March 8 2022

Annual report time: disclosure focus areas

Shearman & Sterling LLP | Banking & Financial Services - USA

Richard B. Alsop, Roberta Berliner Cherman, Marwa M. Elborai, Masahisa Ikeda

Introduction
ESG disclosures
Climate change disclosures
HCM and board diversity disclosures
Cybersecurity disclosures
Covid-19 disclosures
Nasdaq board diversity requirements


Introduction

It is now time for foreign private issuers (FPIs) to prepare their annual reports on Form 20-F. For companies with a calendar year-end, the Form 20-F must be filed with the US Securities and Exchange Commission (SEC) by 2 May 2022 (which is the first business day following 30 April 2022).

This article is part of a series that provides an overview of recent developments, trends and topics that are relevant to FPIs preparing their 2021 Form 20-F. For the first article in the series, see "Annual report time: approaching 2021 Form 20-F and SEC updates".

ESG disclosures

Environmental, social and governance (ESG) issues are an increasingly important area of focus for issuers and investors. Issuers have begun to disclose more information on ESG, including the business impacts of climate change and their efforts aimed at advancing the ESG agenda and reducing carbon emissions. Increasing investor focus on ESG has led to asset managers offering more investment products that incorporate ESG themes, and issuers are increasingly issuing green bonds, sustainability-linked bonds and other types of sustainable bonds.

As such, possible areas for comments to be issued by the staff of the SEC with respect to an issuer's Form 20-F are likely to include:

  • comments seeking greater transparency, accuracy and reliability of ESG disclosures. In a speech on 8 November 2021, Gurbir Grewal, the director of the SEC's division of enforcement, emphasised that "if an issuer chooses to speak on climate or ESG – whether in an SEC filing or elsewhere – it must ensure that its statements are not materially false or misleading, or misleading because they omit material information"; and
  • comments arising from a comparison between public disclosures outside of the SEC reporting system versus disclosures made in SEC filings in order to assess whether there are material omissions from disclosures filed with the SEC. For example, many companies publish sustainability/corporate social responsibility reports on their websites and care should be taken in analysing the degree to which material disclosures made in such publications should also be included in the Form 20-F annual report.

Climate change disclosures

During 2021, the SEC has consistently signalled that it is focusing on climate change disclosures made by issuers. In comments made in The Wall Street Journal's CEO Council Summit on 7 December 2021, Chair Gary Gensler indicated that the SEC hopes to propose new climate change rules in early 2022. Therefore, while new disclosure rules will not apply to the 2021 Form 20-F, issuers should nonetheless take stock of their existing disclosures and consider potential modification in light of the SEC's focus on this topic.

The following bullet points set out below a chronology of certain key statements made by the SEC during 2021, together with relevant links to where further detail can be obtained. Prior to SEC rulemaking proposals being released, the statements referred to below are useful for issuers in shaping their thinking on these topics and considering whether to update disclosures in advance of any rulemaking:

  • In a public statement on 24 February 2021, then-Acting Chair Allison Herren Lee directed the Division of Corporation Finance to enhance its focus on climate-related disclosure in public company filings. She asked the staff of the SEC to consider how companies comply with previously issued SEC guidance and current disclosure requirements.
  • On 4 March 2021, the SEC announced the creation of the Climate and ESG Task Force in the Division of Enforcement. The initial focus of the task force is to identify any material gaps or misstatements in companies' disclosure of climate risks under existing disclosure requirements. Therefore, the more proactive approach of the Division of Corporate Finance in raising comments on climate change disclosures could also lead to issuers receiving additional attention from the task force.
  • In prepared remarks on 28 July 2021, SEC Chair Gary Gensler set forth key considerations for the staff of the SEC to address in the SEC's forthcoming rulemaking proposal on mandatory climate risk disclosures. The Financial Stability Board created the Task Force on Climate-related Financial Disclosures (TCFD) to improve and increase reporting of climate-related financial information. In prepared remarks, SEC Chair Gary Gensler indicated in September 2021 that he had asked the staff of the SEC to learn from the TCFD framework, among other things, in developing proposals for climate risk disclosure requirements. Therefore, TCFD recommendations are a useful resource for companies formulating their overall approach to climate change disclosure.
  • On 14 September 2021, SEC Chair Gary Gensler testified before the Senate Committee on Banking, Housing, and Urban Affairs that investors are demanding "consistent, comparable, and decision-useful disclosures around climate risk, human capital management and cybersecurity".
  • On 22 September 2021, the staff of the SEC published a sample comment letter regarding climate change disclosures. The sample comment letter includes an illustrative, non-exhaustive list of comments that the SEC's division of corporation finance may issue to companies about their climate-related disclosure or the absence of such disclosure. The sample comment letter contains nine points, mainly focused on risk factors and management's discussion and analysis (MD&A) disclosures. Most of the topics addressed in the sample comment letter were previously covered in the interpretative guidance published by the SEC in February 2010. These disclosure matters can include:
    • the impact of pending or existing climate-change-related legislation, regulations and international accords;
    • the indirect consequences of regulation or business trends (such as transition risks relating to low/net zero carbon emissions); and
    • the physical impacts of climate change.

