SEF Central 2024: Cybersecurity, Climate, Private Funds, ESG, SPACs and More - The SEC's Active Rulemaking Agenda
A transcript from last week’s Securities Enforcement Forum Central 2024 panel on the SEC’s rulemaking agenda follows. The panelists were:
Alina Fortson — Senior Counsel, McDonald's Corporation
Gary Kleinrichert — Managing Director, Secretariat
Scott Mascianica — Partner, Hilgers Graben
William Ridgway — Partner, Skadden
David Woodcock — Partner, Gibson Dunn
You can find the video at Docket Media’s YouTube channel here, and the full conference agenda here.
00:00 - 00:14
Bruce Carton: Welcome back. For the introductions this afternoon, Danette Edwards from Katten is going to handle the introductions. She was kind enough to be our program chair this year, helped to organize some things, and she'll be handling the intro. So, Danette.
00:27 – 01:05
Danette Edwards: Thank you, Bruce. I have big shoes to fill. I'm excited to do the introductions this afternoon. We have great esteemed panelists. The first one I'll be introducing is the Cybersecurity, Climate, Private Funds, ESG, SPACs and More panel. This panel will be moderated by Gary Kleinrichert. Gary is a managing director for Secretariat where he serves as a forensic accountant and testifying expert. Gary has worked on several matters on behalf of the DOJ and has served as a neutral arbitrator and is a former member of the ACPA Nationals task force. Next we have Alina Fortson. Alina is a senior counsel for . . .
01:05 - 01:46
Danette Edwards: ESG on the global legal and compliance team at McDonald's Corporation. Throughout her career, Alina has held a number of environmental and regulatory compliance-focused roles at law firms and multinational companies. Next we have Scott Mascianica. Scott is a partner at the law firm of Hilgers Graben, I hope I got that right. Scott served for nearly a decade at the SEC in various investigative and supervisory capacities, including as an assistant regional director in the Fort Worth office, and as an assistant director for the enforcement division's nationwide asset management unit. Next we have Bill Ridgway. Bill is a partner at . . .
01:46 - 02:23
Danette Edwards: Skadden in Chicago. Prior to joining Skadden, Bill was an AUSA in the Southern District, I'm sorry, in the Northern District of Illinois, where he served as the Deputy Chief of the National Security and Cybercrime Section. And last but not least, we have David Woodcock. David is a partner at Gibson Dunn in Dallas and Washington, DC. Prior to joining Gibson, David served in-house as an assistant general counsel for Exxon Mobil Corporation, where, among other things, he led all aspects of ESG, sustainability, and governance. David previously served as director of the SEC's Fort Worth Regional Office. . . .
02:26 - 03:12
Gary Kleinrichert: Thank you very much. First of all, I assume you can all hear me OK. And thanks for joining us after lunch as we get into the deeper area of the afternoon. We have a great panel of experts. I'm excited to talk about the exciting topic of SEC rulemaking. First, let me set the stage on kind of the status of SEC rulemaking a little bit with a few stats. Under Chairman Gensler, the level of proposed and finalized new rules is up around 50% from the prior administration and up over 20% from the administration before that. Just some . . .
03:12 - 03:59
Gary Kleinrichert: of the key areas where there have been proposed and finalized rules are in cryptocurrency, digital assets and related trading platforms; disclosure requirements for ESG factors, particularly climate-related risks; proposed increased reporting and transparency requirements for private funds, including hedge funds and private equity; detailed disclosures regarding cybersecurity risk, incident and governance policies; increased transparency in short selling activities; updating of rules around proxy voting and corporate governance; and disclosures related to human capital management, including information on company workforce, employee turnover, training programs and diversity. And those are just some of the proposed rules under the . . .
03:59 - 04:33
Gary Kleinrichert: Gensler administration. The Commission has faced resistance in some areas; however, the SEC has continued to push for reforms in modernizing financial markets and enhancing investor protections. I want to start with a question of, as we are diving into some of these areas a little bit more, we're going to dive into many of those areas a little bit more, but how does the increase in rulemaking overall here in the United States compare to what we are seeing around the world in other countries and other regions? Alina?
04:34 - 05:08
Alina Fortson: Thank you for the question. Assuming everyone can also hear me OK? Good? OK. So before I start, I do want to say that I'm happy to be here to share some of my views and observations with all of you, but they are my own and not those of my employer. So I think what is interesting about this moment in time and also a little bit challenging for some is what we're seeing despite the active rulemaking agenda that we just talked about, the SEC and the rules coming into effect here at the federal level are a little . . .
