Securities Snapshot: 2nd Quarter 2024

SEC Slows Down Rulemaking

After a few years of proposing and adopting an unprecedented number of new rules, the Securities and Exchange Commission moderated its rule adoption activities in the second quarter of 2024. During the quarter, the SEC voluntarily stayed its climate-related disclosure rules and released a statement discussing what to disclose for cybersecurity incidents that have not yet been deemed material. We review these developments in this Snapshot and offer guidance on how companies can prepare for new climate rules when they take effect. We also review the implications of statements from the Division of Corporation Finance on cybersecurity incident disclosure.

Preparing for the SEC’s New Climate Rules: What to Do Now

On March 6, 2024, the SEC adopted new rules mandating climate-related disclosures in public companies’ annual reports and registration statements. As anticipated, the rules are facing multiple legal challenges, which have been consolidated in the U.S. Court of Appeals for the Eighth Circuit.

In light of these legal challenges, the SEC voluntarily stayed the effectiveness of the new rules while the rules are under judicial review. Under the compliance schedule as originally adopted, large accelerated filers would be required to comply beginning with their 2025 annual reports.

While the stay and litigation likely mean that companies have more time to comply with the rules, companies should still begin preparing so they are ready if and when the climate rules go into effect. Additionally, even if the SEC’s rules are scaled back or overturned, a growing number of states and other countries are requiring similar disclosures, which can include quantitative and qualitative measures of the climate impact of operations, projected climate-related risks, and progress toward sustainability goals.

What Should Companies Expect?
Since challenges to the rules in the courts face an uncertain outcome and an unpredictable timeframe, companies should turn their attention to developing compliance plans. Although the requirements are on hold, if the rules survive the challenge, in whole or in part, companies will be required to comply with the rules. Large accelerated filers will need to prepare in case they will need to begin to comply with the climate disclosure rules during their fiscal years beginning in 2025. Although it is likely the SEC will provide some transition period before companies have to comply, such transition period is also uncertain and will likely depend on the duration and result of the litigation.

Given the uncertainty, large accelerated filers in particular will need to have their compliance programs in place by the beginning of 2025 in order to ensure that they are in a position to provide the required disclosure following the end of 2025. 

What Should Companies Focus on Now?
The stay and litigation provide more time for companies to consider and evaluate what is needed to comply with the climate disclosure rules. Companies should evaluate the controls they have in place to support climate-related statements, as well as what would be needed to be put in place under the new rules.

Companies should consider whether they will be subject to climate disclosure rules proposed or adopted in other jurisdictions, and if so, begin the process of understanding such rules and their impacts. For companies subject to multiple climate-disclosure reporting obligations, the stay affords companies additional time to assess what disclosure obligations they are subject to, determine what additional rules may apply to them, and determine what information they need to comply with the SEC’s rules and those of other jurisdictions.

Under the SEC rules, climate-related disclosures in many cases will be required only if they are determined to be material, and companies will be required to disclose the processes they use to identify, assess and manage any material climate-related risks. In recent years, the SEC staff has indicated in the course of reviewing company filings that it may scrutinize companies’ materiality determinations for climate-related disclosures. As a result, companies will be expected to have robust processes to identify and assess climate-related risks.

To the extent companies have set climate-related targets and goals, whether publicly disclosed or not, companies should maintain focus on ensuring consistency and accuracy in such reporting. Companies should also assess on an ongoing basis their progress toward those targets and goals, and whether they need to be disclosed in SEC filings.

Companies may also want to evaluate current measures for board oversight and consider potential changes in board committee charters to modify or formalize the processes for board oversight of climate-related disclosures, particularly focusing on the disclosure of such oversight processes. 

Additionally, companies can use this time to become aware of the public disclosures being made by their peers and other similarly-situated companies in the same industry to use as benchmarking for current climate disclosures and the climate disclosure rules to come if the rules go into effect. Even if the climate disclosure rules are invalidated, this review can also help companies evaluate the investor and other stakeholder demands on such disclosures.