Therefore, when preparing disclosure for the 2021 Form 20-F, issuers should review the topics raised in the sample comment letter and consider if, and how, their disclosure should be amended to reflect those areas of focus.

  • Climate-related disclosures encompass three levels of reporting for greenhouse gas emissions:
    • scope 1 (emissions from a company's own operations, which is the narrowest reporting scope);
    • scope 2 (emissions from the company's use of electricity, steam, heating or cooling); and
    • scope 3 (emissions that are the result of activities from assets not owned or controlled by the company, but that the company indirectly impacts in its value chain).

In his 7 December 2021 remarks, Chair Gary Gensler said that the SEC was still considering whether to mandate all three levels of reporting for US public companies, particularly those issuers that have set themselves "net-zero" emissions goals to eliminate greenhouse gas emissions altogether. Chair Gary Gensler noted that: "If these companies are making such commitments, then we're considering what disclosures they have to the public around those commitments." Therefore, companies that disclose extensive sustainability-related commitments (such as net-zero) should consider their ability to disclose performance-related metrics to enable performance tracking.

HCM and board diversity disclosures

An increasing focus on all elements of ESG, not just climate change, has led many companies to consider expanding their human capital management (HCM) disclosures. Expanded HCM disclosures are on the SEC's rulemaking agenda and, in prepared remarks on 23 June 2021, SEC Chair Gary Gensler indicated that additional HCM metrics could include "workforce turnover, skills and development training, compensation, benefits, workforce demographics including diversity, and health and safety". It is not known whether any such rules would also apply to FPIs.

In amendments to Item 101 of Regulation S-K adopted by the SEC in August 2020, the SEC also required domestic US issuers (but not FPIs) to include new disclosures on human capital resources. These amendments require domestic companies to include in their annual reports:

a description of the registrant's human capital resources, including the number of persons employed by the registrant, and any human capital measures or objectives that the registrant focuses on in managing the business (such as, depending on the nature of the registrant's business and workforce, measures or objectives that address the development, attraction and retention of personnel).

This disclosure is required to the extent that it is material to an understanding of the issuer's business taken as a whole, or if it is material to a particular segment, then that segment should be identified. A recent survey found there was little uniformity in the information and related data that was reported on this topic in filings made by domestic companies during 2021.

Therefore, while these disclosure requirements are not applicable to FPIs, companies should nonetheless consider whether the inclusion of disclosure on these topics would be useful to investors and improve the company's overall disclosures, particularly as investors become more accustomed to seeing these disclosures being made by domestic US companies.

No additional rules will apply to forthcoming 2021 Form 20-F annual reports, but issuers may nonetheless consider expanding their HCM disclosures, and doing so may potentially include the establishment of the processes for collection and evaluation of key HCM metrics.

Cybersecurity disclosures

The SEC continues its focus on cybersecurity disclosures against the backdrop of cyberattacks increasing in frequency and severity around the world. "Cybersecurity risk governance" is on the SEC's near-term rulemaking agenda, and while a rulemaking proposal from the SEC might be forthcoming in the short term, it would be some time before a final rule on cybersecurity risk disclosures is issued. However, issuers should nonetheless take the opportunity to reassess their cybersecurity disclosures.

Cybersecurity disclosures were addressed in the SEC's 2018 interpretative guidance, but this was not codified in SEC rules. While there is no existing issuer disclosure requirement explicitly referring to cybersecurity risks and cyber incidents, the SEC's guidance makes clear that issuer may nonetheless be required to provide disclosure relating to cybersecurity risks and incidents pursuant to Regulation S-K and Regulation S-X, where cybersecurity may be material in order to discharge an issuer's disclosure obligations relating to business and operations, risk factors, MD&A, internal controls over financial reporting, and disclosure controls and procedures. The SEC expects companies to provide disclosure that is tailored to their particular cybersecurity risks and incidents. The SEC emphasised avoiding generic boilerplate cybersecurity-related disclosure and the need to provide specific information that is useful to investors.

Cybersecurity is also on the SEC's enforcement agenda. Beginning in June 2021, the SEC's division of enforcement sent letters to certain SEC reporting issuers that the SEC believed may have been impacted by the SolarWinds cyberattack in December 2020. The SEC offered amnesty to companies who voluntarily disclose to the SEC how the company was impacted by the SolarWinds cyberattack and any other cyberattacks resulting in unauthorised accesses lasting longer than one day, and any remedial actions the company implemented in response, to the extent that those voluntary disclosures show that the company failed to make prior required disclosures or maintain adequate internal controls.

On 16 August 2021, the SEC announced the settlement of an enforcement action against a UK-based company dual listed on the New York Stock Exchange and the London Stock Exchange. The SEC alleged that the company had misled investors about a 2018 cyberattack because the company had failed to revise its risk factor disclosure in its quarterly earnings release and its Form 20-F annual report to reflect that it had experienced a material data breach. The SEC's order instituting cease-and-desist proceedings stated that the company's periodic disclosures remained unchanged and implied that no "major data privacy or confidentiality breach" had occurred when the company knew months earlier about the material data breach. The chief of the SEC enforcement division's cyber unit said that: "As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents."

