In 2022, public companies witnessed a new kind of corporate governance activism. New rules and regulations from the Securities and Exchange Commission (the SEC) use the lever of mandated disclosure to push for corporate governance actions, and in some cases what amounts to reforms. The SEC’s broad foray into governance represents an expansion of historically more limited SEC rules in the governance space, mostly focused on audit committee and auditor independence and more general disclosure of board structures and oversight. Many commentors note that investors were well able to push companies historically for disclosure on governance matters and that the proposed SEC disclosure mandates may impinge on decisions and policies that boards should be able to define and/or compel board structure and composition to move in directions that are not best suited to the effective functioning of the board.

The SEC rules have long mandated disclosure related to board organization and description of committee responsibilities. Until recently, rulemaking spurred by the Sarbanes-Oxley Act of 2002 (the SOX) had been the most specific of this type of governance mandate, with requirements that members of a company’s audit committee be financially literate and that companies disclose whether audit committee members include a “financial expert” (and if not, why not). Recent similar “disclose or explain” mandates have included explanation of whether public companies have policies prohibiting officers and directors from hedging against company stock.[1] In these cases, the disclose or explain rules often push companies to adopt what the SEC rule makers view as the desired governance action, rather than be forced to explain why they do not. While not an outright prohibition on taking the “or explain” route, conformity to peers and the risk that investors and proxy advisory firms may question those companies that take an outlier “explain” approach pushes companies toward the preferred outcome for regulators.

While the use of disclose or explain rules has been mostly limited to relatively cabined requirements outside of the audit committee context in recent memory, at the end of 2021 and throughout 2022 the SEC significantly increased rulemaking that, if fully adopted, would represent a significant push by the SEC to regulate corporate boards, their composition and their areas of responsibility and focus. The SEC’s regulatory agenda for 2023 hints at additional governance-related rules that would continue this trend.

10b5-1 Trading Plans

Starting in late 2021, the SEC’s proposed rulemaking on the use of Rule 10b5-1 trading plans by companies, directors and executive officers kicked off the regulation of what had previously been the domain of market practice-based corporate governance.[2] The proposed rules would have gone so far as to impose mandated blackout periods for corporate use of the Rule 10b5-1 safe harbor. In a significant addendum to the rule’s prior requirement that trading plans be adopted only when a participant was not in possession of material non-public information, the proposed rule also regulated the exact length of blackout periods and what modifications and terminations would be permitted. The proposed rule also required disclosure of insider trading policies and specific trading plans by insiders, a significant expansion of the information currently required.

The SEC finalized the changes to Rule 10b5-1 trading plans in December 2022, and while corporate plans were excluded from the rulemaking on the new blackout periods, the required disclosure of material terms of insiders’ plans and the requirement for companies to file their insider trading policies (or explain why they don’t have one) are both significant examples of how the SEC is mandating its view of good corporate behavior in a prescriptive manner, with few exceptions.

Whereas companies previously could tailor plans and policies to accommodate a range of procedures within the broader restrictions of the rule, the SEC has now mandated specific timing and policies around plans and suggested areas for insider trading policy coverage, implicitly compelling specific governance practices. Companies and insiders can always trade outside the Rule 10b5-1 safe harbor while not in possession of material non-public information, but given the prevalence of the plans and the specific financial planning needs insiders often have with respect to future sales, coupled with enforcement risk, the new rules will likely result in a shift to compliance with the new rule for insider 10b5-1 plans and, over time, greater conformity across company insider trading policies.

Whether the disclosure of insider trading plans and related policies was high on investors’ priorities is debatable – investors have successfully advocated for disclosure in other governance areas, including board and employee diversity and cybersecurity and board oversight; however, the SEC clearly believes that insider trading plans are a focus for investors’ review. With respect to the explanation of the exhibit for insider trading policies, the SEC goes so far as to say “Specific disclosures concerning registrants’ insider trading policies and procedures would benefit investors by enabling them to assess registrants’ corporate governance practices and to evaluate the extent to which those policies and procedures protect investors from the misuse of material nonpublic information.”[3]

Cybersecurity and Climate

The governance rules began to quickly stack up with the March 2022 cybersecurity proposal and the climate proposal, each of which mandates disclosure of board expertise, board structure and board risk analysis, and goes well beyond disclosure requirements.

