With the SEC’s adoption of cybersecurity and climate change disclosure rules looming and investor scrutiny of disclosure in these areas intensifying, a recent Perkins Coie blog recommends that companies take a hard look at their disclosure controls and procedures to ensure that cyber and ESG matters are appropriately captured. The blog identifies things that companies should keep in mind as they assess their disclosure controls and procedures in these areas. This excerpt addresses key issues in the data collection and verification process:
Determine what data to collect. Companies must determine what data to capture, and until the exact parameters of the final rules are known, should focus on the data most material to their business and industry. Companies can consider industrywide standards or metrics and whether key investors have preferred reporting frameworks. For example, BlackRock asks companies to report using the framework developed by the TCFD, supported by industry-specific metrics, such as those identified by SASB.
Establish data-gathering procedures and systems. Companies need to establish procedures for how data will be collected, where it is sourced, and how it is stored. Company personnel will need to be assigned responsibility over newly implemented procedures and data collection. Depending on the size and complexity of the data to be gathered, automated data management systems offer advantages over manual collection and storage methods. If companies intend to seek third-party assurance over their data, the procedures and systems need to be of sufficient quality and formality to enable testing by third parties.
Determine how data and resulting disclosures will be reviewed and verified. Companies must put in place procedures to vet the completeness and accuracy of the data collected and resulting disclosures. For example, internal controls and segregation of duties should be implemented to prevent and detect data fraud; also, certification and/or sub-certification procedures can be established whereby company personnel review and certify disclosures pertaining to their respective areas of responsibility. At the end of the day, the data and disclosures should be comparable across time, across communication channels (e.g., Form 10-K vs CSR Report), and amongst peers.
The blog says that companies should consider involving outside advisors such as audit firms and consultants in order to help them design internal controls and procedures or to provide assurance services, and should also assess whether any current disclosure committee needs to be reorganized in order to manage the increased challenges of these expanding disclosure obligations.
– John Jenkins, TheCorporateCounsel.net, March 6, 2023