The SEC Stays Climate Disclosure Rule Amid Legal Challenges
On April 4, 2024, the SEC stayed The Enhancement and Standardization of Climate-Related Disclosures for Investors (the “Rule”) pending judicial review in the Eighth Circuit. In issuing the order, the SEC underscored that the Rule is “consistent with applicable law,” that it would continue “vigorously defending” the Rule in court and that a stay would “avoid potential regulatory uncertainty” for registrants amid ongoing legal challenges.
This stay followed numerous legal challenges filed after the Rule’s adoption on March 6, 2024, including suits in the Second, Fifth, Sixth, Eighth, Eleventh and D.C. Circuits. The Fifth Circuit had granted a stay on March 15, 2024, after several petitioners argued they would suffer irreparable harm in the form of unrecoverable compliance costs and constitutional injury. Then, on March 21, 2024, the pending actions were consolidated in the Eighth Circuit, and several parties moved for a stay there. The SEC requested a consolidated briefing schedule to encompass all motions seeking a stay, which 31 petitioners opposed, urging the court to expedite briefing.
It is unusual for the SEC to stay its own rule pending judicial review. Part of the motivation may be to slow the judicial timeline, ensuring appropriate time for full briefing and lessening potential pressure on the Eighth Circuit to accelerate its decision. The SEC further noted that the stay does not encompass “any other Commission rules or guidance,” referring specifically to the Guidance Regarding Disclosure Related to Climate Change from February 2010, with which it may continue to assess compliance.
The SEC Charges Its First AI Fraud Cases
On March 18, 2024, the SEC announced settled charges against two investment advisers, Delphia (USA) Inc. (“Delphia”) and Global Predictions Inc. (“Global Predictions”) for making false and misleading statements in violation of the Investment Advisers Act of 1940 about their alleged use of AI in connection with providing investment advice. Delphia agreed to pay a civil penalty of $225,000, and Global Predictions agreed to pay a civil penalty of $175,000. These settlements are the SEC’s first-ever cases charging violations of the antifraud provisions of the federal securities laws in connection with AI disclosures.
According to the SEC’s order against Delphia, from 2019 to 2023, the firm made false and misleading statements in its SEC filings, in a press release and on its website, that it used AI and machine learning to analyze its retail clients’ spending and social media data to inform its investment advice when it actually did not use any such data in its investment process. Delphia’s false statements included declarations that it used “a predictive algorithmic model” for asset selection and deployed “machine learning to analyze the collective data shared by its members to make intelligent investment decisions.”
In the SEC’s order against Global Predictions, the SEC found that the firm made false and misleading claims in 2023 on its website and on social media about its purported use of AI. For example, the firm falsely claimed to be the “first regulated AI financial advisor” and misrepresented that its platform provided “[e]xpert AI-driven forecasts.”
AI-related securities class actions are likely to become more frequent as public companies increasingly start disclosing in their public filings how they use AI. Shareholder plaintiffs can scrutinize these disclosures in hindsight to contend that the company did not properly characterize its AI technologies or use by, for example, failing to disclose an AI use case that actually existed or omitting references to an associated risk of generative AI such as quality control, privacy, IP, data-use limitations, cybersecurity, bias or transparency.
The matters reflect Chair Gensler’s determination to target “AI washing”—securities fraud in connection with AI disclosures under existing provisions of the federal securities laws—and underscore that public companies, investment advisers and broker-dealers will face rapidly increasing scrutiny from the SEC in connection with their AI disclosures, policies and procedures. Given the enhanced scrutiny, companies should carefully consider whether to make AI-related disclosures and, if so, how to frame them to avoid claims that those disclosures are misleading.
100 Days of Cybersecurity Incident Reporting on Form 8-K: Lessons Learned
On December 18, 2023, the SEC rule requiring disclosure on Form 8-K of material cybersecurity incidents became effective. The early results of this new disclosure requirement indicate a trend toward rapid disclosure, as opposed to the extended analysis that the SEC expected most companies would undertake in determining materiality in the wake of a cybersecurity incident. Notwithstanding this trend towards speed, companies experiencing a cybersecurity incident would be well advised to exercise caution before disclosing too early in their incident response. Though companies may not unreasonably delay, they can and should take the time needed to conduct a reasonable investigation of the facts to support an informed and deliberative materiality determination. Observations from the initial 11 Form 8-Ks filed under Item 1.05 include:
Timing of Cyber 8-Ks
- Item 1.05 requires an issuer to file a Form 8-K disclosing specified information about a cybersecurity incident within four business days of determining that the cybersecurity incident is material. Although the SEC acknowledged that in most cases the registrant will be unlikely to determine materiality on the same day that the incident is discovered, in practice, companies have disclosed incidents more quickly than the SEC may have anticipated. The average time from detection of a cybersecurity incident to disclosure has been 5.45 business days. Eight companies (over 70% of the sample) have filed Forms 8-K under Item 1.05 within four business days of detecting the cybersecurity incident.