The cybersecurity proposal, among other changes, would expand Regulation S-K to require both domestic and foreign private issuers to disclose instances of material cybersecurity incidents, and would amend Forms 10-K and 20-F to require annual disclosure regarding a company’s procedures for identifying and managing cybersecurity risks, including board oversight of cybersecurity risks and management’s role, and relevant expertise, in assessing and managing cybersecurity risks and implementing related policies and procedures and identification of any director that qualifies as having “cybersecurity expertise.”[4] The SEC acknowledges certain pitfalls of implementing additional expertise requirements, such as the availability of directors with such expertise and related liability concerns and has tried to address those concerns in its proposal, ^[5] but even if directors that qualify having cybersecurity expertise are available, being named as an expert could still lead to a decrease in the willingness of qualified directors to serve in those roles.

Since its publication in March 2022, the climate proposal has been the source of significant commentor attention. The SEC reiterated its perceived need for involvement in climate disclosure, saying “Investors need information about climate-related risks—and it is squarely within the Commission’s authority to require such disclosure in the public interest and for the protection of investors—because climate-related risks have present financial consequences that investors in public companies consider in making investment and voting decisions.”[6]

The climate proposal covers, among other things, disclosure requirements for the notes to companies’ audited financial statements and disclosure of greenhouse gas emissions (along with a third-party attestation report), and like the cybersecurity proposal, significant disclosure related to governance. The rule would require disclosure under Regulation S-K on climate-related governance practices, risk management of a company’s climate-related activities and the impacts of those activities, and any climate targets or goals. With respect to a company’s climate-related governance practices, companies would be required to disclose whether any board member has expertise in climate-related risks, in addition to the board’s role in oversight and management’s role in assessment and management of climate-related risks.[7] Interestingly, there was significant overlap between the cybersecurity proposal and the climate proposal in terms of the specific disclosure requirements, perhaps indicating a new SEC rulemaking template for governance disclosures.

Market Reaction

In comment letters on the proposals, public companies and other commentors raised concern as to the level of detail the new rules would require as to the workings of public company boards, and that disclosure mandates will cause a race to load up boards with subject matter experts, regardless of whether the board as a whole deems it the best approach for the governance of the company. Concerns raised include whether boards will grow too large and unwieldly in order to accommodate all the skill sets and expertise necessary to satisfy investors looking to tick boxes in governance checklists based on SEC disclosure rules and whether non-experts will unduly defer or feel constrained in their exercise of fiduciary duties and oversight obligations by the presence of rules-defined “experts.” Where the SOX audit committee expertise serves a specific financial statement oversight function, it is not clear that cyber or climate experts on the board are necessary to augment the insight and expertise of other board members or to effectively manage and oversee management’s efforts and expertise in these areas.

Is SEC Rulemaking Necessary?

There is a strong case for the existing effectiveness of market practice in corporate governance. Investors have been pushing companies for disclosure of cybersecurity oversight, climate strategy and board diversity with significant effect over the last few years without the SEC mandating disclosure. The SEC points to the need for consistent disclosure,[8] but rulemaking regularly leads to rote boilerplate disclosure intended to meet the technical requirements of the rule and incur as little liability risk as possible and does not necessarily lead to better, more probing descriptions than are provided by companies responding to the demands of their shareholders.[9]

Similarly, the stock exchanges, which have for years been the bodies dictating independence requirements and definitions for directors, have entered the arena with respect to board diversity. NASDAQ introduced a disclose or explain requirement that companies disclose a board diversity matrix, and companies must explain if they do not have board members with certain diversity characteristics. While the NYSE has not put in place a similar rule, many NYSE companies are including a board diversity matrix in order to meet their peers’ disclosure in this area and satisfy investor demands. The SEC has added “board diversity” to its regulatory agenda for the second half of 2023, but in light of existing disclosure, the NASDAQ rule and investor-led insight published in SEC-filed reports or on company websites, it seems any action by the SEC now would only codify what the market is already doing for disclosure and would most likely unnecessarily tie companies to extensive sets of disclosure rules that push companies into strict lanes of behavior and disclosure, instead of allowing for adaptability to specific company governance needs.

