Article

SEC 2021 exam priorities: climate change, ESG and cybersecurity

March 12, 2021

On March 3, 2021, the Securities and Exchange Commission’s Division of Examinations (the “Division”) released its 2021 examination priorities. The Division publishes its examination priorities annually to provide insights into its risk-based approach, including areas that present potential risks to the U.S. capital markets. Examination priorities affect all firms regulated by the SEC, including issuers, broker-dealers, mutual funds, municipal advisers and others.

This year the Division is enhancing its focus on climate change and Environmental, Social and Governance (“ESG”)-related risks, particularly its review of proxy voting policies and firms’ business continuity plans. In addition, the Division is reemphasizing its continued focus on information security and operational resiliency. As climate-related events become more frequent and more intense, the Division is focused on business continuity and disaster recovery plans, particularly for systemically important registrants, but all firms must diligently plan and prepare for the disruptive effects unforeseen events may have on business operations.

It is worth noting that despite its recent focus on ESG, the SEC has not adopted ESG-specific guidelines and has left ESG reporting largely voluntary, except to the extent certain aspects of ESG information are relevant to existing reporting requirements. However, on March 4, 2021, the day after the announcement of the Division’s examination priorities, the SEC’s Division of Enforcement announced the creation of a Climate and ESG Task Force, which will initially focus on identifying any material gaps or misstatements in issuers’ disclosure of climate risks under existing rules. The lack of specific guidelines or a consistent reporting framework presents a unique risk for reporting entities, as investors and other stakeholders increasingly demand such disclosures. Notably, ESG perception can have a direct impact on a firm’s stock price or its ability to successfully access the capital markets. Accordingly, implementing a process for identifying and measuring ESG risks affecting the organization, including methods of reporting them internally and externally, becomes more critical each day. 

On information security, the SEC will continue to focus on cybersecurity issues, with particular attention to customer data protection, disclosure of material cybersecurity risks and incidents and compliance with obligations under the federal securities laws. Implicit in a firm’s ability to make timely disclosures are disclosure controls. These controls must provide an appropriate method of discerning the impact that cyber risks may have on the organization, and on its financial condition and results of operations.