Navigating the uncertainty of the SEC's latest changes to cybersecurity and ESG rules has been a challenge for risk management leaders. At every stage of risk maturity, companies must contend with ongoing litigation around the rules while continuously reshuffling priorities among everything else on their plate, including year-end audit requirements, the introduction and application of AI, and various internal transformation initiatives.
During a panel at AuditBoard’s 2024 Audit & Beyond Conference entitled “Checklist for Success: Best Practices for Compliance with New SEC Rules for ESG and Cybersecurity,” CrossCountry Consulting’s Steve Coppolino led a discussion with two seasoned experts, Kristina Wyatt and Manju Mudé, who provided valuable insights into the new SEC rules governing ESG and cybersecurity disclosures. These regulations, aimed at promoting transparency and protecting investors, highlight the evolving compliance landscape and underscore the importance of strategic governance for organizations across all sectors.
Below are some of the key takeaways, challenges, and best practices discussed during the session.
ESG Disclosure Rules
- Challenges: Kristina Wyatt, Deputy General Counsel & Chief Sustainability Officer at Persefoni AI and a former Senior Counsel at the SEC, highlighted the importance of transparency in the ESG domain. Although some aspects of the rule, such as Scope 3 emissions reporting, are still under debate and likely to be scaled back, companies are encouraged to prepare for an increase in required disclosures. Regardless of whether or how the SEC rule is finalized, companies need consistent reporting, because other regimes already impose climate disclosure requirements, including the EU Corporate Sustainability Reporting Directive (CSRD) and California SB 253 and SB 261. Climate-related risks are genuinely shaping how companies think about sustainability.
- Best practices: To prepare for ESG disclosure requirements, companies should integrate climate risk into their overall governance and reporting frameworks, conduct thorough assessments, and develop strategies to address potential risks.
Cybersecurity Disclosure Rules
- Challenges: Manju Mudé, Chief Information Security Officer, formerly of Splunk and Oportun, emphasized that the new cybersecurity rules require timely incident reporting: once a company determines that a cybersecurity incident is material, it must disclose it on Form 8-K (Item 1.05) within four business days, and the rule requires that materiality determination to be made without unreasonable delay. Organizations are grappling with several challenges in meeting these requirements, including identifying which incidents are material, operationalizing incident reporting so the clock can actually be met, and striking a balance between transparency and business risk. Mudé explained that the hardest part is disclosing an incident publicly without revealing technical details (unremediated weaknesses, affected systems, response status) that could expose the company to further attack.
- Best practices: To comply with the cybersecurity disclosure requirements, organizations should implement robust governance and risk management frameworks, conduct regular assessments, and have clear incident response plans in place. In practice this means a documented materiality-assessment process that brings the CISO, legal, and finance together as soon as an incident is confirmed, so that the four-business-day window is not consumed by deciding who decides; and, because the annual Form 10-K (Item 1C) now asks registrants to describe their processes for assessing, identifying and managing material cybersecurity risks, along with management's role and board oversight, those processes should be written down and actually followed rather than described after the fact.
Integrating ESG and Cybersecurity Compliance
- Alignment: A key theme that emerged was the intersection of ESG and cybersecurity within corporate governance. Both disclosures emphasize the need for robust risk management, reinforcing the importance of elevating these areas to the board level. By integrating ESG and cybersecurity reporting into their broader integrated risk management approach, organizations can streamline compliance efforts, enhance overall governance, and demonstrate a commitment to sustainability and resilience. Depending on the size and industry of the business, teams responsible for compliance may already be stretched thin, so approaching ESG and cyber domains as an integrated effort can avoid silos and redundancies.
- Navigating uncertainty: Given the ongoing litigation and potential changes to the rules, organizations should adopt a flexible approach, monitor developments closely, and be prepared to adjust their compliance strategies as needed. Reporting teams should develop templates and repeatable playbooks that can absorb further SEC changes, so that they can approach compliance proactively and efficiently without introducing additional complexity when the rules finally take effect and their companies must comply.
For expert support complying with evolving SEC rules, contact CrossCountry Consulting.