The SEC Drives Expanded Disclosure Requirements and Boardroom Change
Proposed rules demand director action on cybersecurity and climate.
The SEC recently proposed new disclosure rules for climate-related and cybersecurity issues. These proposals reflect an expansion not only of the disclosure obligations of public companies but also of the SEC’s involvement in the internal corporate governance of public companies. In part, the rules would require public companies to disclose the relevant expertise of their directors, as well as the board’s role in oversight of these specific areas. While couched in terms of disclosure, the purpose of these proposed rules is to drive (by mandating disclosure of their actions or failures to act) public companies and their boards to actively account for climate-related and cybersecurity risks. The rationale for the proposed rules is that public investors are seeking this information and that disclosure of cybersecurity risks and climate-related information can have a material impact on public companies’ financial performance or position. It also supposes that such information may be material to investors making investment or voting decisions. In any event, both sets of proposed rules will increase the cost and complexity of public reporting and help feed an army of lawyers and consulting “experts.”
While the proposed rules may be modified before being finalized, most observers expect that, when adopted, they will include provisions applicable to boards that are similar to those in the proposals. For this reason, boards should begin to prepare for their possible adoption.
In its proposing release on cybersecurity risk management, the SEC set forth specific disclosure requirements about board and management expertise and about the board’s approach to cybersecurity risk management policies. In the climate-risk rule proposal (more than 500 pages long), the SEC laid out an even more expansive set of disclosure and corporate governance requirements. These proposed rules would impose extensive, prescriptive and complex disclosure requirements on public companies to provide quantitative and qualitative information about climate-related risks, greenhouse gas emissions and climate-related financial measures. They also would require disclosure about the resilience of their business strategies in light of potential future changes in climate-related risks and descriptions of the analytical tools, including scenario analysis, that the company uses to assess the impact of climate-related risk.
In addition to the time and expense that the proposed disclosure requirements will demand, the proposed rules also impose specific and new requirements on corporate boards. Dictating board processes is an unusual expansion of federal securities regulations into state corporation law, but boards should take steps so they will be prepared to respond when these new rules become effective.
Boards will need to identify directors and board committees that should have responsibility for the oversight of climate-related and cybersecurity risks. Boards will then need to describe the process and frequency by which they become informed about these risks. Companies will also be required to disclose whether they have specific management positions responsible for overseeing these risks, such as a chief information security officer or a chief sustainability officer for cybersecurity and climate risks, respectively. If there is such a specific position or committee, the company will need to disclose how this person or committee reports to the board. In addition, similar to what the SEC has previously done for audit committees, companies will be required to identify whether any involved directors have expertise in assessing these issues. Boards should provide supporting information to fully describe the nature of the expertise.
The climate-related risk proposal will require boards to disclose their processes for how, and how frequently, they discuss climate-related risks; how the board considers climate-related risks as part of its evaluation of business strategy, risk management and financial oversight; and how the board sets and oversees progress against climate-related targets or goals, including interim targets or goals. In the case of these risks, boards will be asked to explain not only what climate-related risks are material to the company, but also how they decide whether to mitigate, accept or adapt to particular climate-related risks.
In preparing for this, boards should note that the combined effect of the SEC proposals may be that boards are increasingly composed of directors with the specific expertise desired by the government, rather than with an emphasis on wisdom, general business experience or acumen. Boards should consider how best to implement these requirements and how they might impact the way their board is constituted and how it functions. As boards consider how best to comply, they could initiate searches for cybersecurity and environmental experts, who will likely be in demand under the new regime. Boards could also try to enhance the knowledge of existing directors through training. Some boards may choose instead not to seek these specific technical skills, but to engage third-party experts who can assist the board in its oversight responsibilities.
Boards should also determine how to adjust their oversight responsibilities to accommodate the new mandates. They must consider whether additional meetings may be necessary (and, if so, how many) to do this work in an already crowded board calendar. Directors should consider creating specific management positions to assist them in formalizing climate and cyber risk analysis as part of the company’s overall business strategy.
The SEC’s proposed rules may certainly change before adoption, and may well be challenged in court, but the impetus behind these proposals is real. Investors, both individual and institutional, have demonstrated significant and sustained interest in climate change, cybersecurity and other ESG-related issues. Although the proposals are framed as disclosure requirements, they are designed to impact corporate behavior, including that of board members. Boards and their advisors should plan now for how best to respond to the proposed rules and, in the case of the climate-related rules, to the broader social forces driving them.
Doug Raymond is a partner at the law firm of Faegre Drinker Biddle & Reath LLP (www.faegredrinker.com). He can be reached at douglas.raymond@faegredrinker.com. Jason Tian assisted in preparing this column.