For companies’ compliance professionals, addressing these requirements promptly is imperative, particularly given the unpredictable nature of enforcement timelines. To navigate this landscape effectively, strategic and efficient action is essential.

In this rapidly changing regulatory environment, organizations must implement a comprehensive approach to compliance. A variety of corporate functions are essential to ensure proper compliance management, including on-boarding, auditing, investigations, and several other activities. Additionally, companies’ technology departments play a crucial role in maintaining institutional operations by ensuring that coding and software effectively address relevant issues.

For compliance professionals, this involves incorporating AI into your toolkit at appropriate stages in the compliance process.

Leveraging AI for compliance

To fully leverage the advantages of AI, it is essential for compliance professionals to seek out customizable platforms or tools that meets their departments’ specific requirements and provides the necessary infrastructure for future applications. AI compliance tools are engineered to assist organizations in adhering to regulations and best practices when deploying AI. These tools can automate tasks, analyze data to identify potential risks, and offer real-time alerts for regulatory changes. Common applications of these tools include risk management, compliance monitoring, reporting, and more commonly, aligning with best practices.

Indeed, some key reasons for using AI in regulatory compliance include:

Efficiency, speed & accuracy through automation — AI can efficiently process extensive data sets, crucial for meeting regulatory demands that require comprehensive documentation and timely analysis. AI tools can improve precision by adhering to established rules more consistently, ensuring accurate and dependable compliance. By automating routine tasks, AI frees up time for compliance professionals to concentrate on complex decision-making and strategic planning, which is particularly advantageous in sectors with intricate regulatory frameworks.

Data analysis & predictive analytics — AI excels in identifying data patterns and trends, aiding organizations in detecting compliance risks and areas for improvement. Through the analysis of historical and current trends, AI can forecast future compliance issues, enabling organizations to manage potential risks proactively.

Cost-effectiveness — The integration of AI for automating compliance procedures substantially lowers costs associated with manual inspections and audits by increasing individual productivity. The initial investment in review, setup, and training can be justified because employees will be eventually empowered to deliver output of a higher-quality and a greater quantity.

Adaptability — AI systems possess the capability to be updated in accordance with evolving regulations, ensuring ongoing compliance as laws and standards change. Modern AI systems specifically designed for regulatory compliance can be rapidly modified to incorporate new regulations, even lowering overall personnel training costs and time needed to get up to speed on new rules.

Enhanced monitoring — AI also facilitates continuous monitoring of activities and transactions, delivering real-time alerts and insights to maintain compliance. One of the most effective tools for regulatory compliance is real-time tracking and alert systems which can consistently monitor regulatory sources for updates and interpret changes immediately within the context of existing regulations. AI utilization in this process allows for the identification and notification of the most pertinent changes. Further, with advanced AI coding, the system can recommend policy updates in response to regulatory changes, thus providing additional support for compliance efforts.

Regardless of the reasons for investing in AI, it is crucial to allow corporate risk & compliance functions to allocate resources during these developmental stages. Going forward, AI will become increasingly complex and costly; yet to neglect with current technology undermines organizations’ future prospects for success.

Conclusion

As the regulatory landscape continues to evolve, it is imperative for organizations to adopt a proactive and comprehensive approach to AI-driven compliance management. By using AI to automate routine tasks, enhance data analysis, and provide real-time alerts, compliance professionals can better anticipate and mitigate their organizations’ potential compliance risks. And as institutions aim to align with best practices, integrating AI into their compliance processes ensures agility and responsiveness to regulatory changes, thereby safeguarding operations and preserving their competitive edge.

There is no indication that the rapid pace of executive orders and regulatory changes will decelerate. It is imperative that regulatory compliance is viewed by corporate management as a cost-saving measure rather than an expense. Candidly, this means that AI-driven regulatory compliance tools need to be a real investment for organizations to undertake.

You can find out more about how some companies are managing their compliance and risk here

This , which came out February 12, reflects a return to a more traditional approach regarding the shareholder proposal process. In addition, it is also a shift back to previous principles-based rulemaking that focus primarily on financial materiality, according to , Special Counsel at Sullivan & Cromwell. The guidance also signals a potential reversal of previous rules passed in 2021, which had allowed stockholder proposals with “broad societal impact.”

This move by the SEC has important implications for shareholder proposals that raise social and ethical issues because a company could choose to exclude a proposal based on economic relevance of the stockholders who are supporting a proposal, according to Hu. Indeed, this new guidance essentially reverses the SEC’s 2021 action that allowed proposals touching on “broad societal significance” to bypass the ordinary business exclusion.

The 2021 action allowed such shareholder proposals to go forward based on two considerations: i) whether the proposal addresses issues essential to the management’s daily operation of the company and which makes it impractical for shareholders to directly oversee these matters; or ii) whether the proposal excessively controls or interferes with the company’s management processes.

Impact of this new SEC guidance on ESG

The effect of the ordinary business exclusion and the evaluation of shareholders’ economic relevance is expected to lead to , including those related to environmental, social & governance (ESG) and anti-ESG issues, according to analysis by Sullivan & Cromwell. In particular, the ordinary business exclusion emphasizes the need for a company-specific materiality analysis when determining whether shareholder proposals can be excluded from proxy materials. As a result, this shift is widely expected to make it easier for companies to exclude shareholder proposals from their proxy statements, particularly those related to ESG and political policies.