The cybersecurity and climate rules are widely expected to be adopted in the first half of 2023. While the proposed rules do not require boards to include directors with specific expertise, if adopted as they were proposed, many companies will feel strongly compelled by the disclose or explain mandates to include directors with expertise in these areas or fit existing director expertise into these buckets in order to meet peer company disclosure. Even if the rules are not finalized with the same level of detail in which they were proposed, the SEC has made clear its intention to step into the realm of governance activists in a way previously unseen. It is not clear that there is a strong investor driven regulatory mandate for these disclosures since investors have not been shy about asking for, and getting, the governance disclosure and engagement they want. The SEC has faced growing calls from Republican politicians to stop regulating ESG factors and a new Republican-led House of Representatives has promised significant oversight hearings.[10]

Key Takeaway

We should expect boards to have to grapple with multiple governance-related disclosure mandates in 2023. It will be important to consider what skills and experience sets will best serve a board’s strategy and oversight needs and how boards can best organize themselves to address the coming disclosure mandates.[11] It is important to remember that even in disclose or explain mandates, the governance regimes are not required and that boards should strongly consider what is the right approach for their board, how they fulfill their oversight mandate and how they consider risk and their company’s long-term strategy. SEC disclosure rules will force companies to think about the right structure and risks related to hot button issues, but ultimately it should remain up to the board to decide the most effective governance structures and policies, and maintain the flexibility it needs in order to fulfill its oversight duties.

ENDNOTES

^[1]  See our January 2019 alert memo on this topic for more information, available here.

^[2]  See our December 2021 alert memo on this topic for more information, available here.

^[3]  SEC Release No. 33-11138, Final Rule: Insider Trading Arrangements and Related Disclosures, available here. The SEC adopting release makes a similar argument that description of insider trading policies, could improve investor confidence, although again investors have not broadly been requesting this information through engagement with companies. “While not every individual component of an insider trading policy is necessarily material on its own, together, a comprehensive description of an insider trading policy can help investors to assess the thoroughness and seriousness with which the issuer addresses the prohibition of trading on the basis of material nonpublic information by its officers, directors and employees. More detailed disclosure about these policies and procedures could therefore improve investor confidence, and in turn, potentially contribute to market liquidity and capital formation.”

^[4]  See our April alert memo on this topic for more information, available here.

^[5]  SEC Release No. 33-11038, “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” (March 9, 2022), available here. “Further, if many registrants move to add a board member or staff to their management team with cybersecurity expertise, or a chief information security officer at the same time, the costs to registrants associated with adding such individuals may increase if demand for cybersecurity expertise increases. This is especially true to the extent that certain relevant certifications or degrees are seen as important designations of cybersecurity expertise and there are a limited pool of individuals holding such certifications.” In addition, the proposal notes that, like audit committee financial experts, a director with cybersecurity expertise would not be deemed an “expert” for purpose of Section 11 of the Securities Act of 1933, as amended (which designation creates additional liability) and that the disclosure of expertise “would not impose on such person any duties, obligations, or liability that are greater than the duties, obligations, and lability imposed on such person as a member of the board of directors in the absence of such designation or identification.”

^[6]  SEC Release No. 33-11042, “The Enhancement and Standardization of Climate-Related Disclosures for Investors” (March 21, 2022), available here.

^[7]  See our April alert memos on this topic for more information, available here.

^[8]  Supra notes 5, 6. Both the climate and cybersecurity proposals repeatedly highlight the need for consistency in disclosure. “The disclosure of this information would provide consistent, comparable, and reliable—and therefore decision-useful—information to investors to enable them to make informed judgments about the impact of climate-related risks on current and potential investment.” “Consistent, comparable, and decision-useful disclosures regarding a registrant’s cybersecurity risk management, strategy, and governance practices, as well as a registrant’s response to material cybersecurity incidents, would allow investors to understand such risks and incidents, evaluate a registrant’s risk management and governance practices regarding those risks, and better inform their investment and voting decisions.”

^[9]  See our September alert memo on this topic for more information, available here.

^[10] See Letter to SEC on ESG Rule, available here.

^[11] For further discussion, see Prepared for Climate? A Director’s Readiness Guide and Practical Steps for Increased Board Effectiveness.

This post comes to us from Cleary Gottlieb Steen & Hamilton LLP. It is based on the firm’s memorandum, “Turning a Corner on Corporate Governance: The SEC’s Disclosure Agenda,” dated January 17, 2023, and available here.