05:08 - 05:42
Alina Fortson: bit behind what we're seeing in other jurisdictions. So whether it be states in the US or the adoption of different ESG disclosure laws around the world, those tend to be moving at a pace of implementation that we are not seeing for the SEC rules, putting a lot of US-based multinational companies in a difficult position of moving forward with ESG disclosures that may eventually overlap with some of what the SEC may require. So knowing that those rules are on the horizon but having to move forward with other disclosures in the meantime, whether that be under CSRD, for . . .
05:42 - 06:07
Alina Fortson: example, or the ISSB rules that we're seeing a lot of jurisdictions, Australia and others adopt, or some of the state level jurisdictions like in California. So it's an interesting time to see how that plays out in terms of what companies put forward under different regulations, knowing there may be other definitions or regulatory schemes coming forward on the horizon. Interesting.
06:08 - 06:12
Gary Kleinrichert: Scott, can you speak to finalized cybersecurity rules and their intended impact?
06:14 - 06:52
Scott Mascianica: I would be honored, Gary, truly. You said at the outset the exciting aspect of SEC rulemaking and I think many years that would actually, there might be met with some groans, but I think over the last few years there's certainly this has been nothing but exciting or at least active for maybe lack of a better word. And the SEC's finalized cybersecurity rules related to public companies is just one of many. We've actually already heard these rules referenced, I think, on three panels already, so I don't want to dig into too much detail and retread old ground . . .
06:53 - 07:33
Scott Mascianica: and Bill is really the expert on these, but I just want to highlight a couple of aspects of the rule that jump out to me. The first is the mandatory disclosure obligation now for public companies to file on Form 8-K four days after the discovery of a material cyber incident. Now, not four days after the incident actually occurred, but four days after the determination that the incident itself is in fact material. So that's the first. The second is that unlike the proposed rule, which actually suggested that public companies would need to have mandatory follow-up . . .
07:33 - 08:21
Scott Mascianica: obligations on their periodic reports thereafter, quarterly and annual reports following a cyber incident disclosure, the Commission did not include those obligations in the final rule. However, given the fact that the disclosures that are now required via Form 8-K are related to a material event, query whether or not public companies will continually have to address cyber incidents going forward after they've disclosed on Form 8-K. The third piece relates to the law enforcement exception. So when the Commission proposed the initial cybersecurity rules, the Commission did not propose a law enforcement exception, which is really at odds with what . . .
08:21 - 09:05
Scott Mascianica: you see at a lot of state-level regimes related to breach notifications. In the final version of the rule, the Commission allowed for an exception if the attorney general determines that there's a national security issue at interest or national security issue that could be disclosed. There can be a 30-day delay in notification. Now, query how practical that is for companies to obtain. DOJ has issued guidance on that front. It came out in December of last year. But those are just a few of the many aspects to the cybersecurity rule. Bill, I don't know if you want to chime in on those.
09:06 - 09:34
Bill Ridgway: Yeah, sure. As kind of the cyber lawyer in the room, I never would imagine that the SEC would be the regulator that I deal the most with in my day-to-day work. But indeed, these rules and indeed that regulator have been top of mind for a lot of cyber practitioners. And so how does this actually work? How practically are we seeing it? I deal with a lot of incidents. I work with my SEC reporting colleagues. And you could probably see by the flurry of 8-Ks that are coming out, companies are struggling a bit with figuring out . . .
09:34 - 10:03
Bill Ridgway: how to handle this. One is just the sheer timing, right? Most cyber events, we don't really know what's happened in those early days. And of course, it's not four days from the incident, it's four days from when you identify it, but there's a sense that you're feeling under the gun, and every day that you're not making that materiality assessment, you're gonna be second-guessed by the SEC, because they sometimes do come in and second-guess those decisions. And so the timing pressure, I think, is immense. There's a lot of questions around what sort of details do we include . . .
10:03 - 10:31
Bill Ridgway: here. We've seen companies come out and say, you know, there's a little bit of speculation that goes on almost because there's uncertain facts about a case that are disclosed and then have to be corrected. We've seen companies correct the number of impacted individuals. We've seen companies correct, they first said it was a nation state actor, now they've discovered it was somebody who's living with their mom. Those types of things happen in cyber events, and so it's creating a lot of challenges with how much detail do you include, and if you don't include it, are you gonna . . .
10:31 - 10:57
Bill Ridgway: be judged for having omitted it? So I do think there's, you know, we're getting a little bit more close to a steady state. You're starting to see some patterns here, but you're also seeing the SEC push back. Because one of the things that a lot of clever SEC lawyers did, well, we really don't know, it's a close call, so we're gonna do this kind of provisional. We're not really sure yet whether it has been material yet and do that as a 1.05. And then we saw the SEC come out and say, no, no, you're watering down . . .