This case demonstrates the SEC's continued focus on disclosure relating to cybersecurity issues and illustrates that if a company has experienced a cybersecurity incident, then great care should be taken in analysing the impacts on the company's future disclosures – including the use of "could" or "may" in the face of incidents that have already materialised. The 2018 guidance listed various criteria for companies to consider when determining whether a cybersecurity incident constitutes a "material" event and companies should carefully evaluate their materiality criteria for disclosure of cybersecurity incidents. Companies should take care not to understate the nature and scope of cybersecurity incidents or overstate their cyber protections.

In a speech on 29 October 2021, SEC Commissioner Elad L Roisman noted that, because issuers' businesses vary, the cybersecurity-related risks they face also will vary, and therefore a principles-based rule would likely work best. In commenting on the enforcement actions referred to above, Commissioner Roisman noted that: "The idea is not to blame the victim, but rather to address situations in which an entity did not fulfil its responsibilities under the law."

Covid-19 disclosures

In March and June 2020, the Division of Corporate Finance of the SEC issued disclosure guidance Topic No. 9 and Topic No. 9A in relation to disclosure that companies should consider in connection with covid-19 and related market disruptions (for further details, see "SEC issues new covid-19 disclosure guidance"). The SEC encouraged companies to:

provide disclosures that allow investors to evaluate the current and expected impact of COVID-19 through the eyes of management and to proactively revise and update disclosures as facts and circumstances change.

In particular, the guidance emphasised the importance of providing clear disclosure related to the management of short- and long-term liquidity and funding risks in the current economic environment.

The SEC's office of the chief accountant (OCA) also issued a statement on the importance of high-quality financial reporting in light of covid-19. Among other matters, the OCA stressed that companies should ensure that significant judgments and estimates are reasonable and disclosed in a manner that is understandable and useful to investors.

Covid-19-related disclosures impact many areas of the Form 20-F, including the MD&A and the risk factors. Comments on quarterly reports on Form 10-Q for domestic reporting companies initially concentrated on the liquidity and availability of capital resources, as well as known trends or uncertainties related to covid-19 that will have a material favourable or unfavourable impact on results from continuing operations. However, as the covid-19 pandemic has progressed, additional risks have emerged, such as supply chain disruptions, manufacturing shortages (such as semiconductors), increasing difficulty in workforce recruitment in certain markets and inflation-related risks.

Nasdaq board diversity requirements

On 6 August 2021, the SEC approved the Nasdaq Stock Market's proposal to amend its listing rules in order to advance greater board diversity through a combination of:

  • a "comply or explain" board diversity requirement to have a specified number of diverse directors; and
  • requirements to disclose additional board diversity statistics using a standardised matrix template.

In contrast to many other Nasdaq corporate governance rules, the new board diversity requirements also apply to FPIs.

For FPIs with a calendar year-end, the board diversity matrix disclosure requirements will apply to the Form 20-F filed for the 2022 year-end. FPIs listed on the Nasdaq Global Select Market, the Nasdaq Global Market or the Nasdaq Capital Market must have one diverse director (or explain why they do not) in their Form 20-F for the 2023 year-end, and such companies must have two diverse directors (or similarly "comply or explain") in their Form 20-F for the 2025 year-end (except for companies listed on the Nasdaq Capital Market for whom the requirement applies from 2026 year-end).

For FPIs to satisfy the board diversity requirement, two board members can self-identify as female, or one director can self-identify as female and one director can self-identify as LGBTQ or as an "underrepresented individual". In this context, an "underrepresented individual" means an individual who self-identifies as underrepresented based on national, racial, ethnic, indigenous, cultural, religious or linguistic identity in the country of the company's principal executive offices.

Companies with five or fewer board members can meet the board diversity objective by having only one instead of two diverse directors. "Controlled companies" are not exempt from these rules.

Newly listed companies that were not previously subject to a substantially similar requirement on another stock exchange are required to comply with the board diversity matrix disclosure requirements within one year of their listing. Newly public companies must "comply or explain" with the director diversity requirements by the date that depends on the Nasdaq market on which the company lists. A company newly listed on the Nasdaq Global Select Market or the Global Market must "comply or explain" as to one diverse director within one year following its listing and as to two diverse directors within two years following its listing (but in each case no earlier than the general deadlines described above).

Therefore, while no additional disclosures will be required in the 2021 Form 20-F, given increasing focus on this topic from the investor community and from the SEC, issuers should nonetheless consider whether to address this topic more fully in their forthcoming annual reports.

For further information on this topic please contact Richard Alsop, Roberta Cherman, Marwa Elborai or Masahisa Ikeda at Shearman & Sterling by telephone (+1 212 848 4000) or email ([email protected], [email protected], [email protected] or [email protected]). The Shearman & Sterling LLP website can be accessed at www.shearman.com.