Welcome to new board oversight duties… It is one of the great things about board work… it is ever-changing and evolving. Every year there is a shift in corporate governance standards in an effort to evolve along with the rapidly changing business landscape and stay aligned with the shifting priorities of investors and regulators.
The SEC has new proposed regulations for next year.
Here is what I have learned:
On October 26th, 2022 the U.S. Securities and Exchange Commission (SEC) adopted a final rule that requires publicly listed companies to adopt a compensation clawback policy.
Congress mandated the compensation clawback rule in 2010; this rule is the last of the executive compensation regulations required by the Dodd-Frank Act to be finalized by the SEC.
The SEC is calling for the national securities exchanges (e.g. Nasdaq, NYSE) to require the companies listed on their exchanges to enact a clawback policy. The stock exchanges will add clawback policy requirements to their corporate governance listing standards.
Companies listed on exchanges will have to:
– Adopt / comply with a clawback policy
– Make the required disclosures relating to the policy
The rule states that if the company is required to prepare a financial restatement, it must recover the portion of incentive compensation paid to its current or former executives that was based on the misstated financial measure. The policy applies to compensation received during the three most recently completed fiscal years before the date the company issued the restatement.
“The rule applies to both corrections of material errors made by restating prior period financial statements as well as corrections of non-material errors that would result in a misstatement if left uncorrected.”
Companies will have to file their clawback policies as an exhibit to their annual reports filed with the SEC.
Cooley states: “Issuers will have up to one year plus 60 days following publication of the new rule in the Federal Register to adopt compliant policies, depending on when exchange listing standards go into effect. The new rule becomes effective 60 days after publication in the Federal Register. Issuers will be required to adopt policies no later than 60 days after the effective date of the applicable listing standards, and they will be required to comply with the disclosure requirements in proxy and information statements and annual reports filed on or after the date such policies are adopted. Smaller reporting companies, emerging growth companies and foreign private issuers are NOT exempt.”
It is important to note that the new rule does not include a trigger based on misconduct unrelated to financial restatements, although many companies' current policies have such a trigger.
I suggest that boards may want to begin educating and updating management and directors about the new requirements. Look at your current clawback policy to begin to see what changes will need to be made. Be sure the policy is compliant with the new rule requirements. Companies should also review and amend existing employment agreements.
EU’s New ESG Reporting
New environmental, social, and governance (ESG) reporting requirements called the Corporate Sustainability Reporting Directive (CSRD) have been approved in the European Union. Under the draft CSRD, an initial set of European Sustainability Reporting Standards (ESRS) must be adopted by June 30, 2023.
These new EU ESG reporting requirements will dramatically impact the nonfinancial reporting landscape. A wide range of companies, including both public and private non-EU companies that meet the new thresholds, will have to comply with mandatory nonfinancial reporting for the first time.
For US issuers, these new EU rules result in mandatory ESG reporting that is much broader than the ESG topics covered under the current (and the proposed future) SEC rules.
Take a look at this table from Cooley highlighting the key features of the EU and SEC reporting standards.
These new EU requirements cover a much wider set of topics than what is required in US ESG reporting.
Additionally, US companies must prepare to adopt a “double materiality” approach that includes an impact standard very different from the SEC’s investor-focused framework.
Many companies have already begun voluntarily reporting on ESG…for many companies ESG reporting has been a marketing initiative. Perhaps it is time to bring in legal and financial teams to advise and review ESG disclosures as reporting becomes more mandated across different geographies and industries.
SEC Cybersecurity / Governance Requirements
Under existing reporting frameworks for public companies, there have been no disclosure requirements that explicitly address cybersecurity.
In March 2022 the SEC announced proposed rules and opened a comment period, which ended in May 2022. Final action on the rules is expected to be announced in April 2023.
The proposed rules require a company to disclose within four business days after the company has determined that it has experienced “a material cybersecurity incident”; the clock starts at that determination, not at the discovery of the incident. The SEC notes that it expects companies “to be diligent in making a materiality determination in as prompt a manner as feasible.”
