2024 Expectations From the SEC: AI, Cybersecurity, ESG
A wide range of topics are covered in the Securities and Exchange Commission’s (“SEC”) 2024 Examination Priorities,1 published late last year. Taking into consideration this year’s priorities, recent rules and a rapidly changing regulatory landscape, our experts discuss what to expect in the following three areas: artificial intelligence (“AI”), cybersecurity and environmental, social and governance (“ESG”).
Artificial Intelligence
Author: Dera Nevin
Overview
As in the past, the Division of Examinations “remains focused on certain services, including automated investment tools, AI, and trading algorithms or platforms, and the risks associated with the use of emerging technologies and alternative sources of data.”2 Examinations of investment advisors and broker-dealers may involve evaluating automated trading and any related conflicts of interest. Furthermore, investment companies — including mutual funds and ETFs — may also continue to prioritize review of investment strategies using algorithmic modelling and alternative data sources.
What It Means
Organizations should understand where and how they are using AI. They must take an inventory of all proposed or current AI systems in use and assess whether any uses violate rules or regulations. They should also consider if any uses present conflicts of interest or potential customer harm and identify any mitigating controls in place to address each assessed risk. It is crucial to develop and periodically review written policies for AI governance and related regulatory risks and assess existing policies on conflicts of interest, disclosures to customers and customer harm around AI. It is also essential to develop and implement testing to understand how AI systems are performing relative to regulatory requirements and established policies.
Where automated decision making or recommendation systems are implemented, organizations should ensure that AI recommendations are “explainable.”3 Guardrails, testing or human oversight of such AI systems may need to be implemented and documented. Furthermore, as the use of alternative sources of data has been an SEC examination priority for some time, organizations should consider inventorying all sources of alternative data and reviewing contracts to ensure that the acquisition and use of such data complies with applicable rules and regulations, including whether data can be shared or used with AI systems. In the same vein, organizations that use investor data within AI systems may need to adopt policies and procedures to ensure compliance with applicable privacy and data protection laws.
Cybersecurity
Authors: Jordan Rae Kelly, Matt Saidel, Sara Sendek
Overview
The SEC notes that “cybersecurity remains a perennial focus area for all registrants.”4 Recent rules requiring a 72-hour disclosure window following a materiality designation and annual disclosures5 of risk mitigation and board governance strategies bring organizational responses and preparedness efforts into the spotlight. The SEC’s enforcement actions6 against Solar Winds and the company’s chief information security officer (“CISO”) indicate that less-than-forthcoming communications disclosure strategies could expose organizations to accusations of securities fraud — particularly with respect to misrepresenting or mischaracterizing the severity of a cybersecurity incident or their level of information security and preparedness.
What It Means
Organizations will likely remain hesitant to publicize at an early stage whether an incident has a significant impact on current or future revenues and it may take time for them to factor in reputation risk and loss of customer or investor trust into their determinations. It is possible that the SEC will continue to interpret poorly considered or excessively risk-averse communications strategies as misrepresentations, meaning that organizations must have effective strategies in place ahead of an incident.
Organizations should waste no time in considering how they will respond to an incident and how holistic strategies should flow from their decisions around filing, as publicly reporting an ongoing incident may significantly alter crisis communications considerations. They should consider how their risk mitigation and governance strategies will be viewed by the public and the media and have plans in place to mitigate negative scrutiny.
ESG
Authors: Miriam Wrobel, Todd Rahn
Overview
Although the SEC adopted its long-anticipated climate disclosure rule7 on March 6, ESG did not appear in its enforcement priorities for 2024. The new climate disclosures affect all publicly traded companies, but the omission of ESG from the SEC’s enforcement priorities this year may indicate a recognition of the effort and time adoption requires, providing a period wherein registrants can focus their energies on preparing updated disclosures. There is also the question of how much information companies will be required to provide, pending active legal challenges to the rule. Yet despite ESG’s absence from the SEC’s enforcement priorities for the first time since it appeared in 2021, demands on registrants to provide such disclosures continue to intensify and this exclusion does not limit the SEC’s ability to review and comment on related issues.
What It Means
The SEC’s new climate disclosure rule has attracted legal and political challenges,8 given the current politicization of ESG. These challenges will test how much climate information the SEC can require from companies under their existing legal authority. However, reporting requirements around ESG are expanding across various jurisdictions, with the regulatory climate around ESG becoming more complex since the SEC first proposed its climate-related disclosures in March 2022. California recently enacted two new laws, SB253 (the Climate Corporate Data Accountability Act) and SB261 (the Climate-Related Financial Risk Act), which require certain climate-related disclosures for companies doing business in the state with revenues of more than $1 billion and $500 million, respectively. The California model might inspire other U.S. states to regulate disclosures. The EU’s Corporate Sustainability Reporting Directive (“CSRD”) has also come into force, requiring companies doing business on the continent to make a broad array of ESG-related disclosures, including on greenhouse gas emissions. Other governments including the UK, India and Australia, are also regulating around ESG and climate-related reporting.
The bottom line? ESG and compliance requirements related to climate-related reporting appear here to stay. Good ESG reporting takes time to do right. No matter how strictly the SEC enforces the climate disclosure rule, reduced in scope as compared to its 2022 predecessor, jurisdictions across the world are requiring more disclosure and most organizations don’t have the luxury of waiting to see which rules will stick. These regulations are diverse enough that they will impact many companies large and small across every industry. In light of this, it will be key to prepare for climate-related reporting notwithstanding the SEC’s or another jurisdiction’s current or anticipated rules. This requires significant effort across a number of disciplines including data availability, internal controls, hiring and training personnel, and delivering performance against disclosed commitments while aligning across geographies to ensure compliance.
Conclusion
The above analysis highlights the importance of carefully examining and understanding the SEC’s priorities, which typically require experience and expertise not resident in most organizations. Even in the case of ESG, which the SEC did not include as a 2024 enforcement priority, it will be key for organizations to prepare for compliance with the new climate disclosure rule and keep a close eye on the actions of regulators in order to anticipate what’s to come. A trusted partner can help with such analysis. With so many aspects of a business’ operations proving of interest to the SEC and a rapidly changing legal, technological and political landscape that is growing more complex by the day, seeking the knowledge of seasoned experts will help organizations avoid regulatory surprises.