Substance of Cyber 8-Ks
- Of the 11 companies that reported a cybersecurity incident under Item 1.05 of Form 8-K, one identified a material operational disruption in its initial filing, and another identified a material impact on its results of operations in an amended filing made three weeks after the initial filing. The other nine companies did not expressly identify a material impact.
- More than half of the companies that have reported a cybersecurity incident under Item 1.05 of Form 8-K disclosed an operational disruption related to the cybersecurity incident, but notably only a single company disclosed that the disruption was material. In contrast to financial or more qualitative impacts, operational disruptions may be more readily identifiable in the early stages of an incident, when disclosure decisions are typically being made.
- Five companies disclosed a cybersecurity incident that resulted in access to or exfiltration of data; three of the companies disclosed the nature of the exfiltrated data, while two disclosed the information in a subsequent Form 8-K amendment. The disclosure trend suggests that attacker access to potentially significant data, or a significant volume of data, are factors weighing in favor of disclosure, even if the nature of the data and whether it was, in fact, taken are the subject of ongoing investigation.
- Four of the cybersecurity incidents reported on Item 1.05 of Form 8-K included identification of the suspected threat actor. Item 1.05 calls for a description of the “nature” of the cybersecurity incident. This could be interpreted to include the nature of the threat actor where that is relevant to an understanding of the incident and its potential impacts. It is important to consider whether identification of the threat actor would impede the company’s response or remediation of the incident.
Form 8-K Amendments
- Companies are required to file a Form 8-K amendment to disclose required information that is not determined or is unavailable when the Form 8-K is filed. Of the amendments that were filed, some disclosed remediation of the incident and others detailed the impact of the incident. The relative frequency with which amendments have been filed underscores the difficulty inherent in cybersecurity incident disclosure: incidents and investigations evolve rapidly and unpredictably.
For more information, see Debevoise Insights.
SEC Rule-Making Agenda
The SEC’s Fall 2023 Regulatory Agenda was posted in December 2023. A summary of key pending rule changes is included below. We expect the spring 2024 agenda to be released by June 2024. For more information, see the full regulatory agenda here.
| Title | Stage of Rulemaking | Announced Release Date |
| --- | --- | --- |
| Human Capital Management Disclosure | Proposed Rule Stage | April 2024 |
| Incentive-Based Compensation Arrangements | Proposed Rule Stage | April 2024 |
| Financial Data Transparency Act Joint Rulemaking | Proposed Rule Stage | April 2024 |
| Regulation D and Form D Improvements | Proposed Rule Stage | April 2024 |
| Revisions to the Definition of Securities Held of Record | Proposed Rule Stage | April 2024 |
| Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies | Final Rule Stage | April 2024 |
| Cybersecurity Risk Management Rules for Broker-Dealers, Clearing Agencies, MSBSPs, the MSRB, National Securities Associations, National Securities Exchanges, SBSDRs, SBS Dealers, and Transfer Agents | Final Rule Stage | April 2024 |
| Enhanced Disclosures by Certain Investment Advisers and Investment Companies about Environmental, Social, and Governance Investment Practices | Final Rule Stage | April 2024 |
| Open-End Fund Liquidity Risk Management Programs and Swing Pricing; Form N-PORT Reporting | Final Rule Stage | April 2024 |
| Registration for Index-Linked Annuities; Amendments to Form N-4 for Index-Linked and Variable Annuities | Proposed Rule Stage | June 2024 |
| Corporate Board Diversity | Proposed Rule Stage | October 2024 |
| Rule 144 Holding Period | Proposed Rule Stage | October 2024 |
| Covered Clearing Agency Resiliency and Recovery and Wind-Down Plans | Final Rule Stage | October 2024 |
| Electronic Submission of Certain Materials Under the Securities Exchange Act of 1934; Amendments Regarding FOCUS Report | Final Rule Stage | October 2024 |