In addition, the return to principles-based and mandated reporting on financially material matters has two important implications for companies and their ESG reporting:

Strengthened separation of financial and sustainability data — This SEC guidance strengthens the likelihood that financial material information will be the sole focus of SEC filings and that non-financially significant information, like specific ESG disclosures, might be relocated to sustainability reports rather than being included in SEC filings, according to Hu. This distinction could help streamline SEC documents and makes sure that they remain focused on financial data relevant to investors.

Distinction between financial and sustainability reporting timelines — Before this new guidance, some companies were moving toward the simultaneous release of their annual financial reports and sustainability reports. This was a challenge for companies because “the reliance on third-party data, especially for Scope 3 emissions, presents hurdles in timely and accurate reporting,” Hu states. However, the focus now on principles-based reporting of financially impactful information ensures that the timelines are likely to remain different.

What should companies do now?

To navigate this murky environment, Hu advises companies to seek legal counsel to ensure compliance and strategic alignment with the evolving regulatory environment. In addition, companies should:

Monitor legal requirements — Make sure legal requirements are the foundation for their disclosures and decision-making processes. A company-specific materiality assessment is crucial in determining what issues are financially material and significant to the company’s business model, and thus, to shareholders.

Focus on principles in disclosures — Ensure that all filings align with the SEC’s principles-based approach to disclosure. Companies should focus only on financial information in their SEC filings and reserve other information for sustainability reports or other documents that cater to a wider stakeholder base.

Balance risks and benefits regarding what information to include in SEC filings — Hu also recommends that companies should conduct a cost-benefit analysis of disclosure placement and consistency. This means considering the potential risks and benefits of including certain information in their SEC filings rather than in other reports. By taking a thoughtful and company-specific approach to disclosure, companies can navigate the evolving regulatory landscape and make strategic decisions that align with their mission and the expectations of their stakeholders.

Caution is warranted on the horizon

Once fully staffed, the SEC will likely consider changes to existing rules around shareholder engagement. Likewise, Hu said she also expects the SEC to scrutinize those actions recommended by proxy advisors as signals for the proxy season’s voting patterns, particularly on proposals related to diversity, equity, and inclusion (DEI), especially as some companies narrow their activities in this area. However, it is a little early to know the impacts, she adds.

Either way, companies must proceed with caution and strike a balance between investor expectations and regulatory requirements, while primarily focusing on issues that are significant to their specific business model and bottom line.

You can find out more about how the Securities and Exchange Commission is managing the current regulatory environment here

Further affirming this promise, Trump issued an to establish a cryptocurrency working group, which was tasked with proposing new regulations for digital assets and exploring the creation of a national cryptocurrency reserve, thereby continuing the pledge to swiftly reform the country’s cryptocurrency policy.

As a part of the new administration, Mark Uyeda, the new Acting Chair of the U.S. Securities and Exchange Commission (SEC), announced plans to to develop a comprehensive and clear regulatory framework. The primary objective of the task force will be to assist the Commission in establishing clear regulatory boundaries, providing realistic paths to registration, crafting sensible disclosure frameworks, and deploying enforcement resources judiciously. The overarching goal is to transition from what has been termed regulation by enforcement to a more structured regulatory approach.

What will be the regulatory approach?

Looking forward, it will be necessary to establish a regulatory framework for cryptocurrencies that could be similar to that of the banking industry. It is probable that the SEC, as opposed to the Commodity Futures Trading Commission, will emerge as the final regulator for this sector. Such a regulatory structure would offer the advantage of clearly defining the role and significance of cryptocurrencies both within the United States and outwardly in other global economies.

You can learn more about cryptocurrencies’ role in US financial markets in the , available on YouTube

Recently, the SEC’s Division of Enforcement’s own Crypto Assets & Cyber Unit has been rebranded as its Cyber & Emerging Technologies Unit, with the aim of this rebranding seemingly focused more on fraud and retail use. This change continues with the SEC’s overall theme of inserting regulation early in the process rather than doing so by enforcement actions.

The current administration’s dynamic stance on cryptocurrencies signals a pivotal shift in the regulatory landscape. From President Trump’s assertive moves to establish a cryptocurrency-friendly environment to the proactive measures by the SEC and the U.S. Senate Banking Committee, it is evident that cryptocurrency is poised to become a fundamental component of the financial system. However, the juxtaposition of regulatory clarity and the inherent risks of digital assets necessitates a balanced and thoughtful approach. As we advance, it is imperative to construct a robust framework that fosters innovation while safeguarding the integrity and security of the nation’s financial ecosystem.

Sen. Tim Scott (R-SC), Chairman of the Banking Committee, delivered the for the Committee’s hearing on Investigating the Real Impacts of Debanking in America. In his address, Scott emphasized that the use of cryptocurrency and other digital assets in banking is fundamental to participating in a free and fair society. This suggests an intention to limit financial institutions’ ability to de-bank or de-risk based on digital currency usage.

While this notion appears advantageous, it raises several concerns regarding the future of cryptocurrency. Additionally, there was minimal discussion on the use of cryptocurrencies in illegal activities and the associated risks. As a former chief of the SEC’s Office of Internet Enforcement once noted: “Every single crime you can conceive of is easier to do now because of crypto.” Thus, it would seem imprudent to proceed with improperly regulated cryptocurrency while simultaneously attempting to de-risk it.

Is crypto the future?

The indication is clear that decentralized finance, particularly cryptocurrencies, will be a significant trend in the future. In this context, it is essential to acknowledge that the US will play a crucial role in establishing a regulatory framework around this asset. Given the stance of the current administration, a comprehensive reassessment of the previous regime’s actions is necessary to ensure an optimal position for implementing regulations.