10:57 - 11:23
Bill Ridgway: the standard. We don't want you to do it in that fashion. But it does, I do still think it raises a serious question about how do we navigate these issues, and we'll talk a little bit later about some procedures and some tips for how to, the things that we see, at least the SEC asking of our clients in the wake of those incidents so that you can kind of have a good track record of having done this in a diligent manner, because it is challenging. One of the points that I do think is interesting on the . . .
11:23 - 11:56
Bill Ridgway: cyber rules, there's also these rules related to disclosure about cyber risk management. Many of you probably have been involved in helping companies draft those or have been involved in that. And it is, we've seen now, we've seen comment letters come in, and it's very, the SEC's been very much in the weeds. We just received one recently where they said, you said your CISO had extensive experience. Can you please describe the number of years of experience he has had in the sector? Literally, that is the level of detail we're seeing. So there is a really high expectation when . . .
11:56 - 12:15
Bill Ridgway: it comes to the type of information that companies are disclosing about their cyber risk and how it's managed and governed. And I do think, as you're probably all thinking, at least as lawyers in the room, concerns about whether that could be second guessed, either in a private securities action or by the SEC. So it's a tough spot, I think, for public companies to be in.
12:16 - 12:53
David Woodcock: I would add, I don't think it's the second guessing piece. All of the rules we're going to talk about today and most of the rules the SEC has come out with, some of them say explicitly their goal is to increase the risk of liability. So in some ways it is not like are they going to second guess, that is what they're there for, and that's my takeaway before the meeting's over or the session's over, but the takeaway is all of these rules that we're gonna talk about are gonna live with most of us enforcement lawyers for a long time, and they're gonna be such ground for second guessing exactly the most minutiae type things. So, anyway.
12:53 - 13:09
Gary Kleinrichert: Well, we can't talk about rules without talking a little bit about enforcement. So Scott, I might jump ahead a little bit about enforcement in the cyberspace. And can you discuss how the SEC's enforcement actions such as SolarWinds reflect their approach to compliance?
13:10 - 13:46
Scott Mascianica: So before addressing what it will look like kind of going forward, I think we need to go back and look at how the Commission has enforced cybersecurity historically. And really, the easy way to break it down is to break it down between regulated entities, investment advisors, broker dealers, and then public companies. So we're talking about public companies, really, before 2021, this is easy. Enforcement actions were the Yahoo case in 2018 and we're done. That was it. You have the 21A report that the Commission issued on business email compromises that provided guidance to the market on things . . .
13:46 - 14:26
Scott Mascianica: that the Commission at that time under Chair Clayton viewed as important. It was really the first time that we actually saw any reference to 13(b)(2)(B), the internal accounting controls that we've heard referenced being suggested as a possibility to be one of the charges that could show up in a cybersecurity incident enforcement action. But there was not a lot until 2021. And then in 2021, with First American and Pearson, we see the Commission start to use the disclosure controls and procedures or DCP provisions of the Exchange Act for enforcement actions. The Commission then graduates with Blackbaud
14:27 - 15:06
Scott Mascianica: to negligence-based enforcement activity, anti-fraud charges, and then we see SolarWinds, where we have the first enforcement action alleging scienter fraud, also the first enforcement action involving a public company individual for the CISO or at the time of the filing. And then the Commission's filed case or settled case against R.R. Donnelley. Our first panel today, and I can't remember who did it, but it was like such a flex. They went through that SolarWinds opinion like off their memory for about 10 minutes. And so I'm not going to, I can't do any better than that. But . . .
15:06 - 15:48
Scott Mascianica: what I think is one thing that is really interesting within the cybersecurity space and it really brings it full circle is the use of the internal accounting controls charges in the SolarWinds and in the R.R. Donnelley case. And I believe two panels ago somebody mentioned that the Commission has typically expanded jurisdiction via settled orders. And I know that's just a brilliant observation. If you're in the room, like really, job well done, because I completely agree with that. And I think the concern here is that the Commission is attempting to use the internal accounting controls provisions in a cyber . . .
15:48 - 16:29
Scott Mascianica: security context, really when any cybersecurity incident, any breach could arguably be viewed as accessing company assets without authorization, which is one of those internal accounting controls prongs. So again, if we're just appreciating that cases that are settled orders, how the sausage gets made, there's specifics, there's details that we don't have access to, but just looking at the face of the order, that's a concerning thing, I think, for public companies is whether or not this is a position the Commission will take going forward, that every time that the company that is a victim of a cybersecurity . . .
