Key US securities developments

SEC climate disclosure proposal

Climate-related disclosures stood in the light throughout the course of 2023. On the national stage, the US Securities and Exchange Commission's ("SEC") 2022 proposal for new climate-related disclosure rules continued to remain a prominent point of discussion. The proposed rule – modelled in part after the Task Force on Climate-Related Financial Disclosures ("TCFD") framework and the Green House Gas ("GHG") protocol – controversially requires disclosures of material Scope 3 GHG emissions, with a proposed materiality threshold of a 1% impact on financial statement items. While the comment period ended in November 2022, the final rules have still not been issued despite multiple delays. Since announcing the proposed rules, the SEC has extended the timeline to allow for public comments due to technical errors, as well as postponing the final rule issuance under a cloud of external controversy, including allegations of government overreach and concerns regarding the burden involved in fulfilling reporting obligations. Although the final rule was last expected to be issued during the first half of 2024, SEC officials are reported to have indicated that the rules may be made less extensive.

California climate disclosure rules

Other US regulators are, however, pushing forward on climate-related disclosures. In 2023, California for example issued a series of extensive statutory climate disclosure laws: State Bills 253 ("SB 253") and 261 ("SB 261") and Assembly Bill 1305 ("AB 1305").

SB 253 applies to private and public US entities "doing business in California" with total annual revenues of over $1 billion in the previous fiscal year and requires annual public disclosure of Scopes 1, 2 and 3 GHG emissions. SB 253 also requires third-party assurances for Scope 1 and 2 emissions, as well as dictating that the state may establish a third-party assurance requirement for Scope 3 emissions in the future. SB 261 applies to private and public US entities with total annual revenues of over $500 million in the previous fiscal year and requires those entities to publish a biannual climate-related financial risk report. To minimise the compliance burden, SB 261 allows this reporting requirement to be fulfilled by using a comparable climate-related financial risk reporting framework (e.g., TCFD). Reporting requirements under SB 253 and 261 are expected to take effect in 2026. Many practitioners are awaiting regulatory guidance on certain key questions, such as the extent to which the rules apply to foreign parents with large California subsidiaries, what "doing business in California" means and how the revenue thresholds will be determined (e.g., gross or net basis). 

California has expanded its climate disclosure rules even further with AB 1305. The bill requires companies operating in California to provide substantiating information on their websites regarding voluntary carbon offsets and other climate-related claims. In particular, all entities that make any claims in California that they have achieved "net zero emissions," are "carbon neutral," etc. are required to publish "[a]ll information" documenting (i) how the claim was determined to be accurate or accurately accomplished, (ii) how interim progress is measured and (iii) whether there is independent verification of the company data and claims provided.

Statutorily, AB 1305 took effect from 1 January 2024. However, the author of the bill recently clarified his intention for the bill to become effective in 2025. In early January 2024, The California Assembly's Daily Journal published a letter of legislative intent to this effect, with unanimous consent for publication. As such letters may be used by courts as extrinsic aids in determining the intention of the Legislature, this suggests that the initial deadline for making disclosures pursuant to the bill may be extended to 1 January 2025.

Workforce and diversity disclosure rules

Environmental, Social, Governance ("ESG") regulation in the United States has also expanded beyond "E" to "S" and "G". Proponents of greater transparency for corporate board diversity scored a prominent win in October 2023, as the US Court of Appeals for the Fifth Circuit upheld Nasdaq's board diversity rule. The rule, approved by the SEC in 2021, requires that companies either (i) have at least one director who identifies as a member of at least one of a designated list of underrepresented groups (i.e., female, underrepresented racial or ethnic minority or LGBTQ+) or (ii) provide an explanation for why this is not the case. The rule also requires companies to make an annual disclosure regarding how many board members identify as belonging to each underrepresented category.  While the petitioners have filed a motion for a rehearing en banc of the decision in the Fifth Circuit, the Fifth Circuit's October 2023 decision is still expected to reinforce the SEC's own rulemaking plans, with a proposal on board diversity disclosure expected to be released around April 2024. 