In reporting a material cybersecurity incident, a company would be required to disclose (to the extent known at the time of filing):
This raises some concerns. For example, if there is a material cyber incident, the company would have only four business days in which to publicly disclose it once it has determined that the incident was indeed material. Determining materiality involves both quantitative and qualitative evaluations, and that process needs to be created. Further, the proposed regulations provide that any prior incident that does not rise to the level of materiality may subsequently be deemed material when aggregated with other subsequent and similar cyber incidents. The process and protocols for this aggregation will require very thorough Board oversight and input.
Under the proposed rules companies will be required to describe the board’s oversight of cybersecurity risk. Companies will have to disclose the following:
Although the proposed rules and regulations have not been completed yet, companies can expect these requirements to be finalized within the next 6 months and should begin preparing to comply.
Another noteworthy factor is that the proposed regulations will affect small companies as well as large multinationals. Understandably so, given that virtually all companies are connected by the internet. Most supply chains include small dealers, distributors and manufacturers. The proposed regulations do not exclude companies based on size. We all recall hearing about how breaches of larger companies often originate with the less vigilant or resource-challenged smaller companies in their supply chain or their dealer and distributor network.
The new regulations pose questions to the board such as: Does the board have a cyber expert? What are their credentials and how was their expertise determined? How does the Board execute its oversight of cyber-risks? Does the company consider cybersecurity risks in its business strategy, financial planning, and capital allocation processes?
The proposed regulation does not mandate which Board Committee should own cyber-risk in its remit; that remains a topic for Boards to determine. There are pros and cons to consider. Some observe that the audit committee may already be overburdened, and question whether it has the time and expertise to oversee ever-growing cyber risks. Additionally, audit committees already must observe heightened financial reporting deadlines, so that is another consideration to be weighed by the Board.
Companies are also being asked, do you have a Chief Information Security Officer? Where does that person report? What are their credentials? Embedded in these questions is a subtle determination of whether a CISO should report independently of the IT organization, perhaps analogous to the way internal audit functions generally don’t report within the finance organization.
It’s probably a very opportune time to have an outside third-party cyber penetration testing firm review the company’s current systems.
It might also be a good time to look at building a relationship with a cyber Managed Services Provider (MSP) who can do external monitoring to augment what you currently have in house.
Companies are well served to begin reviewing their existing cybersecurity policies, procedures, controls, and response measures. Companies may also want to begin reviewing their current governance structures / frameworks and whether any changes need to be made to the board / committees.
Another issue that speaks to the Board’s oversight is, do you have adequate insurance and planning in the event of a cyber breach? This raises the question of the adequacy of the company’s cyber insurance, and whether the company is financially modeling cyber-risks based on varying probabilities, from an ordinary event all the way to “Black Swan” scenarios.
These are specific proposed regulations that are complicated, if not concerning.
There are also inferred questions: How cyber-ready is the board? Do you have external expert briefings for the board? External experts doing penetration testing? What kind of internal training are you overseeing within the company? Do the Directors have external courses and credentials they are expected to complete in order to stay current?
Boards will be well served to enhance their disclosures and add to the director biographies in their proxies which directors are their cyber experts.
Generally, beefing up the director qualifications / descriptions is a big opportunity. I’ve recently met in person with several large institutional investors. Most companies have 10-12 investors who comprise about 70% of their ownership. These big passive institutions have separate governance groups who are actively seeking more disclosure. Sharing more about your individual directors’ expertise / perspective will be very positive in their reviews. Use your proxy to do more storytelling in “non-lawyered” plain speak.
As we plan for 2023, our boards’ oversight duties and the expectations from regulators are more demanding than ever. Boards need to be sure we keep our priority and our focus on the business.
The additional regulatory workload should as much as possible live in the committees.
I suggest separate board calls; for example, do a “director education” board call with a pre-read followed by a presentation from your outside law firm and accounting firm. Ask them each to prepare a crisp, brief presentation on the new SEC disclosures. Guide them to update your board.
We have a huge amount of new regulatory oversight to absorb and implement in the year ahead. We must plan for and invest the time.
But most importantly, the board must not allow itself to be overwhelmed by these processes and compliance matters. Our true job is to stay focused on our company’s business and be stewards for the health and growth of our company.