16:29 - 16:54
Scott Mascianica: breach has somehow now walked itself into being, violating the internal accounting controls provisions. Hopefully that's not the case, hopefully reason prevails, but again, we only have little breadcrumbs to go off of here. So, you know, again, that's a 100,000 foot overview of what cybersecurity enforcement has looked like on the public company space with, you know, at least one nugget that's jumped out to me recently.
16:54 - 16:56
Gary Kleinrichert: Bill, do you have anything to add to that?
16:56 - 17:25
Bill Ridgway: Yeah, I mean, I do think that the SolarWinds may not be the last word, and I know at least the SEC is of the view that that was incorrectly decided and they're continuing to press internal accounting controls, theories in investigations, so we shouldn't over-read the decision to think you're safe. And I do think there's a lot more thinking about the way the SEC is using things like a security statement, which really ended up being one of the things that was the hook that really got the CISO in trouble in terms of how putting out statements . . .
17:25 - 17:49
Bill Ridgway: about security, that's a lot of things a lot of tech companies do, a lot of businesses do, and really being mindful about the ways that what's being said and what the CISO is doing and maybe even the CISO is doing their job properly by saying, hey, we have these vulnerabilities, we need to work on them. Those are the types of statements, and fortunately, that we're going to get used against the company in the wake of an incident. So I think this is an important part of the chapter, but it's not the end of the story when . . .
17:49 - 17:51
Bill Ridgway: it comes to the internal accounting controls.
17:51 - 18:36
Scott Mascianica: Yeah, and one other thing, Gary, just in kind of looking backwards, in the first enforcement action that the Commission filed in that Yahoo case in 2018, in the press release, the enforcement director at that time, Steve Peikin, there's a quote in that release that says we are not going to second guess good faith business judgment concerning cybersecurity disclosures. And so if we look at what the position was in 2018 to where we are now in this steady progression and elevation in cybersecurity enforcement activity. And then to David's point, now we're going to have all of these rules that at some point are going to be enforced. I think we're just looking at the beginning of what is going to be a lot of activity over the next 5-10 years.
18:36 - 19:05
David Woodcock: I think if I can say something about the accounting rules, I went back to 1981 there was a statement by the Commission which supposed to bind says it this binds the Commission, this is a statement that we all agree with. And it was about the accounting provisions of the FCPA, which is what we're talking about now, the books and records, internal controls. And the Commission was worried because the business community had made some complaints that these things have no state of mind requirement. You could bring a books and records or an internal accounting controls failure . . .
19:05 - 19:38
David Woodcock: for almost anything. And the Commission said, no, no, no, we're not going to do that. We're not looking for perfect controls, we're looking for effective controls, reasonable controls, and they have to be cost-effective. And they said there's no stand, there are not going to be stand-alone cases like this. And they said that we're only going to do injunctions where it's likely that the conduct will be repeated. And so in some ways from 2018 or whatever, to 1981, things have really changed. On the other hand, it's probably, companies probably like it at some point, right? . . .
19:38 - 19:55
David Woodcock: Because they'd rather have a books and records control, or internal controls case, than a 17(a)(2), or certainly a 10b-5. So in some ways, it's, I suspect the Commission has been pushed in some ways to go this lighter route and still be able to bring a case, but it is not going away.
19:55 - 19:57
Scott Mascianica: I think companies would like no case at all. That's probably what their price is.
19:57 - 20:05
David Woodcock: Yeah, but if the option is no case or 17(a)(2), right, they'll take books and records or something.
20:05 - 20:15
Gary Kleinrichert: David, I'm gonna stick with you and can you speak to, and we're gonna pivot a little bit to the climate change rule. Can you speak to some of the interesting aspects of the climate change rule?
20:15 - 20:58
David Woodcock: Some of the interesting aspects, sure. So I guess starting, the climate-related disclosure rule was finalized in March of this year. It was originally proposed about two years earlier in 2022. The final rule, if you print it out on PDF, is 885 pages. And it has 3,241 footnotes. So I'm going to summarize this rule in about a minute. Or less. OK, well, there you go. It's an amazing rule. There's litigation, which we'll talk about, that talks about this as being the most expansive increase in SEC regulation ever. I don't know if that's true, but there's probably . . .
20:58 - 21:38
David Woodcock: some good reason to think that. It's incredibly broad. And so just some of the things it does, you've probably heard this, I'll quickly go through them. It wants companies to disclose material impacts on operations. So climate-related risks that have or are reasonably likely to have a material impact on the business. And that reasonably likely to have is the SEC's attempt to fit this into the materiality standard. But you would not be surprised to hear that it's actually not part of the materiality standard. That's my commentary, not background. Impact on the company. Have climate-related risk had . . .