The SEC has also signalled a desire to expand the breadth of its workforce disclosure requirements. In September 2023, the SEC's Investor Advisory Committee unanimously recommended that the SEC propose a rule requiring public companies to provide additional workforce data, including their labour costs, the total number of full-time, part-time, and contingent workers employed by a company, turnover data and more. The underlying rationale for the recommendation is that additional workforce data will enable investors to properly assess the value of a company. 

On 26 July 2023, the SEC adopted rules requiring public companies to disclose material cybersecurity incidents and certain information regarding their cybersecurity risk management, strategy and governance. Under the final rules, foreign private issuers ("FPIs") are required to furnish on Form 6-K information on material cybersecurity incidents that they disclose or otherwise publicise in a foreign jurisdiction, to any stock exchange or to security holders. They are also required in their annual report on Form 20-F to (i) describe the board of directors’ oversight of risks from cybersecurity threats and (ii) describe management’s role in assessing and managing material risks from cybersecurity threats. Upcoming annual reports on Form 20-F to be filed in 2024 (for fiscal years ending on or after 15 December 2023) will be required to include the new disclosures.

Disclosure of cybersecurity incidents

The final rules amend Form 6-K to add “material cybersecurity incidents” as a reporting topic. However, consistent with other Form 6-K disclosure items, FPIs are only required to disclose cybersecurity incidents on Form 6-K to the extent that they are required to disclose such incidents in their home jurisdiction or otherwise make the information available to security holders. As a result, existing home-country obligations under market abuse or similar rules will continue to primarily govern the cybersecurity reporting requirements of FPIs. However, the SEC’s guidance for what may constitute a “material” cybersecurity incident for a US domestic company under Form 8-K will likely help an FPI assess whether a cybersecurity incident would trigger disclosure in their home market. This may particularly be the case if an FPI’s peers or competitors who are US domestic companies report their cybersecurity incidents in accordance with the SEC’s new rules under Form 8-K. The amendment to Form 6-K became effective on 18 December 2023.

Disclosure of cybersecurity risk management, strategy and governance

Under the final rules, FPIs are required to make certain disclosures on Form 20-F regarding cybersecurity risk management, strategy and governance. This requirement mirrors the standard set forth under Item 106 of Regulation S-K for US domestic companies.

1. Risk Management and Strategy.
   Under Regulation S-K Item 106(b), disclosure is required to describe the company’s processes, if any, for assessing, identifying and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. A company should address, as applicable, (i) whether and how the described cybersecurity processes have been integrated into the company’s overall risk management system or processes; (ii) whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and (iii) whether the company has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider. A company is also required to describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations or financial condition and if so, how.
    
2. Governance.  
   Under Regulation S-K Item 106(c)(1), companies are required to describe the board of directors’ oversight of risks from cybersecurity threats, and, if applicable, identify any board committee or subcommittee responsible for such oversight and describe the processes by which the board or such committee is informed about such risks. Under Regulation S-K Item 106(c)(2), companies are required to describe management’s role in assessing and managing the company’s material risks from cybersecurity threats. Item 106(c)(2) provides the following non-exclusive list of potential disclosure items:

• Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise;
• The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and
• Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

Practical considerations

Companies should evaluate whether it would be appropriate to implement changes in how they handle cybersecurity matters. For example, companies should consider whether they have employees or consultants with adequate knowledge and experience to determine if there are sufficient safeguards in place, whether they currently have mitigation plans that can be readily implemented, and whether sufficient information is being reported to the board of directors for them to oversee cybersecurity matters. While the SEC asserts that it does not seek to influence whether and how companies manage their cybersecurity risk, the new rules highlight the importance of maintaining a comprehensive cyber risk management program. Companies going through the SEC registration process or review of periodic/current reports should also expect to get staff comments on cybersecurity issues.

In 2023, the SEC continued to aggressively pursue bad actors in the cryptocurrency industry. In an apparent strategy of "regulating via enforcement," the SEC brought over twenty civil actions regarding cryptocurrency assets in 2023, addressing issues ranging from massive fraudulent schemes to undisclosed celebrity endorsements.

