On March 21, 2022, the SEC proposed rules to require new climate-related disclosures.  As you can read in this Press Release, the proposed rule would require new disclosures, including information about:

• “Governance of climate-related risks and relevant risk management processes
• How any climate-related risks identified by the registrant have had or are likely to have a material impact on its business and consolidated financial statements, which may manifest over the short-, medium-, or long-term
• How any identified climate-related risks have affected or are likely to affect the registrant’s strategy, business model, and outlook
• The impact of climate-related events (severe weather events and other natural conditions) and transition activities on the line items of a registrant’s consolidated financial statements, as well as on the financial estimates and assumptions used in the financial statements.”

The proposed rule would also require disclosure about greenhouse gas emissions.  All registrants would make disclosures about Scope 1 and Scope 2 emissions.  Scope 3 disclosures would be required if material or if the company has set a goal that includes Scope 3 emissions.  Accelerated and large accelerated filers would be required to include an attestation report regarding greenhouse gas emission disclosures.

You can read more in this Fact Sheet and find the proposed rule here.  The comment period for the proposed rule will be for 30 days after publication in the Federal Register or 60 days after the date of publication on sec.gov, whichever period is longer.

You can learn more in our One-Hour Briefing scheduled for April 8, 2022, “Climate Change – The SEC’s Proposed New Disclosures.”

As always, your thoughts and comments are welcome.

In this post we reviewed an SEC comment letter exchange focused on climate change issues, currently a major focus area in the SEC’s comment process.  On September 21, 2021, Meta Platforms, Inc. (“Meta”), formerly known as Facebook, received this comment letter with a number of climate-related questions.  One of the comments asked Meta about the physical impacts of climate change on its business:

6. You disclose that your business may be subject to interruptions, delays, or failures resulting from earthquakes, adverse weather conditions, or other natural disasters. If material, discuss the significant physical effects of climate change on your operations and results. This disclosure may include the following:

• severity of weather as a result of climate change, such as floods, hurricanes, sea levels, extreme fires, and water availability and quality;
• quantification of material weather-related damages to your property or operations;
• potential for indirect weather-related impacts that have affected or may affect your major customers or suppliers, and
• any weather-related impacts on the cost or availability of insurance.

After requesting more time than the regular 10 days to respond, Meta’s November 4, 2021, response letter addressed this comment with the following language:

Response

The Company respectfully advises the Staff that it regularly assesses its physical climate-related risks. Under the Applicable Disclosure Requirements, it has not experienced any material physical effects of climate change, including as related to the above listed events, on its operations and results that would be required to be disclosed under the Applicable Disclosure Requirements.

In a November 12, 2021, second comment letter, the staff included this follow-up comment:

5. Your response to prior comment 6 states that you have not experienced material physical effects of climate change. Please tell us about the physical effects of climate change you have experienced, such as effect on the severity of weather, and how you assessed the materiality of such effects. As requested in our prior comment, quantify weather-related damages to your property or operations, discuss how weather-related impacts have affected or may affect your customers or suppliers and discuss any weather-related impacts on the cost or availability of insurance.

Meta’s December 29, 2021, response to this follow-up comment provides interesting details and a more extensive discussion about how the company tracks the impact of factors such as weather on its business:

Response

As noted in response to comment 4, the Company generates substantially all of its revenue from selling advertisements, which are displayed on the Company’s online products – Facebook, Instagram and Messenger – as well as third-party applications and websites. Its material properties are its headquarters, its offices and its data centers, as disclosed under Part I, Item 2. Properties of the 2020 Form 10-K.

As part of the disclosure process described in response to comment 1, the Company assesses whether any events, including any adverse weather conditions, had a material effect on the Company, including as a result of any damage to the Company’s properties or operations. In particular, the Company’s finance team runs a financial statement line item fluctuation analysis each quarter to identify events, including weather events, that had a significant impact on financial results in the relevant reporting period. Members of the legal and finance teams then hold a meeting (the “Significant Events Meeting”) to review the results. For purposes of this review, the finance team reviews transactions or events where the aggregate, cumulative impact is or exceeds $100 million, which is approximately 0.3% of income before provision for income taxes for the year ended December 31, 2020. In that meeting, they assess whether any identified events had a material effect on the Company’s business, operating results or financial condition and whether to otherwise make any updates to the Company’s disclosures.

We would note that as part of this review in the first quarter of 2021, the Company’s finance team identified that the polar vortex wave impacting the United States in February 2021 caused the Company to incur increased energy costs of approximately just over 1% of the Company’s net income for the quarter. Although the impact of the polar vortex was therefore not material to the Company, the Company determined that it would be prudent to update its risk factors relating to adverse weather events in the Form 10-Q filed for the first quarter of 2021 to disclose that it had been, and may in the future be, subject to increased energy or other costs to maintain the availability or performance of its products in connection with adverse weather events. In connection with preparing the 2020 Form 10-K, however, the Company did not identify any potentially material weather-related impacts on its business or any weather-related events that caused potentially material damages to its properties or operations.