While the SEC has stayed the climate disclosure rules, companies may take this opportunity to review their current climate-related disclosures, familiarize themselves with disclosure requirements to which they and their industry peers may become subject, and implement or update relevant controls and procedures.

Disclosure of Cybersecurity Incidents Determined To Be Material

The SEC’s Division of Corporation Finance Director Erik Gerding released a statement on May 21, 2024 addressing the disclosure of cybersecurity incidents determined to be material and other cybersecurity incidents under Item 1.05 of Form 8-K. In the statement, Director Gerding addressed how public companies can disclose cybersecurity incidents that have not yet been identified as “material” and emphasized the relevant factors that should be considered when making materiality determinations.

The SEC adopted new rules in July 2023 to enhance disclosures regarding cybersecurity procedures and processes and material cybersecurity incidents by public companies. Among other things, the cybersecurity rules require companies to disclose material cybersecurity incidents under the new Item 1.05 of Form 8-K. The trigger for the required disclosure is that the cybersecurity incident “is determined by the registrant to be material.” Companies must determine the materiality of an incident without “unreasonable delay” following discovery and, if the incident is determined to be material, file a Form 8-K under Item 1.05 providing required disclosure within four business days of such determination. A company is then required to file an amendment to its Form 8-K filing if certain required information was not available at the time of the initial filing. The new disclosure obligations became effective on December 18, 2023.

Since the effective date, seventeen companies have disclosed cybersecurity incidents under Item 1.05 of Form 8-K. Only one of these disclosures involved a cybersecurity incident that the company expressly disclosed was material and one company disclosed in an amendment to a previously filed Item 1.05 Form 8-K that the cybersecurity incident was identified as material. During this same period, five companies made voluntary disclosures of cybersecurity incidents under Items 7.01 or 8.01 of Form 8-K.

In the statement, Director Gerding encouraged companies to limit their disclosure of cybersecurity incidents under Item 1.05 of Form 8-K to those cybersecurity incidents that have been determined by the registrant to be material. If a company wishes to disclose a cybersecurity incident (i) that it has determined is not material, or (ii) for which it has not yet made a materiality determination, it is encouraged to do so under a different item of Form 8-K (e.g., Item 8.01).

Although voluntary reporting is not prohibited under Item 1.05, Director Gerding noted that disclosing material cybersecurity incidents separately from other cybersecurity incidents will allow investors to make better investment and voting decisions. If the cybersecurity incident reported under a different item of Form 8-K is later determined to be material, the company should file an Item 1.05 of Form 8-K within four business days of its materiality determination. The Item 1.05 Form 8-K must satisfy the requirements of Item 1.05, even if the company chooses to refer to the earlier Form 8-K in its subsequent filing.

Director Gerding also reminded companies to consider qualitative factors in addition to the quantitative factors of the cybersecurity’s impact on the company’s financial condition and operations. Companies should also consider the cybersecurity incident’s impact on harm to the company’s reputation, customer or vendor relationships, or competitiveness. The assessment should also account for potential litigation or regulatory actions arising from the incident.

It is important to note, however, that this statement was provided by Director Gerding in his official capacity, which does not necessarily reflect the views of the SEC, its Commissioners, or other members of the SEC staff. While materiality determinations will continue to be difficult and will often take time, Director Gerding’s statement clarifies that it is acceptable to provide disclosure under a different item of Form 8-K during this period.

Regulation FD and Material Cybersecurity Incidents
Director Gerding subsequently released a statement on June 20, 2024 addressing questions related to cybersecurity disclosure requirements and Regulation FD, which requires public disclosure of any material nonpublic information that has been selectively disclosed to securities market professionals and shareholders. Depending on the information disclosed, and the persons to whom that information is disclosed, discussions regarding a cybersecurity incident may implicate Regulation FD. Nothing in Item 1.05 alters Regulation FD or makes it apply any differently to communications regarding cybersecurity incidents according to Director Gerding. Director Gerding also provided several examples of ways that a public company can privately share information regarding a material cybersecurity incident beyond what was disclosed in its Form 8-K without implicating Regulation FD. These examples include information that is being privately shared about the incident when the incident is deemed to be immaterial, or the parties with whom the information is being shared may not be one of the persons exempted by Regulation FD. Further, even if the information being shared is material nonpublic information and the parties with whom the information is being shared are the types of persons covered by Regulation FD, an exclusion from the application of Regulation FD may apply. Despite this statement by Director Gerding, companies should carefully analyze their compliance with Regulation FD and Item 1.05 of Form 8-K when disclosing or discussing cybersecurity incidents.