Following the high-profile charges filed against cryptocurrency exchange FTX in 2022, the SEC continued to implement a broad application of the Howey Test. The Howey Test is a judicial standard used to determine whether an asset, such as a cryptocurrency token, is considered a security and, as a result, subject to registration and regulation under the US Securities Act of 1933. In 2023, the SEC alleged that five cryptocurrency exchanges sold unregistered securities on their respective platforms, including the operator of the world's largest cryptocurrency asset trading platform. The SEC's charges against the operator resulted in a guilty plea by the company's former CEO and an order to pay a substantial fine of $4 billion. The SEC also charged a cryptocurrency exchange with operating as an unregistered securities exchange, broker and clearing agency, in addition to operating an unregistered offer and sale of securities in connection with their staking-as-a-service program. The charges are currently being litigated, with the classification of tokens as securities in this context remaining at issue.

The SEC also targeted noncompliance in the cryptocurrency asset intermediary space.  Cryptocurrency intermediaries commonly provide a combination of securities services that are typically kept separate, such as broker-dealing and custodial and clearing functions. This consolidation introduces conflicts of interest into the market and increases the risk profile for investors. For example, a cryptocurrency asset trading platform acted simultaneously as a broker, exchange and clearing agency without registering any of these functions with the SEC. The SEC alleged that the platform also coordinated with issuers to conceal suspect statements from regulator discovery, in a business model that Gurbir S. Grewal, Director of the SEC's Division of Enforcement, referred to as "combin[ing] multiple market intermediary functions under one roof to maximize profits." The platform agreed to settle the claims and paid a considerable fine of $24 million.

As we enter 2024, regulation of cryptocurrency continues to be a hot topic. However, some optimism has emerged for cryptocurrency players hoping to decelerate the broad classification of cryptocurrencies as securities. Bolstering a positive outlook for cryptocurrency is the recent SEC approval of the first spot bitcoin exchange-traded funds ("ETFs"), with 11 ETFs being approved from sponsors such as Fidelity and Investco. This development is expected to unveil a new stage for bitcoin, as US investors will be able to trade in bitcoin as a regulated product, rather than being only able to do so through unregulated exchanges or ETFs that invest in bitcoin futures. Increased clarity on regulation of cryptocurrency may also come in 2024. A market-structure bill that would define the cryptocurrency oversight roles of both the SEC and the Commodity Futures Trading Commission has been proposed in Congress and has progressed through the initial stages of the legislative process, though a substantial path still exists to it becoming law. Regulatory clarity also may emerge through the judicial process, as Coinbase has filed a December 2023 petition to have a court review the SEC's denial of their request for a specified set of rules for the cryptocurrency sector. 

In October 2023, the SEC adopted amendments to update the beneficial ownership reporting rules for major shareholders of public companies. Under Regulation 13D – G, market participants who own more than 5% of a voting class of equity securities registered under the US Securities Exchange Act of 1934 ("Exchange Act") must publicly file a long-form beneficial ownership report on Schedule 13D or a short-form report on Schedule 13G. In adopting the amendments, the SEC intended to have market participants provide more timely information on their shareholding positions to meet the needs of investors in today’s fast-paced financial markets. 

The most significant rule changes to Regulations 13D and 13G are the accelerated filing deadlines. The SEC shortened the deadlines due to changes in technology and developments in the financial markets which have rendered the old deadlines outdated. For Schedule 13D filers, the initial filing deadline is shortened from 10 days to five business days, while amendments need to be filed within two business days rather than promptly. With respect to Schedule 13G filers, the initial filing deadline for (i) qualified institutional investors and exempt investors is generally shortened from 45 days after the end of a calendar year to 45 days after the end of the calendar quarter in which the investor beneficially owns more than 5% of the covered class; and (ii) passive investors is shortened from 10 days to five business days. Amendments to a Schedule 13G filing needs to be filed 45 days after the calendar quarter in which a material change occurred rather than 45 days after the calendar year in which any change occurred. 

In a welcome move, on 30 October 2023, the SEC granted exemptive relief from Rule 15c2-11 under the Exchange Act for fixed-income securities sold in compliance with Rule 144A.

