The SEC Drives Expanded Disclosure Requirements and Boardroom Change: Proposed rules demand director action on cybersecurity and climate.

• Author: Raymond, Doug
• Position: LEGAL BRIEF

The SEC recently proposed new disclosure rules for climate-related and cybersecurity issues. These proposals reflect an expansion not only of the disclosure obligations of public companies but also of the SEC's involvement in the internal corporate governance of public companies. In part, the rules would require public companies to disclose the relevant expertise of their directors, as well as the boards role in oversight of these specific areas. While couched in terms of disclosure, the purpose of these proposed rules is to drive (by mandating disclosure of their actions or failures to act) public companies and their boards to actively account for climate-related and cybersecurity risks. The rationale for the proposed rules is that public investors are seeking this information and that disclosure of cybersecurity risks and climate-related information can have a material impact on public companies' financial performance or position. It also supposes that such information may be material to investors making investment or voting decisions. In any event, both sets of proposed rules will increase the cost and complexity of public reporting and help feed an army of lawyers and consulting "experts."

While the proposed rules may be modified before being finalized, most observers expect that, when adopted, they will include provisions applicable to boards that are similar to those in the proposals. For this reason, boards should begin to prepare for their possible adoption.

In its proposing release on cybersecurity risk management, the SEC set forth specific disclosure requirements about board and management expertise and about the board's approach to cybersecurity risk management policies. In the climate-risk rule proposal (more than 500 pages long), the SEC laid out an even more expansive set of disclosure and corporate governance requirements. These proposed rules would impose extensive, prescriptive and complex disclosure requirements on public companies to provide quantitative and qualitative information about climate-related risks, greenhouse gas emissions and climate-related financial measures. They also would require disclosure about the resilience of their business strategies in light of potential future changes in climate-related risks and descriptions of the analytical tools, including scenario analysis, that the company uses to assess the impact of climate-related risk.

In addition to the time and expense that the proposed disclosure...