21:38 - 22:15
David Woodcock: material impact or are they reasonably likely to have material impacts on the outlook or strategy of the company? Disclose how. Disclose how they have that, how they have new financial statement note reporting costs or expenditures above a certain amount relating to severe weather events or other natural conditions. So you now have this footnote disclosure that requires, a severe weather event happens, how did that impact your business? Natural conditions, I guess that'll be played out, how did that impact your business? Also have to disclose carbon offsets and renewable energy certificates, how are you using them if they're . . .
22:15 - 22:54
David Woodcock: above a certain amount? They want to hear about risk management oversight process. Anybody who does this work, think TCFD, the UK standards for disclosing how does your company govern climate risk. GHG emissions and assurances: Scope 1 and 2 GHG emissions if material for large entities, and then phased-in assurance requirements by an independent GHG emissions attester. And just these two things right here, they largely don't really exist right now, right? So yes, there are firms who do this and lots of firms who are getting into it, but one of my favorite lines, there was one
22:54 - 23:27
David Woodcock: of the accounting firms talked about when this rule was proposed that they would need to hire a hundred thousand new employees to deal with this rule. Also, targets and goals: the SEC just wants companies to disclose targets and goals they have relating to climate in certain circumstances. And then mitigation efforts. So, do they have a transition plan? What is it? Do they perform scenario analysis? How do they do it? And do they have an internal carbon price? So anyway, a lot of new requirements. Just quickly, it differs from the proposal in . . .
23:27 - 24:00
David Woodcock: some ways. There was what's called a Scope 3. They wanted you to disclose your Scope 3 emissions, and Scope 3 emissions are, without getting into great detail, the emissions of the end user of your product. So if you are an oil and gas company and you sell gasoline, someone comes to your station and buys the gasoline, they drive off, that gas is combusted, they've now emitted the gas. I didn't emit it, they did. And so you count those emissions, or if you have medical device products that are plastics, how are those products used by the end . . .
24:00 - 24:32
David Woodcock: user? They wanted you to disclose that; that's out. Some more limited disclosures on Scope 1 and 2 emissions. A lengthened phase-in for third-party assurance. No requirement to disclose director expertise like they had in the, it's considered in the cybersecurity area. Do you have members of the board who are experts in climate? They wanted you to disclose that; that came out. And then a much more limited Reg. S-X financial footnote. I'm not going to go into the original one. The original one was... How do I say this? I'm on the panel. It was truly . . .
24:32 - 24:59
David Woodcock: remarkable is what I will say. It would have created truly a new accounting industry if it would have stayed in place. And then, you know, no new requirement to disclose transition plan dollars. You were going to have to disclose how much are you spending on a transition plan. That's out. So the rule is on pause now because it's being litigated and it'll work its way through the court probably by the end of the year, have some kind of hearing or decision, but that's where it stands.
24:59 - 25:00
Gary Kleinrichert: Thank you. Alina.
25:01 - 25:35
Alina Fortson: Speaking of the litigation, for those of us who are rulemaking folks, a lot of the challenges and the arguments brought for and against this rule and the litigation that's currently pending are the ones you would anticipate for any type of legal challenge against an administrative rulemaking, right? But I think right now, post-Loper and Chevron, which I know was mentioned on one of the earlier panels, a lot of folks are focusing on this issue of, did the agency have the authority to enact this rule, which as some have said, is one of the most expansive changes
25:36 - 26:06
Alina Fortson: that we've seen in a long time from the SEC. And I do think a lot of folks are saying, you know, post-Loper-Chevron, that the rule is less likely to stand or stand in its current form than maybe it was before that decision came out. But I know that the SEC has maintained that it has the authority to regulate matters that are of interest to investors, whatever they may be. So I think it'll be interesting to see how it ultimately plays out and that does seem to be the issue that will likely decide the case.
26:07 - 26:20
Gary Kleinrichert: I'm going to stay with you, Alina. You're in-house. From an in-house perspective, how are you assessing the anticipated legal costs associated with this and what do you recommend for companies to do to prepare?
26:20 - 26:56
Alina Fortson: Yeah, I think what's interesting about this rule and what companies are spending to prepare, and not just this rule but some of the rules I mentioned at the top that we're seeing pop up around the world, is really long-term resource investment. So a lot of companies didn't have functions in finance dedicated to ESG controllership. The ESG controller role is something that a lot of companies have created in the past couple of years and have invested people resources in. Same with dedicated ESG legal counsel in-house; a lot of companies maybe didn't have that a . . .