Rule 15c2-11 sets out certain requirements for US broker-dealers seeking to initiate (or resume) quotations for securities trading in the US over the counter ("OTC") market, also known as the "pink sheets". Historically the rule applied only to equity securities that trade in the pink sheets. In 2020, however, the SEC amended Rule 15c2-11 to require, among other things, that the documents and information that a broker-dealer reviews to provide or resume quotations generally must be current and publicly available. In December 2021, the SEC staff issued a no-action letter that affirmed the application of Rule 15c2-11 to debt securities but established a compliance regime over three phases to allow for an orderly and good faith transition to compliance. In response to continued concerns raised by market participants, the SEC staff issued another no-action letter in November 2022 delaying implementation of amended Rule 15c2-11 by two years. Without this exemptive relief, the new interpretation would have applied to Rule 144A fixed-income securities from 4 January 2025.

The SEC’s grant of exemptive relief allows issuers of Rule 144A fixed-income securities to continue providing relevant information directly to holders and prospective purchasers of those securities, often through password-protected data rooms, rather than making the information publicly available. The relief granted by the SEC should address significant concerns raised by market participants that the application of Rule 15c2-11 to Rule 144A fixed income securities would impair the liquidity and pricing of those securities (and the ability of issuers to raise capital through private placements over time) if private company issuers were not willing to make relevant information publicly available. 

In March 2022, the SEC proposed rules and amendments which aimed to enhance disclosure and investor protections with regards to US public offerings by SPACs and shell companies, as well as the use of financial projections in those offerings with a major emphasis on de-SPAC transactions – the M&A transaction that follows a SPAC IPO. The SEC adopted the final rules by a 3-2 vote on 24 January 2024. The final rules will become effective 125 days after publication in the Federal Register, which publication is expected to occur promptly.

The final rules, among other things: (i) require additional disclosures about SPAC sponsor compensation, conflicts of interest, dilution, the target company, and other information that is important to investors in SPAC IPOs and de-SPAC transactions; (ii) require the target company in a de-SPAC transaction to be a co-registrant with the SPAC and thus assume statutory liability for the disclosures in the registration statement filed in connection with the de-SPAC transaction; (iii) clarify that a de-SPAC transaction is considered a "distribution of securities" to the SPAC's existing shareholders; and (iv) make the liability safe harbor under the Private Securities Litigation Reform Act of 1995 (PSLRA) for forward-looking statements, such as financial projections, unavailable for de-SPAC transactions.

Notably, the SEC declined to adopt proposed Rule 140a which would have established that anyone who acts as an underwriter in a SPAC IPO and takes steps to facilitate a de-SPAC transaction would be subject to liability as a statutory underwriter. In the adopting release, the SEC instead issued general guidance on the concept of "underwriter" and confirmed there would be an "underwriter" present in a de-SPAC transaction where an entity sells for the issuer or participates in the distribution of securities in the combined company to the SPAC's investors and the broader public. As a result, statutory underwriter liability could apply in a de-SPAC transaction, depending on the facts and circumstances, even where there is no entity accepting securities for the issuer with a view to resell the securities to the public (as is the role of an underwriter in a typical IPO).

The SEC also decided not to adopt proposed Rule 3a-10 which would have provided SPACs with a safe harbor from the definition of "investment company" under the Investment Company Act. Instead, the question of whether a SPAC is an investment company requires a facts and circumstances analysis. 

In December 2023, the SEC's Fall 2023 Regulatory Agenda was published, which sets out the short- and long-term regulatory actions that the SEC plans to take. Among other topics, the agenda indicates the proposed date for proposed amendments to the private placement exemptions provided under Regulation D of the Securities Act.

The SEC's proposed amendments to Regulation D will likely include updates to the definition of "accredited investor" and to the information furnished on Form D to improve protections for investors. 

SEC Commissioner Caroline Crenshaw's speech in January 2023 provides some insight into possible reforms. One of Crenshaw's key concerns is that, although Regulation D was meant to "facilitate access to capital by small businesses" by having a less intensive disclosure regime, many large issuers have taken advantage of this regime and benefit from insufficient regulatory obligations relative to their size. In response, Crenshaw proposed (i) revising Form D to, among other changes, expand the information required to be reported on the publicly filed form and (ii) making a two-tiered disclosure system that requires more information from more mature private issuers and larger private offerings. The proposed amendments to Regulation D are expected in April 2024.