With respect to the Company’s customers and suppliers, as noted above, the Company generates substantially all of its revenue from selling advertisements, which are displayed on the Company’s online products – Facebook, Instagram and Messenger – as well as third-party applications and websites. The Company has a large and diversified base of advertisers in many countries around the world. As disclosed in the 2020 Form 10-K, no customer represented 10% or more of the Company’s revenue in 2020 and the Company generated revenue from advertisers located throughout the world, with approximately 45% generated in the United States and Canada, 24% generated in Europe, 23% generated in Asia-Pacific and 8% generated in the rest of the world. The Company believes that its diversified customer base, both by size and geography, helps mitigate the risk that any adverse weather event affecting any particular customer or any particular region where it has customers would have a material effect on the Company as a whole, and in preparing the 2020 Form 10-K, the Company did not identify weather-related impacts to its customers that had a potentially material effect on the Company’s business, operating results or financial condition. Weather-related impacts that have affected the Company’s suppliers include events such as the polar vortex in the United States in February 2021 that led to disruption in the business of the Company’s energy suppliers and increased energy costs for the Company as described above. However, in preparing the 2020 Form 10-K, the Company did not identify weather-related impacts to its suppliers that had a potentially material effect on the Company’s business, operating results or financial condition.

With respect to the cost or availability of insurance, the Company reviews events that had a significant impact on costs, including insurance costs, during the Significant Events Meeting. Members of the Company’s treasury team, which handles its insurance policies, participate in the Significant Events Meeting and in the disclosure process more generally. No potentially material increases in the cost or availability of insurance as a result of climate change were identified during the Significant Events Meeting or otherwise in connection with the preparation of the 2020 Form 10-K.

After this detailed response, the SEC sent Meta the regular closing letter for this comment process.

As always, your thoughts and comments are welcome!

On March 10, 2022, one day after the SEC formally proposed rules that would require new cybersecurity disclosures, the SEC set March 21, 2022, as the date the Commission will meet to consider proposing rules to “enhance and standardize registrant’s climate-related disclosures for investors.”  You can find the meeting notice and a link to the agenda here.

The meeting will begin at 11:00 AM ET and will be webcast on the SEC’s website, www.sec.gov.

As always, your thoughts and comments are welcome!

On March 9, 2022, as you can read in this Meeting Notice, the SEC is meeting to consider rule making about “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.”

As a bit of background, on January 24, 2022, Chair Gary Gensler delivered a speech titled “Cybersecurity and Securities Laws” at the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute.  He addressed cybersecurity from a variety of perspectives, including a discussion of what may be the very first “hack”, a telegraph scheme in France in 1834!  His remarks included this discussion of public company cybersecurity disclosures, which provides important insights for drafting risk factor and related cybersecurity disclosures in 34 Act reports:

Public Companies

Next, let me turn to public companies’ disclosure with respect to cyber risk and cyber events.

The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis.

Disclosure regimes evolve over the decades. Cybersecurity is an emerging risk with which public issuers increasingly must contend.

Thus, I’ve asked staff to make recommendations for the Commission’s consideration around companies’ cybersecurity practices and cyber risk disclosures. This may include their practices with respect to cybersecurity governance, strategy, and risk management.

A lot of issuers already provide cyber risk disclosure to investors. I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.

In addition, I’ve asked staff to make recommendations around whether and how to update companies’ disclosures to investors when cyber events have occurred.

Make no mistake: Public companies already have certain obligations when it comes to cybersecurity disclosures. If customer data is stolen, if a company paid ransomware, that may be material to investors. As recent cases show, failure to make accurate disclosures of cybersecurity incidents and risks can result in enforcement actions.

You can find links to discussions of cybersecurity enforcement cases listed in this post about SEC enforcement priorities.

As always, your thoughts and comments are welcome!

Climate change has been a major and well publicized part of the SEC’s agenda in the last year.  As you can read on the climate change section of the SEC’s webpage, CorpFin focused on climate change in the review process, the Enforcement Division formed a climate change task force, and the Commission issued an Invitation to Comment on climate change related matters.

CorpFin comment letters have addressed climate change.  On September 22, 2021, the staff issued this sample letter to companies providing examples of the types of comments it is issuing.

A recent comment letter to CarMax Auto Funding LLC regarding a registration statement disclosure provides an example of a climate change comment:

Risk Factors, page 38

1. To the extent that you believe investors in these asset-backed securities may be impacted by climate related events, including, but not limited to, existing or pending legislation or regulation that relates to climate change, please consider revising your disclosure to describe these risks. See the Commission’s Guidance Regarding Disclosure Related to Climate Change, Interpretive Release No. 33-9106 (February 8, 2010).