26:56 - 27:39
Alina Fortson: few years ago and have been building up those departments inside their organizations. I would also say there's a lot of investment I'm seeing on the technical side. A lot of tech companies are coming out with products that are designed to help companies gather all of the data that is required to be disclosed under these types of rules and report it in a way that can be assured or that follows the requirements of these laws that are coming out. And those are big investments. If companies are either purchasing those types of data platforms or building them in-house, you know, between the people and the IT investments, we're really seeing long-term resource investments from a lot of companies in order to prepare for compliance with this rule.
27:39 - 27:40
Gary Kleinrichert: Thank you. Scott, can you speak to the recent Fifth Circuit ruling on the SEC's private funds rule?
27:46 - 28:26
Scott Mascianica: Yeah, be happy to. So among the suite of rules that the SEC passed as part of its rulemaking wave that Gary described at the top of the panel, the SEC finalized what's known as the private funds rule, which generally speaking, I mean, along with its climate brethren and other cybersecurity rules and others that are hundreds of pages long, was very lengthy. At a 100,000 foot view, the rule puts strict limitations on private funds, which are to be compared to public funds, if you think mutual funds and regulated investment companies, around certain arrangements such as side . . .
28:26 - 29:12
Scott Mascianica: letter arrangements, preferential redemptions, and also imposed some quarterly reporting requirements for private funds, which was a significant uptick in the amount of regulatory scrutiny that private funds would ultimately be subject to. Within 60 days after the Commission finalized the rule, the National Association of Private Fund Managers filed a petition in the Fifth Circuit challenging the rule. And really the central question or really questions that the Fifth Circuit considered were around really the Commission's authority to promulgate the rules, whether or not they had the ability via statute in order to make the rules in question. And there . . .
29:12 - 29:52
Scott Mascianica: were two specific bases that the Fifth Circuit considered. The first is whether or not the Dodd-Frank Act conferred authority on the Commission to promulgate the rule. And the second is whether or not the Commission's deceptive acts and practices rulemaking authority under Section 206(4) of the Advisers Act gave the Commission the ability to promulgate these rules. And the Fifth Circuit said no to both. On the first question, it's actually, for those that are interested in statutory construction and a court's analysis of legislative history, it's a very interesting opinion, because the Fifth Circuit said at first blush, it . . .
29:52 - 30:31
Scott Mascianica: appears that the Commission does have authority. But after you dig into the Dodd-Frank Act, what becomes very clear is that the Dodd-Frank Act concerned retail customers for the statute that the Commission relied upon for its authority and it did not confer authority for the Commission to actually regulate private fund investors. So that was the first issue. And then the second issue is that as it related to the deceptive acts and practices, the court found that the Commission had not established a sufficient basis that there was an issue in need of remedying. In fact, the court noted . . .
30:31 - 30:53
Scott Mascianica: that, I believe by the commission's own acknowledgement, that there were only 0.05 percent of advisors who were engaged in the sort of misconduct at issue, which the court naturally found pretty persuasive. So the court ultimately vacated the rule, one of many legal challenges in the Fifth Circuit that are going on related to rulemaking.
30:53 - 30:58
Gary Kleinrichert: David, do you have anything to add on the bases for challenging SEC rules?
30:58 - 31:34
David Woodcock: I think Alina raised several of them and walked through several of them. I think the statutory authority is a big one. The major questions doctrine, what is the basis for the rulemaking? So what's the SEC's basis for this rulemaking? I think that's what makes the current time very different from past rulemaking efforts. The SEC has been making rules for a very long time. Not all of them are challenged. In fact, I suspect most of them are not challenged. There's a very robust notice and comment process to take in comments, to consider them, and to draft the . . .
31:34 - 32:11
David Woodcock: rule in such a way. The US also has something called cost-benefit analysis under the APA, which Europe doesn't have in the same way. And so there's an element of cost-benefit analysis of economics that goes into rulemaking. So it usually works itself out. What makes the current era different, if you go back to most all rulemakings, they are the result of some legislative impetus. There is some statutory basis, go do this. In 1968, ’69, there was the NEPA which said, go make environmental laws. Every agency should look at the environmental laws and how they're enforcing . . .
32:11 - 32:49
David Woodcock: them. Okay, great, I'll go make rules to do that. Dodd-Frank, obviously, a hundred rulemaking efforts by the SEC. Sarbanes-Oxley. So you see these upticks in rules, and they're largely not challenged. Some of them are, but it's rare. Here, out of all the rules that this current administration has made, think about, there's been no new legislation authorizing it or even encouraging it. In fact, one of the bases for the rulemaking is that there is no legislation, right? We have to fill that gap. And so it makes these rules particularly subject to challenge in a way that I . . .
