cyber filing under the new rules, but it is still early in the process. The SEC staff usually (but not always) makes its comment letters and company responses to those comment letters public on the SEC’s EDGAR website no sooner than 20 business days after it has completed its review. With many public companies now also making the new Form 10-K disclosure on cybersecurity, we anticipate the staff will be active in providing guidance and commentary on cybersecurity disclosures in the coming year.