The Interpretive Release mentioned in this comment, also known as FR 82, can be found here.

The company responded to this comment with modified risk factor disclosure.  You can find the modified risk factor and an example of a risk factor summary in the registration statement.

As always, your thoughts and comments are welcome.

The SEC was busy in the weeks before the holiday season, taking several significant actions.  Here is a summary you can use to explore each development.

Latest Reg Flex Agenda

The SEC published its latest regulatory agenda, which you can review here.  Key issues to be addressed in the near-term include climate change and human capital resources disclosures.  Cybersecurity risk governance is also on the agenda.

Proposed New Rules for 10b5-1 Plans

On December 15, 2021, the SEC proposed amendments to Rule 10b5-1 to “strengthen the affirmative defense to insider trading” provided by the rule.  Details are in this related Fact Sheet and the Proposed Rule.  One significant change would be a 120-day cooling-off period before trading could begin under a plan.

Proposed New Rules and Disclosures for Stock Buybacks

On December 15, 2021, the SEC proposed amendments to its rules requiring disclosure about repurchases of equity securities.  You can read more in this Fact Sheet and the Proposed Rule.  Companies would be required to provide a new Form SR before the end of the first business day following a buyback.  In addition, periodic disclosures would include disclosure of the objective of share repurchases and any related process.

CorpFin Announcement – Personally Identifiable Information in Rule 14a-8 Submissions

On December 17, 2021, CorpFin issued this Announcement requiring companies to redact all personally identifiable and any other related sensitive information from Rule 14a-8 submissions related to shareholder proposals.  The announcement also addresses how shareholder proponents should limit the amount of personally identifiable and sensitive information they include in correspondence to only information required to establish their eligibility to submit a proposal.

As always, your thoughts and comments are welcome!

On October 29, 2021, SEC Commissioner Elad L. Roisman delivered a speech to the Los Angeles County Bar titled “Cybersecurity: Meeting the Emerging Challenge.”  In this speech he addresses important cybersecurity matters, beginning with this introductory section – “Understanding that You May be a Victim.”

“Before I go further, it’s important to acknowledge a point that is sometimes overlooked in discussions about cybersecurity.  In the case of cyber-crimes, companies are the targets and victims.  The last thing a company wants is to suffer this kind of criminal and illegal attack.  But, today, the threat of a cyber-attack is so constant and significant for every market participant that it should be viewed as a substantial likelihood.

The SEC has imposed specific obligations on particular registrants relating to certain cybersecurity risks.  But it’s undeniable that our registrants, who have more general obligations under the securities laws—such as to serve the best interests of clients or to shareholders—also are accountable for taking measures to prevent and mitigate damage from these threats as part of their broader responsibilities.

Accordingly, it has become increasingly important for market participants to work with counsel and other experts on preparing for potential cyber-attacks before they happen—that is, devising a plan for monitoring for cyber threats, responding to potential breaches, and understanding when information must be reported outside the company and to whom.”

After this assertion that cyber-attack should be viewed as a risk with a “substantial likelihood” and that companies should take measures to address this risk, he discusses cybersecurity risk for a variety of entities that the SEC regulates, including exchanges, SRO’s, advisors, broker dealers and others.

In the section addressing public issuers, he reviews the SEC’s 2018 Release “Commission Statement and Guidance on Public Company Cybersecurity Disclosures.”  In a related footnote he mentions that the Division of Corporation Finance “blazed trail” for this release with Disclosure Guidance Topic 2.  He reminds issuers that disclosure requirements in areas including risk factors, description of the business and MD&A may create obligations to disclose cybersecurity-related matters.  He also mentions that the 2018 Release focuses on  the importance of disclosure controls and procedures.  (See this post for an enforcement case about cybersecurity-related disclosure controls and procedures.)

Commissioner Roisman also discusses internal accounting controls over cybersecurity risk, mentioning the SEC’s 2018 “21(a) Report” that focused on cases where companies had been victimized in cybersecurity-related fraud.  That report, which did not enforce against the victim companies, reminded companies that internal accounting controls should address these kinds of risks.

Commissioner Roisman notes that the SEC’s rulemaking agenda includes issuer cybersecurity matters, but that no formal rulemaking has taken place yet.  He provides these thoughts about possible rulemaking:

“But I will let you know some of the things that I would be looking for as I consider any additional rules in this area.  First, we need to define any new legal obligations clearly.  Second, we need to make sure that these obligations do not create inconsistencies with requirements established by our sister government agencies.  Third, we should recognize that some registrants have greater resources than others, and we should not try to set the resource requirements for an entity.  And finally, because issuers’ businesses vary, the cybersecurity-related risks they face also will vary, and therefore a principles-based rule would likely work best.”

Commissioner Roisman’s thoughts provide helpful insights that can lead to action steps as we address cybersecurity risk going forward.

As always, your thoughts and comments are welcome!