32:49 - 33:16
David Woodcock: think past rules have not been. So statutory authority, APA, First Amendment is one that's often raised in these challenges, and then the non-delegation doctrine. Congress can delegate authority to these agencies, but there has to be some intelligible basis by which they will exercise it. And so I think that's what makes this particular era ripe for challenge, and that's why you see so many challenges. Interesting. . . .
33:16 - 33:29
Gary Kleinrichert: Alina, what proposed rules should we be most aware of regarding human capital and corporate board diversity and what recommendations do you have regarding how in-house counsel should address these rules?
33:29 - 33:59
Alina Fortson: Yeah, so you said it. In the world of ESG disclosures, for those of us that are focused on those, the human capital management rule is expected to come out, the proposal is expected to come out in October of this year and the board diversity disclosure rule is expected to come out, it's been delayed. At this point, I think we're anticipating it at some point in 2025. So I think it will be interesting to see the extent to which the timing of those regulations or how they are crafted is affected if at all by the outcome of . . .
33:59 - 34:33
Alina Fortson: the litigation challenging the climate disclosure rule, going back to this issue of the extent to which the SEC has authority over some of these issue-related disclosure topics. So something to watch out for. But again, going back to where I started my remarks, I think interesting to start thinking about what those disclosure rules may cover, the types of topics I know we have some preview, human capital management may cover, employee turnover or gender breakdown, things like that. Topics that I think may already exist in some of your clients' voluntary disclosures, for example, or they may be starting . . .
34:33 - 34:54
Alina Fortson: to make them under other regulatory schemes like CSRD or others. So important to start thinking about comparing those regulations against each other, understanding where the gaps are, where the differences are in terms of how they're defined and what they require in order to start preparing what compliance looks like once those regulations actually come out.
34:55 - 35:03
Gary Kleinrichert: Bill, we're gonna come back to you on cybersecurity rules. What are the implications of the cybersecurity rules going forward?
35:04 - 35:30
Bill Ridgway: So a couple of thoughts. One is I do think there are, there's a lot of, I see a lot of boards giving consideration to maybe restructuring how they think about cyber governance. I mean sometimes it was like historically audit committee, audit committees kind of look overburdened. There's a risk committee. And a lot more folks are thinking about technology committees, I think, particularly in the wake of like use of AI and all of those other tools. I think people are thinking about these things differently. So governance, I do expect, will change. I think one thing that, one . . .
35:30 - 35:58
Bill Ridgway: takeaway real practical is, you know, in the wake of these rules everyone kind of updated their policies, right? They had all the, they have their whatever, their SEC guidelines for how to think about materiality. And I do think it's really, people underestimate how challenging it can be to have your IT function and your disclosure committee or whatever it may be, your SEC reporting function, coordinate effectively in the wake of an actual cybersecurity incident. And so, and really, truly, you can have a policy, but to actually implement it, to make sure the people who are making . . .
35:58 - 36:27
Bill Ridgway: those reporting decisions have all the material facts that are being developed from the actual investigation. It's actually a lot more challenging. So we find it pretty useful to do the, you know, in cyber we do a lot of tabletop exercises. Doing cyber or SEC-reporting-based tabletop exercises. What happens when email is down? How is your disclosure committee going to gather the information? What tools do they have to actually receive reports from their forensic providers in that situation? How are we going to make sure that we document in a way so that if the SEC emerges . . .
36:27 - 36:55
Bill Ridgway: a year later we have a record of when we actually gathered, when we met, what we considered. And so I do think there's a lot of like, just real kind of practical insights and kind of in the real world of a real incident when your company's getting pummeled, I feel like a lot of folks can underestimate how difficult and challenging that can be and their policies and procedures are not going to be up to snuff. And unfortunately, we're in a world where in a cold record when the SEC comes looking, it's going to look to them . . .
36:55 - 37:20
Bill Ridgway: like, well, it seems like your IT team didn't escalate things quickly enough. It seems like they didn't know all of the material facts. They didn't know how many servers were encrypted. Those are legitimate questions I have been asked. The SEC has asked me in investigations about what the disclosure committee knew. So that's the expectation we're dealing with. And so I do think there's some utility to kind of getting real practical about how we test this and make sure these policies and procedures are all married together.
37:21 - 37:34
Gary Kleinrichert: Okay, thank you. As we wrap up, we've got 8 more minutes. I'm going to go through the panelists for one final thought on kind of the current status and future status of SEC rulemaking. Alina, I'll start with you.