A hint of foreshadowing can be observed in the joint submission of — submitted by the SEC and Binance, the largest cryptocurrency exchange in terms of daily trading volume — to stay the regulator’s lawsuit against the cryptocurrency exchange. While, this joint filing references the potential influence of the recently established SEC task force, it also underscores a shift in the economic sphere, shown by the judge granting a in the lawsuit. Indeed, it is likely that there will be a change in regulation significant enough to settle this lawsuit within the 60-day stay that the court has granted.

Conclusion

It is clear that the current administration has decided to set itself apart from prior administrations in many ways, and crypto regulation is a very visible way to show the difference. Congress and the SEC along with other actors are poised to make crypto a fundamental part of the US financial system. In the not-so-distant future, the impacts of these new changes will become more apparent.

Nonetheless, the juxtaposition of regulatory clarity with the inherent risks associated with digital assets warrants a balanced and prudent approach. Moving forward, it is essential to develop a comprehensive framework that promotes innovation while ensuring the integrity and security of the financial ecosystem.

You can find more about the challenges and opportunities of cryptocurrency here

Financial regulatory impact

Trump has been an outspoken supporter of digital assets and cryptocurrencies. At a Bitcoin conference earlier this year, he promised to build a government stockpile of Bitcoin and to fire U.S. Securities and Exchange Commission (SEC) Chair Gary Gensler on the first day of his administration.

Although it may be up for debate whether Trump can actually fire Gensler, he can demote him from the chair position and designate a new chair. The likely replacement would be Republican Commissioner Hester Peirce or her Republican colleague, Mark Uyeda. Although Gensler could stay on for the remainder of his term as Commissioner through 2026, it is customary in such situations for chairs to step down with such a change in power in the presidency.

Crypto is a big winner

Bitcoin prices spiked to an all-time high on election night above $75,000 as the outcome of the election unfolded, and the US stock market exploded the morning after the election, clearly indicating some investors were very bullish on the Trump win.

And perhaps the most notable race beyond the Trump victory that is relevant to financial services regulation, occurred in the Ohio U.S. Senate race in which Sen. Sherod Brown (D-Ohio), Chair of the powerful Senate Banking Committee, lost his race. Brown has been an outspoken critic of crypto-assets and a close ally of Gensler. The crypto industry targeted Brown, raising an estimated $40 million through various political action committees and contributions for his victorious opponent, Bernie Moreno, a businessman from Ohio.

However, Sen. Senator Elizabeth Warren (D-Mass.), a staunch crypto critic, easily won a third term, defeating pro-crypto candidate John Deaton. With the Democrats losing control of the Senate and Brown’s defeat, however, Warren stands to be the next ranking member of the Senate Banking Committee.

Sustainable investingĚý& deregulation

Trump’s presidency is set to have profound implications for sustainable investing. A cornerstone of his campaign promises includes rolling back green regulations that currently hinder oil and gas drilling and coal mining. If enacted, these deregulatory measures could significantly boost shares in traditional energy sectors, reversing the gains made under the Biden-Harris administration’s climate policies.

Trump also has expressed a firm intention to rescind all unspent funds under the Inflation Reduction Act, a landmark climate law from the Biden-Harris administration. This act encompasses hundreds of billions of dollars in subsidies for electric vehicles, solar power, and wind energy. The rollback of such funds could stymie growth in renewable energy sectors, although comprehensive changes would likely necessitate congressional approval. It’s worth noting that several Republican lawmakers have shown support for parts of the Inflation Reduction Act, indicating potential resistance within Trump’s own party.

Broader economic implicationsĚý

A Trump presidency is expected to foster a more protectionist trade environment. His previous tenure was marked by trade wars, particularly with China, which saw tariffs imposed on a range of goods. Renewed trade hostilities could disrupt global commerce, create supply chain bottlenecks, and increase costs for consumers and businesses alike. The ripple effects would be felt globally, with economies closely tied to US trade policy bearing the brunt.

The regulatory landscape under Trump is also expected to see significant shifts. Deregulation would be a key theme, affecting sectors from energy to finance. While this might spur short-term economic growth by reducing compliance costs for businesses, it could also lead to longer-term risks such as environmental degradation and financial instability. The rollback of regulations designed to mitigate climate change could have severe environmental consequences, while less stringent financial oversight might increase the likelihood of market excesses and crises.

You can hear the recent Thomson Reuters Institute Insights podcast about on Spotify here.

On the fiscal front, Trump’s proposed tax policies could lead to substantial changes in the US economy. Tax cuts, particularly for corporations and high-income earners, might stimulate investment and economic activity; however, these measures could also exacerbate income inequality and increase the federal deficit, leading to potential long-term economic challenges.

Individual industry sectors could also see various impacts. The energy sector, for example, stands to gain significantly from Trump’s proposed policies. Rolling back regulations on oil, gas, and coal industries would likely lead to increased production and profitability. However, this could come at the cost of environmental sustainability and could slow the transition to renewable energy sources.

In the technology sector, the outcome could be mixed. On one hand, deregulation might benefit tech companies by reducing operational constraints; but on the other, increased tariffs and trade tensions with key markets like China could disrupt supply chains and affect profitability.

