ESG and Cyber – US SEC’s ESG disclosure requirements

By Sarah Crowther, Ornela Markaj and Erin Burns

Published 30 June 2022

A recent vote by the U.S. Securities and Exchange Commission (“SEC”) concerns rule changes regarding environmental, social and governance (“ESG”) funds. ESG has been catapulted into the limelight, and the ESG narrative is now an essential focus for law firms and corporations. Investors are re-evaluating traditional investment approaches, and the scope of ESG appears to be widening. The SEC sought to standardise ESG-related disclosures by proposing amendments to its rules and reporting forms. The SEC’s aim is to promote consistent, comparable and reliable information for investors concerning funds that incorporate ESG factors.

The vote came two days after the SEC fined BNY Mellon Investment Adviser, Inc. for misstatements and omissions about ESG considerations in making investment decisions for certain mutual funds that it managed. BNY Mellon had implied that all investments in the funds had undergone an ESG quality review, even though this wasn’t always true. It was found that various investments held by certain funds didn’t have an ESG quality review score, and BNY Mellon agreed to pay a $1.5 million penalty. This highlights the need for transparency when engaging with ESG, and potentially explains why the SEC proceeded with the vote.

The Implications

The vote proposed several changes:

  1. Require funds and advisers to provide specific disclosures within fund prospectuses, annual reports and adviser brochures regarding their ESG strategies.
  2. Ensure that funds whose names suggest an ESG focus invest at least 80% of their assets’ value in such areas.
  3. Require certain ESG reporting on a census-type data report, which would inform the SEC’s regulatory, enforcement, examination, disclosure review and policymaking roles.

The proposed changes would apply to certain registered investment advisers, registered investment companies, business development companies and advisers exempt from registration. Similar disclosure regulations already exist in the EU, i.e. the Sustainable Finance Disclosure Regulation (“SFDR”), and are under contemplation in the UK, i.e. the Sustainability Disclosure Regime (“SDR”).

The aim of the proposals appears to be to create transparency in ESG investing. The thinking is that investors should have a greater understanding of the parameters, be better protected, and be able to allocate their capital more efficiently. These proposals are consistent with the SEC’s recently announced 2022 Examination Priorities, which cover ESG investing in detail under the ‘significant focus areas’. Also flagged within those priorities are Information Security and Operational Resiliency, Emerging Technologies and Crypto-Assets.

ESG and Cybersecurity

ESG is becoming increasingly linked to cybersecurity. Consumers and investors of all kinds are becoming more savvy about potential cyber vulnerabilities at the organisations with which they connect and share data. As companies handle more and more data, these concerns are heightening. The message is that a more transparent view of companies’ cyber practices, within a standard framework, is going to be expected. The SEC’s proposals in relation to ESG highlight its growing focus on how corporate strategies are developed, and suggest that data protection and privacy will also gradually fall under the regulator’s remit.

The SEC has been increasingly tackling cybersecurity. In March 2022, the SEC proposed amendments to standardise disclosure regarding cybersecurity risk management. On 3 May 2022, the SEC further announced that 20 additional positions would be allocated to the Crypto Assets and Cyber Unit within the Division of Enforcement, which brings actions against securities law violations in connection with crypto assets. The increase in resources will nearly double the size of the unit. This increased focus is in line with the FBI, which has formed a new unit dedicated to cryptocurrency, and the DOJ, which has created a new team within the Criminal Division, the National Cryptocurrency Enforcement Team. This concentration of effort across agencies emphasises the need for companies to meet consistent requirements across the board in relation to data and cybersecurity.

SEC Chair Gary Gensler has stated that the SEC evolves to reflect evolving risks, including cybersecurity. He said, “cybersecurity is an emerging risk with which public issuers increasingly must contend. Investors want to know more about how issuers are managing those growing risks.” The SEC wants consistent and comparable metrics across a range of topics, and it looks like cybersecurity and privacy could be tackled next. The proposed amendments could require, among other things, current reporting of material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.

The SEC’s 2022 Examination Priorities highlight the need for security controls and their importance for business continuity. The document states that “failing to prevent unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction of sensitive records may have consequences that extend beyond the firm compromised to other market participants and retail investors.” In particular, the SEC’s examination division will be reviewing whether firms have taken appropriate measures to safeguard against ransomware attacks, phishing, account intrusions and cybersecurity risks generally.

The ESG-related disclosure rules are subject to consultation, and the comment period will remain open for 60 days after publication in the Federal Register.