I am a big believer in the saying “if it ain’t broke, don’t fix it.” I am not entirely sure where this saying comes from (and trying to figure that out sent me down a bit of a rabbit hole), but suffice it to say, there are plenty of things that we deal with as securities and governance professionals that are best left alone because they work just fine. I think disclosure committees often fall neatly into this category, because there have been relatively few developments which have necessitated significant changes to the disclosure committee’s responsibilities over the years, and disclosure committee charters are usually flexible enough to allow the committee to adapt to changes in rules and practices over time.
All of that said, I do think that a disclosure committee tune-up may be advisable right now. As a Morrison & Foerster alert notes, this year the SEC has ramped up its actions against companies for ineffective disclosure controls and procedures with respect to cybersecurity incidents, with the agency now focusing on how companies ensure that cybersecurity incidents are identified and communicated to management so that appropriate disclosure decisions can be made on a timely basis. Further, a push for more voluntary environmental and social disclosures, as well as the prospect of mandatory SEC disclosure in the coming months, has focused attention on the disclosure controls and procedures that companies have in place for those disclosures. As Corp Fin’s recent sample letter on climate change disclosures has demonstrated, the Staff is looking closely at how disclosures about climate change included in CSR and sustainability reports relates to the disclosures that the company includes in its SEC filings. Here are my suggestions for areas that the disclosure committee should consider:
Does the disclosure committee have the right mandate? Disclosure committees were established when disclosure controls and procedures requirements were adopted as part of the SOX certification rulemaking, but in the almost 20 years since that time, we have certainly observed some “mission creep” for the disclosure committee. As a result, it is advisable to review the disclosure committee charter to see if it accurately describes the scope of the committee’s responsibilities and its role in the disclosure process, including the committee’s role in analyzing and assessing whether disclosure is required under SEC or other requirements.
Are the right people in the room? Given the SEC’s focus on cybersecurity disclosure controls and procedures, does the disclosure committee include a representative from the company’s information technology function, or does someone from that function report to the committee on a regular basis? Further, does the disclosure committee have an appropriate level of involvement in the company’s ESG disclosure efforts, and are there representatives on the committee who can assist with understanding what is being disclosed in SEC reports and in other communications and how that disclosure is developed?
Is the disclosure committee in a silo? Is the disclosure committee properly positioned within the organization, and does it have the appropriate authority to have access to the raw data that it needs to make informed recommendations for disclosure decisions on a timely basis? In some cases, the disclosure committee may be too tilted toward the company’s financial reporting function, which can cause it to lose sight of, and not have appropriate access to information about, broader disclosure topics such as cybersecurity and ESG.
Does the disclosure committee have the right framework in place for assessing materiality? One of the most important roles that the disclosure committee serves is assisting management with making informed decisions about the materiality of information. As we all know, materiality is not a static concept, so it is advisable for the disclosure committee to take steps to articulate the framework that is used for analyzing and determining whether information is material, and tweak that framework as necessary given changes at the company, new SEC rules and evolving investor expectations.
Does the disclosure committee have an active role in the design and evaluation of disclosure controls and procedures? The members of the disclosure committee are usually best situated to determine if the company’s disclosure controls and procedures are operating effectively, and have the best perspective on what improvements may be necessary or when changes are necessary due to new SEC requirements. As a result, the disclosure committee should have clearly articulated responsibilities with respect to disclosure controls and procedures, and a mechanism should be in place for recommending regular adjustments and following up on their implementation.
-Dave Lynn, TheCorporateCounsel.net October 1, 2021