Further, Trump’s stance on healthcare could lead to attempts to dismantle or alter the Affordable Care Act. This could result in significant changes in healthcare coverage and costs, impacting both consumers and providers. The pharmaceutical sector might benefit from deregulation, but broader healthcare access issues could arise.

°ä´Ç˛Ôł¦±ôłÜ˛őľ±´Ç˛ÔĚý

Even though no one can predict the future for certain, the election of Donald Trump is set to bring profound changes to the economic and regulatory landscape of the United States. Emerging markets, sustainable investing, and various sectors will all feel the impact of his policies. While some industries might benefit from deregulation and tax cuts, the broader implications could include increased market volatility, environmental risks, and challenges to global trade dynamics.

As we look ahead, it is crucial to consider these potential outcomes and prepare for the complexities and opportunities they present. The economic and regulatory shifts under a Trump administration will undoubtedly shape the global landscape in significant ways, demanding careful analysis and strategic response from businesses, investors, and policymakers alike.

Additional reporting for this post was supplied by dispatches from Todd Ehret of Regulatory Intelligence

The new pilot program, announced in April by the DOJ’s criminal division, explicitly offers to forego prosecutions for individuals who cooperate with investigations into wrongdoing at their employer. It builds upon earlier efforts to credit companies for voluntarily reporting internal misconduct.

The Pilot Program on Voluntary Self-Disclosure for Individuals offers non-prosecution agreements (NPAs) to individuals who proactively provide original information to the DOJ’s criminal division concerning specified types of corporate criminal misconduct. “Receiving such information will help us investigate and prosecute criminal conduct that might otherwise go undetected or be impossible to prove, and will, in turn, further encourage companies to create compliance programs that help prevent, detect, and remediate misconduct and to report misconduct when it occurs,” the DOJ stated inĚý.

Experts said the program will raise the bar for companies by offering NPAs to participants in misconduct, a key distinction from earlier policies.

“This marks the first time a DOJ program has explicitly offered to forego prosecution of an individual in exchange for their cooperation against a company,” the law firm Paul Weiss said in anĚý.

Targeting certain violations

Although the program applies broadly to misconduct by any public or private company, it emphasizes corporate malfeasance at banks, investment funds, and healthcare providers. Specifically, the program targets violations that are:

• • • by financial institutions, their insiders or agents, including schemes covered by statutes related to money laundering, anti-money laundering, registration of money transmitting businesses, fraud, and fraud against or compliance with financial institution regulators
    • related to the integrity of financial markets undertaken by financial institutions, investment advisors, or investment funds; by or through public companies or private companies with 50 or more employees; or by any insiders or agents of any such entities
    • related to foreign corruption and bribery by, through, or related to public or private companies, including violations of theĚý, theĚý, and anti-money laundering statutes
    • related to healthcare fraud or illegal healthcare kickbacks by or through public companies or private companies with 50 or more employees

Experts noted that the DOJ program complements other regulatory efforts to encourage whistleblowers to provide information that could help expose corporate misconduct.

“These whistleblower programs supplement existing programs with other enforcement authorities, such as the [Securities and Exchange Commission],” said law firm Wilmer Hale in a note to clients. “We expect to see continued attention on and incentives for whistleblowers, not just from the DOJ but also from other enforcement authorities.”

Retaliation problem with internal whistleblowing programs

Recent studies have pointed to deficiencies in corporate whistleblowing programs that encourage employees to come forward when witnessing behavior that puts their organization at risk. A major hurdle has been the risk of retaliation against employees.

±·±đ·ÉĚýĚýin January showed that corporate whistleblowers who report through internal channels face higher rates of retaliation than those who report to the government. The study, which examined eight years ofĚýwhistleblower retaliation cases under the Dodd-Frank ActĚýandĚýthe Sarbanes-Oxley ActĚý(SOX), found that more than 90% of the retaliation cases involved internal whistleblowers, the authors said in anĚý.

“These findings are of particular importance in light of Congressional efforts to amend the Dodd-Frank Act to extend anti-retaliation protections for internal whistleblowers. They also validate the importance of regulations by the Ěý(SEC) andĚýĚý(CFTC) that explicitly do not require whistleblowers to make internal reports prior to qualifying for a reward under the Dodd-Frank,” the authors said.

Compliance programs need review

With regulators and enforcement authorities coaxing employees to disclose corporate wrongdoing amid persistent retaliatory threats at many organizations, corporations would be wise to review their compliance policies, experts said.

“The probability of detection for wrongdoers continues to increase with this program and the other federal bounty programs,” said , an attorney at , a law firm that helps corporate whistleblowers. “Responsible organizations would be wise to redouble their efforts to create a culture where people blow the whistle internally. And, where violations have occurred, smart companies will self-report to federal law enforcement and regulatory organizations — before it is too late.”

Other firms offered similar advice. Since the DOJ program will cover a range of potential misconduct, including fraud and bribery, “companies should consider reviewing and updating their whistleblowing policies and procedures (or adopting them if needed),” Paul Weiss told clients. “These policies and procedures should address the assessment and prompt internal investigation of allegations of misconduct, as well as non-retaliation against whistleblowers (and avenues for whistleblowers to seek recourse in the event there is retaliation).”

Additionally, companies should consider developing a clear framework to encourage and guide the prompt internal reporting of potential violations. Such frameworks position firms to determine whether, when, and how to be first in the door to self-report potential violations.

You can here.