37:34 - 38:13
Alina Fortson: Sure, I think I'll build on the point that was made about the need for cross-functional collaboration and encouraging our clients to think about whether they are approaching that in an appropriate way, given all these various regulations that are coming up in the US, from the SEC and around the world. I think increasingly we are seeing regulators look to statements that were made in a voluntary context and use them in regulatory enforcement or maybe a statement that was made in the context of another regulation and use it across, right? And I think that will only increase as . . .
38:13 - 38:49
Alina Fortson: we see more and more regulations coming out that are on overlapping topics requiring similar things that are slightly different around the world. And for those of us that work for, advise, you know, again, companies that are based here in the U.S. but are multinational and are having to comply with that patchwork, I think increasingly important to bring all of the right stakeholders internally to the table, making sure you have your subject matter experts on the topic of IT or whatever it may be, but also your comms team, your PR team, your finance team, right, making sure that all the different folks who have an interest in what the company is disclosing externally on these topics are part of the process.
38:50 - 39:27
Scott Mascianica: Scott? Yeah, so naturally just as an enforcement attorney, I am most interested in seeing after the rules kind of settle, following legal challenges after proposed rules or reach their final form. What does it now look like when the blood of the instrument, when the Division of Enforcement gets involved to enforce these rules? Bill mentioned earlier about the cybersecurity rules where there needs to be certain disclosures related to, for instance, how information is communicated up to management concerning a cyber incident. Well, this is directly tied to what we've seen as the Commission's bases for charging companies with . . .
39:27 - 40:00
Scott Mascianica: disclosure controls and procedures violations. So that's just one example where you can see echoes from either prior enforcement actions or recent enforcement actions. How are they going to look now that we have new rules in place, new footholds for the Division of Enforcement to ultimately utilize, to scrutinize, and ultimately maybe play Monday morning quarterback on going forward. So I think after we see these rules reach final form, what the next 18 months, two years looks like I think is going to be fascinating to watch from an enforcement perspective. Thank you.
40:00 - 40:28
Bill Ridgway: I'm gonna reiterate one point I guess I suppose is just thinking about all of the things that the companies are writing about, things like security and really being thoughtful about that. It's rarely, I think it's useful as lawyers because you tend to have a kind of skeptical perspective about how things actually work. It is rare that a lot of those kind of aspirational statements that companies may make about their security can actually be true on the ground if you actually looked under the hood. And so I think we just need to be real, you know, you've
40:28 - 40:58
Bill Ridgway: got to sometimes push back on the PR team that may be wanting to manage an incident and have a website statement about what's being said, or your security team that wants to tout how our security by design is top in class. I really do think, unfortunately, we're in an environment where under the surface, those things are gonna be challenged in private litigation and by the SEC, and now, given the attention, I just don't see it going away, no matter which way things go in the election. I do think there's going to be a continued focus on
40:58 - 41:23
Bill Ridgway: people and how they talk about their use of AI, how they use their cybersecurity, and things along those lines. And so it's an area where sometimes not, I think there's a little bit of deference that sometimes folks in the SEC function give to the technologists, because they know the technology. But I do think we need to kind of have a little bit of a skeptical eye towards some of the statements because unfortunately those statements will be their own undoing when there's actually litigation or enforcement.
41:24 - 42:00
David Woodcock: David? So, these rules that we're talking about, you know, they're creating enforcement cases in the future. And if you go back to one of the earlier discussions we had, Scott, we were talking about the accounting control, internal controls rules. They started here, and now we end up with companies paying multiple millions of dollars to settle an internal accounting controls case when there was no disclosure violation or something like that, right? They've grown. So the rules that we're looking at today are just creating future enforcement cases and they're not going away no matter what happens with the
42:00 - 42:42
David Woodcock: presidential election. You can't undo them all. And so they've ratcheted up the requirements and their costs, their cost on clients. Most of us in this room are enforcement lawyers, maybe we benefit from them, but it's ultimately a drag on a lot of industry. And in some ways, the United States has been in a competition with Europe. And Europe, as Alina said, is way, way ahead of us. And there are rules coming out of Europe over the next couple of years that pale, make what's happening here pale by comparison. So the Corporate Sustainability Due Diligence Directive, which
42:42 - 43:09
David Woodcock: maybe most people haven't heard of, doesn't matter, it will be a rule in Europe in a couple of years. And it isn't about disclosure. It is about conduct. And it is about imposing new rules on how to run your business across all of your supply chain. And so those kinds of things are coming in Europe. And we're ratcheting up the rules here, and they're all going to create an enforcement environment that will be rich, is what I will say.
43:10 - 43:17
Gary Kleinrichert: Very good. Well, thank you to the panelists, and thank you to all of you for your attention. And that's all.