Nasdaq Diversity Matrix Litigation: Update

 As discussed in last quarter’s Securities Snapshot, the Nasdaq board diversity disclosure requirements may be in jeopardy as we await the decision of the en banc Fifth Circuit following the oral argument in Alliance for Fair Board Recruitment and National Center for Public Policy v. SEC. Oral arguments were heard by the Court in June 2024, where the discussion seemed to be dominated by rule skeptics. We will continue to track this case and provide updates as they develop.

U.S. Court of Appeals Voids SEC Rollback of Proxy Voting Advice Rules

A federal appeals court voted 3-0 on June 26, 2024 to strike down part of the SEC’s 2022 rollback of rules that critics said impeded the independence of proxy advisory firms that help investors vote in corporate elections. The rollback covered requirements that firms such as Institutional Shareholder Services and Glass Lewis notify companies about their advice no later than when they notify clients, as well as provide clients a means to obtain companies’ written responses to that advice. SEC staff have said that the Commission is reviewing the decision and will determine its appropriate next steps.

United States Supreme Court Overturns Chevron Deference

In Loper Bright Enterprises v. Raimondo, the U.S. Supreme Court expressly overruled the doctrine of deferring to an agency’s interpretation of allegedly ambiguous statutory language initially articulated in Chevron U.S.A. Inc. v. Natural Resources Defense Council, Inc.

The Chevron doctrine was based on the idea that when Congress passes a statute ambiguous enough to have multiple interpretations, it implicitly delegates to agencies enforcing the statute the authority to resolve the ambiguity based on their expertise.

However, the Supreme Court’s recent decision on June 28, 2024 now requires courts to decide the meaning of ambiguous statutes without deferring to an agency’s interpretation. The majority opinion explains that the assumption that statutory ambiguities are implicit delegations “does not approximate reality.” That is because, in the Court’s view, “statutory ambiguity does not necessarily reflect a congressional intent that an agency, as opposed to a court, resolve the resulting interpretive question.”

The majority also rejected the idea that agencies are better positioned than courts to interpret statutes relevant to their expertise, observing that “agencies have no special competence in resolving statutory ambiguities. Courts do.” The majority also said it considered Chevron unworkable because determining whether statutory language is ambiguous was never simple.

As a result of the Supreme Court’s decision, a court will need to interpret statutory language it finds ambiguous without deferring to the agency’s view. However, the Court went out of its way to say that it is not calling into question prior cases that relied on the Chevron framework. Therefore, final decisions based on Chevron are not likely to be reopened. While the decision curtails deference to certain agency interpretations of statutes, the practical implications of the Loper Bright decision, particularly in the areas of environmental, energy and natural recourses regulation, will take time to evolve and may be less than many anticipate.

Division of Corporation Finance Director Statement: The State of Disclosure Review

The SEC released a statement from Division of Corporation Finance Director Erik Gerding on June 24, 2024 reflecting Gerding’s opening remarks and the matters discussed on a panel addressing the Division's Disclosure Review Program during the April 2024 SEC Speaks Conference in Washington, DC. The statement provides a comprehensive overview of recent developments in the Division and observations gleaned from the review of filings. Our blog regarding the statement is linked here and the related Division of Corporation Finance Statement is linked here.

Should you have any questions or need assistance, please contact us.

F. Mark Reuter
513.579.6469
freuter@kmklaw.com

Allison A. Westfall
513.579.6987
awestfall@kmklaw.com

Olivia M. King
513.579.6988
oking@kmklaw.com