To better examine this situation, Reuters Events has published a new report, , in which we surveyed more than 3,000 corporate sustainability professionals. Most interestingly, respondents underscored the fact that there is no one-size-fits-all platform in existence today. Instead, practitioners are seeking a suite of tools and services — ranging from internal data analysis tools to more advanced solutions like predictive analytics — that can help them meet sustainability reporting demands.

Most useful tools today seen as waning in future

Today’s most popular tools and technologies include internal data analysis solutions, emissions accounting/estimation solutions, and supplier surveys and audits — which were ranked first, second, and third, respectively, in our investment rankings this year. These are followed closely by management platforms for environmental, social & governance (ESG) data. Combined, these four tools could be considered critical elements to any sustainability reporting function, given the tools’ capability to source, collate, store, and interpret the data required.

What is interesting is that internal data analysis solutions in particular falls from the most popular technology among respondents in our survey, to the 15^th most popular tool — or to put it differently, the second-least popular tool — when we asked respondents to predict their investment for 2027. Meanwhile, emissions accounting solutions fell from the second-most popular to eighth-most popular choice.

One technology among our top four that bucked this trend is ESG data management platforms, which rose to become our most-popular technology by investment mentions for 2027. This is also further supported by trends identified in the rise of third-party platforms for data storage, suggesting that such platforms will continue to rise in importance among sustainability practitioners in the coming years.

Technology tools of tomorrow seen as rising in priority

AI and blockchain to see increase in investment — The technology to see the biggest increase in investment sentiment is artificial intelligence (AI) for use in materiality assessments, which becomes our second-most popular technology for investment in the next three years. It is unsurprising to see an anticipated fast rise of AI in the use of materiality assessments because of the necessity of such assessments for compliance with legislation and reporting directives such as the European Union’s Corporate Sustainability Reporting Directive (CSRD), with the technology promising to automate laborious and resource-intensive practices. Likewise, given the necessity for accurate supply chain data for Scope 3 emissions reporting, there is a clear use case for blockchain technologies to verify what can be difficult-to-source data.

GenAI expected to have a significant impact — While not included in our suite of technologies, we asked respondents separately what kind of an impact generative AI (GenAI) may have on their sustainability reporting capabilities. Last year saw a surge in interest in GenAI for a multitude of business cases, and sustainability reporting is no different. In our survey, more than two-thirds (67%) of respondents said they expect GenAI to have a material impact on their sustainability reporting.

Most effective and easy to implement tools

We also set out to better understand the overall experience of today’s technologies, exploring how sustainability practitioners regarded tools in terms of their effectiveness and ease of implementation. Across both metrics, sensors and smart meters for data collection scored highest. And while their overall use case may be limited to collecting very specific data, they do so efficiently and are comparatively easy to implement.

ESG data management platforms scored highly for efficacy, but comparatively poorly for ease of implementation. Respondents said the technology suite helped in ensuring the completeness of data required and provide better data management controls. “[They] allow us to collect, manage, and analyze ESG data internally and externally to create goals, and track our progress towards those goals,” one survey respondent said. However, the complexity in the supply chain where what was described as a “myriad of ESG issues” can arise meant systems can require simplification.

Emissions accounting solutions, while considered a relatively critical technology given its position near the top of our investment rankings, scored distinctly close to our average for both efficacy and ease of implementation. Respondents highlighted that while there was high confidence in their calculations given automation and a reduced chance of human error, a lack of primary data means some reports may not be as accurate as needed.

Understanding the barriers to investment

Survey respondents also cited internal, external, and technological factors as barriers to investment. Internal factors were most commonly mentioned, cited by 56% of respondents, while technological and external factors were cited by 41% and 18% of respondents respectively. (Respondents were allowed to cite a number of different barriers to investment.)

Across all barriers, the most commonly cited barrier was the limited access to capital or budgetary constraints, cited by 16% of respondents. When combined with the 15% of respondents who cited high costs of implementation (which we have included within the technological bracket), cost-related issues become a clear barrier to investment for many sustainability practitioners today.

While this is not surprising, it is clear that sustainability professionals need to be judicious in prioritizing their suite of tech tools and become more sophisticated in outlining their expected return on investment. Guidance for procuring these tools for effective collaboration cross-functionally with the company’s IT function and other partners is essential. Likewise, inserting sustainability into core financial workflows, such as , could assist practitioners in overcoming barriers to gaining buy-in from the organization’s CFO or other individuals who control the budgets.

You can download a copy of the Reuters Events research report, , here.

These regulations mandate publicly traded companies to promptly disclose cybersecurity incidents within four business days of identifying their materiality, alongside reporting on their cybersecurity risk management and governance procedures. This move by the SEC underscores the imperative for businesses to actively manage and report cybersecurity incidents, despite the intricate and firm nature of the .

However, businesses also must address a major issue that the SEC did not discuss in its ruling: the impact of generative artificial intelligence (GenAI) on their cybersecurity functions.

A notable step forward

These regulations mark a notable stride towards enhanced accountability and transparency in addressing cybersecurity risks and incidents. Companies are urged to revisit and enhance their disclosure protocols, conduct thorough cybersecurity risk evaluations, establish comprehensive incident-response strategies, invest in cybersecurity infrastructure and training, and institute clear communication channels to ensure compliance with the new mandates. Although these requirements may seem substantial, businesses should already be prioritizing safeguarding their operations, regardless of regulatory directives from the SEC.

