Public companies face broader disclosure obligations on climate and cyber risks

The journey from a private to public company is one of increased challenges, with multiple risks and evolving coverage needs to consider. Let us help you explore what’s possible.

The Securities Exchange Commission (SEC) announced two sets of proposals this month that could lead to broader disclosure obligations for public companies. On March 21, the commission outlined new rules that, if approved, would require companies to disclose information about their climate-related risks. And earlier this month, the SEC proposed a set of measures intended to “enhance and standardize” cyber-related disclosures.

The proposals are part of the SEC’s efforts to help investors access consistent information from the companies they plan to invest in, allowing them to make better-informed decisions. Since taking the commission’s helm in April 2021, SEC chairman Gary Gensler has made it a priority to increase scrutiny on public company reporting regarding cybersecurity and cyber readiness matters; environment, social, and governance (ESG) factors; and other topics of growing importance to investors.

Both proposals are now open for a public comment period — that ends either 30 days after each proposal is published in the Federal Register or 60 days after the date of issuance and publication on the SEC’s website. After considering all comments, and possibly allowing for further comments or replies, the commission will determine whether to adopt, update, or abandon the proposed rules.

What is being proposed?

While investors, companies, and other observers have anticipated these new rules, they have not, until now, received specific details. Both the climate disclosure and cybersecurity requirements present separate and discrete matters for public companies, but are part of the SEC’s broader initiative to offer greater transparency for investors as well as a wider class of stakeholders.

1. Proposed climate disclosures

According to Chairman Gensler, the SEC’s new climate disclosures are intended to “provide investors with consistent, comparable, and decision-useful information” and provide companies with “consistent and clear reporting obligations.”

If adopted, the rules will require greater attention to reporting on climate- and emission-related exposures, including on companies’ supply chains and customer bases. Specifically, the rules require companies to disclose information regarding: 

  • Their governance of climate-related risks and relevant risk management processes.
  • Any material impact that climate-related risks may have on the company’s business and consolidated financial statements over the short-, medium-, or long-term.
  • The actual or likely material impact of identified climate-related risks on the company’s business model, strategy, and outlook.
  • The impact that climate-related events and transition activities might have on consolidated financial statements, financial estimates, and assumptions used in financial statements.
  • Information about direct (Scope 1) and indirect (Scope 2) greenhouse gas emissions and any material emissions from upstream and downstream activities in the value chain (Scope 3).

Leading up to the release of the proposed rules, companies and investors had speculated on the degree to which the SEC would require disclosures of Scope 3 emissions. Companies generally consider Scope 3 emissions to be the most difficult to accurately report given the challenge of gathering emissions information across their supply chains and customer bases. The SEC’s proposals create a safe harbor of liability specific to Scope 3 emissions and will not require all companies to report these emissions right away.

The SEC has acknowledged that its proposed disclosures are similar to what some companies already provide in line with broadly accepted disclosure frameworks, including the recommendations by the Task Force on Climate-related Financial Disclosures.

2. Proposed cybersecurity rules

The SEC’s proposed cybersecurity rules are designed to “enhance and standardize” cyber-related disclosures. Over the last year, public companies have faced heightened SEC scrutiny over communications to investors about cybersecurity, including formal investigations and fines.

But the set of proposed rules released this month represent the commission’s first time outlining specific language since 2018. If adopted in their current format, following the ongoing public comment period, the proposed rules would require public companies to report any “material cybersecurity incidents” within four business days and provide periodic updates on these incidents. They would also be required to report about other issues, including:

  • A company’s policies and procedures intended to identify and manage cybersecurity risks.
  • Management’s role in implementing cybersecurity policies and procedures.
  • The board of directors’ expertise, if any, and its oversight of cybersecurity risk.

In a statement, Chairman Gensler recognized that many public companies already provide cybersecurity disclosures to investors but added that both the companies and investors would benefit from this information being required “in a consistent, comparable, and decision-useful manner.”

Increased scrutiny of risk management and governance capabilities

The SEC’s proposals, particularly the climate-related measures, go beyond just disclosing risks and also require greater transparency on how those risks are identified and assessed.

For instance, the climate proposal requires that if companies use scenario analysis to assess the resilience of their business strategy to climate-related risks, they should provide “a description of the scenarios used, as well as the parameters, assumptions, analytical choices, and projected principal financial impacts.” This means that investors and other stakeholders will have the ability to evaluate not only the risks but also the risk management processes and capabilities of companies making disclosures. Risk managers may not have climate and cyber specialization, but will be evaluated on how they assess those risks.

Further, the SEC’s proposals place greater emphasis on company leadership’s knowledge and oversight of climate- and cyber-related risk. Consequently, organizations will need to formally define board and senior management responsibilities. Transparency around the level of leadership expertise and involvement managing these risks will inform external stakeholder perceptions.

D&O insurance impacts

The insurance underwriting community and investors perceive the new disclosure rules as providing a roadmap for plaintiffs’ lawyers and short sellers to identify alleged failures. It is important for public companies, their boards, and C-suite executives to understand what is being proposed and to start preparing for the potential implementation of the disclosure obligations.

The landscape of potential directors and officers (D&O) claims has broadened significantly over the last decade, moving from primarily financial and accounting issues to more expansive “event driven” litigation. These new proposed rules could give rise to allegations by shareholders of company missteps on cyber and climate disclosure issues and result in class action litigation.

D&O underwriters will likely ask policyholders for more details on their cyber and climate-related initiatives and disclosure practices. It is important for companies to work with a qualified insurance broker that can assist in developing a thorough company risk profile, actively engage with underwriters, and help prepare management teams to effectively address any concerns that might impact terms, pricing, and capacity. Areas of importance include, but are not limited to: 

  • Outlining communications between cybersecurity professionals, the C-suite, and the board.
  • Describing the engagement of outside legal counsel to comply with proposed disclosure rules. 
  • Conveying a deep understanding of the potential impact these issues can have on a company’s bottom line.
  • Identifying an appropriate organizational structure and leadership to oversee cyber and climate matters.

More disclosure mandates possible

The climate and cyber disclosure requirements that are currently up for public discussion are only part of the SEC’s possible roadmap for this year. Companies and the investment community should prepare for additional rulemaking on a range of topics.

The commission may introduce rules governing special purpose acquisition companies (SPACs), which have seen a vast increase in popularity in recent years. Insider trading practices may also come under increased scrutiny. In December 2021, the commission proposed amendments to Rule 10b5-1 — now accepting comments through April 1 — to enhance disclosure requirements and investor protections against insider trading.

As new rules are introduced, companies and their directors and officers should examine how they might affect their risk management strategies and D&O insurance policies. These efforts may help reduce the risk of litigation, and may also lead to increased insurer interest and participation when building out their insurance programs during renewals.  

You’ve gone public, now what?

The journey from a private to public company is one of increased challenges, with multiple risks and evolving coverage needs to consider. Let us help you explore what’s possible.