In this blog feature, our in-house readers share tips, anecdotes, and thoughts about topics that arise in their daily practice. This particular batch of thoughts is about disclosure controls, particularly in the context of the climate and cybersecurity disclosure rules that could be coming soon from the SEC (see Part 1 of this blog series):
- “We have refreshed the design of our cybersecurity governance and internal/external reporting framework to take into account the heightened reporting requirements in the pending rules. We’re not there yet on climate, though.
I was surprised how challenging some of the cybersecurity governance modifications were because cybersecurity has been a concern for quite some time and processes have been in place for at least a decade. It still requires work to ensure everything is accounted for in disclosure controls.”
- “The SEC’s new climate rules feel like déjà vu. Like 2002 all over again when Sarbanes-Oxley put COSO on the map for the typical disclosure lawyer. I’m too old for this stuff.”
- “Data and systems to support the data to ensure we’re receiving accurate information and that they have a reliable source is our biggest challenge in anticipating the SEC’s climate rules and how they will impact disclosure controls. It’s an interesting exercise as it makes you rethink a lot of your existing processes and how they might dovetail with all these new ones.”
- “The recent SEC action that resulted in a company paying $35 million to settle charges that it failed to maintain adequate disclosure controls is an eye-opener. That case was about a lack of controls to review employee complaints about workplace misconduct. It also concerned impeding former employees from talking to the SEC about possible securities law violations by using separation agreements that required those former employees to notify the company if a government agency contacted them.
That company had the fairly common risk factor about the ability to attract and retain employees in its SEC filings. And the company’s failure to percolate information about the nature and volume of employee complaints to the company’s disclosure committee so that the committee might modify the risk factor was deemed inadequate by the SEC’s Enforcement Division. So was the notification clause in the separation agreement that departing employees signed, even though there were no instances of a former employee actually being told not to talk to the SEC. Scary stuff.”
- “The composition of disclosure committees can be tricky. Historically, the most consistent source of headaches has been organizational changes affecting directors and senior leadership that might have Item 5.02 disclosure consequences, or that might affect which individuals should be deemed an ‘Officer.’ HR organizations tend not to consider disclosure obligations when these topics first arise, and they tend to have a hyper-developed culture of confidentiality.
Another challenge is presented by disclosure committees with executive leaders as members. They tend not to behave as working committees might, and perfunctory meetings tend to be scheduled rather late in the quarterly disclosure process.”