The prevalence of data breaches has been on an upward trajectory for several years, with no sign of abating. For example, , in which tens of thousands of customers had their information compromised in a ransomware attack targeting Infosys McCamish Systems, one of the bank’s service providers, in November 2023. While notifications to customers began in February, potentially exceeding state-mandated notification deadlines, reports indicate that more than 57,000 customers were affected, with exposed data including addresses, names, Social Security numbers, dates of birth, and some banking details.

The pervasiveness of data breaches transcends industries and organizational sizes, inflicting millions of dollars in damages on US businesses. A single data breach’s average cost is $4.45 million, underscoring the pressing need for robust cybersecurity measures across all sectors.

New rules and new risks

The SEC’s cybersecurity disclosure rules, introduced in July 2023, have transformed how public companies must handle and disclose cybersecurity incidents. While the regulations are multifaceted, here’s what businesses must understand:Ěý

Swift, comprehensive incident reporting — Companies must now disclose “material cybersecurity incidents” within a strict four-business-day window after gauging the severity of the incident. This replaces the less specific “prompt” reporting standard that often caused delays. Companies must provide in-depth descriptions of the incident, including the attack’s nature, the systems compromised, the potential effects on business functions and finances, and the company’s response strategy.

Yearly disclosure of cybersecurity frameworks — Alongside incident reporting, companies are now obligated to reveal their cybersecurity risk management policies, governance structures, and incident response protocols in their annual reports. This mandate outlines how they evaluate and control material risks from cyber-threats, how their board and management oversee cybersecurity, and how these safeguards fit into the company’s broader risk management strategy.

Prioritizing investor protection — These regulations are designed to furnish investors with reliable, up-to-date insights into how companies tackle cyber-risks, fostering increased transparency and responsibility within the corporate world.

The cost of non-compliance — Although the SEC hasn’t yet outlined precise penalties for violating the new rules, their enforcement powers are far-reaching. Fines could reach up to $25 million alongside other disruptive actions like cease-and-desist orders or suspension-of-trading privileges. Even more concerning is the increased likelihood of lawsuits from investors or stakeholders if companies neglect to disclose material cybersecurity events. The SEC’s rules provide a strong basis for activist investors to challenge companies that fail to meet their obligations.

But what about GenAI?

The report is also notable for what it doesn’t address: the impact of GenAI. Businesses are increasingly adopting GenAI to do everything from customer service to website search. Yet, GenAI is vulnerable to more subtle forms of manipulation from bad actors, such as their ability to corrupt chatbots and AI-powered search to divulge private customer data or provide inaccurate information. The breaches can act like a slow leak in a tire; a business might not become aware of them for quite some time. And yet, the SEC cybersecurity disclosure rules do not address the potentially devastating impact of GenAI breaches.

GenAI cuts both ways, of course. On the plus side, GenAI offers potent tools to combat cybersecurity attacks and sharpen companies’ training abilities and even its SEC reporting. However, GenAI has to be actively managed, and companies should remember that human oversight remains vital throughout the process. This includes training the models to generate valid scenarios or report formats and continually verifying the outputs for quality. GenAI can even help with this, flagging potential oversharing in disclosures based on preset guidelines.

Beyond its failure to mention GenAI, the SEC’s new cybersecurity disclosure rules have had their fair share of critics. One major sticking point is the whole “materiality” issue and the tight reporting deadlines. Companies are expected to figure out if an incident is significant enough to report “without unreasonable delay” — then tell the SEC about it within four business days. That’s a tall order, considering it takes an average of 277 days to even spot and contain most breaches. How are companies supposed to accurately assess the scope of an attack that quickly, without potentially misreporting key details?

Then there’s the disclosure headache. Companies must walk a tightrope, providing enough information to satisfy the SEC while avoiding revealing so much that they put their security at further risk. It’s a delicate balance that leaves room for misinterpretation.

Even more concerning are the implications for public and national security. Some experts worry that rushing to disclose incidents could hinder investigations. The SEC’s rules do offer a loophole — the U.S. Attorney General can delay disclosure for national security or safety reasons — but this solution is considered cumbersome and limited.

Despite these criticisms, the rules are law. Companies now face the unenviable task of navigating these complexities as best they can. Indeed, the SEC’s disclosure rules should be seen not as a burden, but a catalyst for proactive cybersecurity improvement. Businesses that wait until mandatory reporting deadlines to address security are already operating from a position of risk — and waiting for the SEC to force your hand is a recipe for a future breach.

Company cybersecurity leaders should embrace the opportunity to improve now and stay ahead of the curve.

These new rules have noteworthy implications on climate risk, reporting, and corporate transparency. Despite the new rules facing significant litigation from various corporate interests, in-house legal departments should not delay in deploying resources to prepare to meet these regulatory requirements.

The reception to the SEC’s new climate disclosure rules has been varied. Many clients have expressed a sigh of relief that the rules were not as stringent as they could have been, particularly regarding the most burdensome aspects of reporting and compliance, according to , Partner at Eversheds Sutherland. However, the final rules are still comprehensive, necessitating significant effort and resources to comply. This sense of relief is balanced with an acknowledgment that while the most onerous proposals were not adopted, the remaining requirements are far from trivial.

The rules’ impact on reporting and timelines

A key aspect of the SEC’s final rules is the decision to omit mandatory Scope 3 emissions reporting — involving regulatory disclosures around vendors and suppliers downstream in the company’s supply chain. Instead, the SEC required disclosure of Scope 1 and 2 emissions only when they are deemed material. , aĚýClinical Professor at NYU’s Stern School of Business, an , and ethics expert, that the reporting exercise on emissions is less important than actually using the information to spur action that could reduce their impact on the planet.

While dropping the requirement for Scope 3 reporting is the most controversial aspect of the rule, Smith noted this decision will not affect every company equally, as many will be subject to other mandatory reporting obligations or will voluntarily report Scope 1, 2, and 3 emissions. Excluding Scope 3 emissions considerably alters an organization’s climate risk and reporting disclosure as it limits the completeness of reported data, potentially obscuring the full impact of an organization’s carbon footprint. As such, the market’s reaction to disclosures — or the lack thereof — will serve as an indicator of the significance of greenhouse gas (GHG) reporting data in investment decisions.

In-house legal departments should proactively assess the climate risk information available to them and not delay their preparation for disclosure until the pending litigation is complete.

The final requirements also differ significantly from the previous proposal that focused on the materiality threshold for disclosing Scope 1 and 2 greenhouse gas emissions, as well as for various disclosures related to climate risks and the transition to a lower-carbon economy.

Critics of the rule as written, such as the at Columbia University Law School, point out allowing companies and other third parties to conduct their own assessments of materiality enables companies to determine what information is material or immaterial and thereby results in less consistent information for investors. Supporters argue, on the other hand, that the SEC has long relied on companies to determine what information is material.

Another notable change in the final rules is the extension of the deadline for reporting disclosures, which now falls on the second quarterly Form 10-Q filing after each year’s end, allowing up to 225 days from the year’s end before disclosure is required. This extension aims to provide companies with more time to gather and verify their data, which is critical as the infrastructure for reporting is still developing. Accurate GHG reporting is crucial, as rushed or inaccurate reporting could mislead investors and result in legal action. The additional time granted should enable more accurate and complete disclosures.

The regulation also has the option for companies to disclose climate risk information in financial statement footnotes without adhering to a 1% threshold for financial impact. This represents a softer approach compared to the original proposal’s line-by-line analysis. Despite being less stringent, the requirement to disclose expenditures, losses, and capitalized costs resulting from severe weather events and other natural conditions at the 1% level remains a challenging task, according to Smith. It demands careful consideration, especially because such information will be subject to the audit process.

Preparing for disclosure amid pending litigation

Even with from the U.S. Court of Appeals for the 5th Circuit, SEC registrants remain subject to existing disclosure obligations regarding material information. (Most recently, a judicial panel for the 8^th Circuit Court consolidated at least nine lawsuits challenging the SEC’s climate rules.)

Given this state of flux, Smith advises in-house legal departments to proactively assess the climate risk information available to them and not delay their preparation for disclosure until the litigation is complete.

For some issuers, GHG emissions are required for 2025; and as such, the groundwork for adequate information infrastructure and data collection should begin immediately, regardless of the current legal uncertainties. It is also essential for companies to be prepared to respond to inquiries on climate-related issues from various parties, including corporate board members, investors, lenders, business partners. and consumers.

The reception to the SEC’s new climate disclosure rules has been diverse, with a mix of relief and acknowledgement of the comprehensive requirements. While some corporate leaders may have anticipated more stringent regulations, the final rules have been seen as a balanced approach that requires significant effort and resources to comply.

Many clients have expressed gratitude for the more measured approach, while still recognizing the importance of addressing climate-related risks and opportunities. Overall, the final rules are seen as a step forward in promoting transparency and responsible business practices.

In a recentĚý, Gensler acknowledged AI as the “most transformative technology of our time, fully on par with the internet” and when these types of technology emerge, firms will often make false claims to lure clients with the use.

AI washing is used to describe claims made or marketed by companies or investment advisors about their use of AI that are untrue or misleading. WhenĚýadvertising, investment advisers are held to seven principles-based prohibitions intended to guide adviser-marketing and prevent fraudulent, deceptive, and manipulative acts. These prohibitions include that marketing material must not be misleading and an adviser must have the ability to substantiate material statements, among others.ĚýTherefore, Global Predictions and Delphia (USA) were found to have violated these prohibitions, among others, when marketing false AI statements.

‘Expert AI-driven forecasts’

Global Predictions, a San Francisco-based firm that offers investment advisory services through an interactive online platform and makes investment allocation recommendations to clients, disseminated material to more than one person on its public website and social media sites, as well as in emails to current and prospective clients, which constituted advertisements, and that contained false and misleading statements concerning the firm’s use of AI.

For example, the SEC found Global Predictions claimed on its public website that its technology incorporated “expert AI-driven forecasts,” when it did not, and inaccurately claimed to be the “first regulated AI financial advisor” on its public statements and marketing material, and in turn, was unable to produce documents to substantiate this claim.

AI washing is used to describe claims made or marketed by companies or investment advisors about their use of AI that are untrue or misleading.

According to the seven prohibitions of the new marketing rule, if an investment adviser cannot produce information to substantiate claims in an advertisement, the exam staff will presume that the adviser did not have a reasonable basis for their belief.

Additionally, the SEC stated that Global Predictions misrepresented its regulatory assets under management on its public website and was unable to substantiate performance claims.ĚýThe firm also presented a hypothetical performance on its public website and YouTube without adopting and implementing policies and procedures reasonably designed to ensure that the hypothetical performance was relevant to the likely financial situation and investment objectives of the intended audience.

According to the new marketing rules adopting the release, the SEC stated that advisers would generally not be able to include hypothetical performance in mass audience or general circulation advertisements.

Finally, Global Predictions disseminated testimonials on its public website without describing material conflicts of interest on the part of certain persons giving the testimonials created by Global Predictions’ relationship with them. For example, one of the testimonials was given by an individual who had outside business relationships with Global Predictions’ chief executive officer.

The use of testimonials was a highly anticipated aspect of the new marketing rule but to be done in compliance with the rule, a firm must make prominent disclosure that includes a statement of any material conflict of interest, such as whether the person giving the testimonial is a client and whether compensation was provided for the testimonial.

False and misleading

Delphia was a robo-adviser and manager of five pooled investment vehicles. The firm developed algorithms to manage retail client portfolios based on different investment objectives and risk profiles for its clients.ĚýAccording to the SEC order, Delphia intended to useĚýAI and machine learning to collect this data from its clients (such as from social media, banking, credit card, online purchases, etc.) as inputs into its algorithms.

It was found that Delphia collected certain client data intermittently between 2019 and 2023, but it never used that data withĚýAI or machine learning or otherwise used that data in any way as inputs into its investing algorithms.

Delphia’s false and misleading statements were found in the firm’s Form ADV Part 2A brochures, press releases and website marketing.ĚýFor example, Delphia’s website claimed thatĚýthe firm “turns your data into an unfair investing advantage” andĚý“put[s] collective data to work to make our artificial intelligence smarter so it can predict which companies and trends are about to make it big and invest in them before everyone else.” Many of the statements were material because Delphia had represented to current and prospective clients that its use of client data as inputs into its investing algorithms was a vital differentiating characteristic from other advisers.

If an investment adviser cannot produce information to substantiate claims in an advertisement, the exam staff will presume that the adviser did not have a reasonable basis for their belief.

In July 2021, the SEC audited Delphia which admitted it had not used any of its client’s data and had not created an algorithm to use client data. To try to remedy the findings, Delphia amended the firm’s marketing practices, including creating a compliance manager for its compliance team and the retention of two outside compliance consulting firms.

However, Delphia continued to make certain false and misleading statements in advertisements regarding the use of client data in various formats through August 2023, according to the SEC order.ĚýDelphia withdrew its SEC registration in January and moved its five pooled investment vehicles to a newly formed adviser.

Without admitting or denying the SEC’s findings, Delphia and Global Predictions consented to the entry of orders finding that they violated the Advisers Act and ordering them to be censured and to cease and desist from violating the charged provisions.ĚýDelphia agreed to pay a civil penalty of $225,000, and Global Predictions agreed to pay a civil penalty of $175,000.

SEC chair Gary Gensler said in February that the regulatorĚýis taking account of court decisions over its past rulemaking in crafting its final regulation for climate disclosure. In particular, he noted a recentĚýĚýthat rejected the argument made by industry trade groups that the SEC’s stock buyback rule, established in May 2023, violated the First Amendment. The groups said the agency’s stock buyback rule, which required companies to report day-to-day share repurchase data once per quarter, violated the First Amendment by impermissibly compelling their speech.

Legal experts noted that the First Amendment has become the preferred tool for industry groups in recent cases when objecting to proposed regulations that are deemed “controversial.” In a note to clients, the law firm Cooley wrote: “The First Amendment claim is certainly one that we have seen used successfully in the past and are likely to see again.”

Legal experts noted that the First Amendment has become the preferred tool for industry groups in recent cases when objecting to proposed regulations that are deemed “controversial.”

The suit against California’s recent climate disclosure laws, the U.S. Chamber of Commerce and other industry groups allege that the rules violate constitutional rights by compelling companies to engage in non-factual, costly speech on climate change, a controversial political matter.

“The industry has had some recent success with this concept by arguing that ‘the government is requiring me to make statements about my business that are controversial and because of that you can’t force me to make those statements since they violate my First Amendment rights,'” said Bill Tarantino, a partner with Morrison Foerster in San Franciso. “I think there are judges out there who would adopt that view, including the current Supreme Court.” However, legal scholars differ on whether the First Amendment provides plaintiffs with a solid case to challenge regulations brought by federal agencies such as the SEC.

Proponents of First Amendment argument

Some experts argue that the SEC’s constitutional authority relies upon Supreme Court precedent granting deference to the regulation of commercial speech, which is involved in the purchase or sale of a good or service. Such speech receives less First Amendment scrutiny so that the government can enact laws that protect consumers. The SEC’s mandatory disclosure regime, as it involves the purchase and sale of securities, operates under this paradigm.

“But there is a catch,” explained Sean Griffith, professor at Fordham Law School, in aĚý. “Regulations compelling commercial speech receive deferential review only when they are purely factual and uncontroversial. The uncontroversial requirement works to ensure that the regulation is motivated solely to protect consumers.” In the case of the SEC’s climate disclosure rule, there is a clear argument that the regulation is “controversial,” Griffith wrote, because the regulation imposes a “political viewpoint.”

Critics of First Amendment argument

Not all share Griffith’s viewpoint, however. What might be critical in any legal challenge that relies on the First Amendment is the U.S. Supreme Court’s 1985ĚýopinionĚýin . In the case, the Supreme Court said the government may compel a commercial disclosure that is “factual and uncontroversial… as long as disclosure requirements are reasonably related to the [government] interest” and are not unduly burdensome on further speech.

Rebecca Tushnet, a professor at Harvard Law School, sees the SEC’s climate disclosure rule requiring “purely factual information about business operations, such as an issuer’s own estimates of its climate-related risks. And because the mandated statements would be purely factual, they are considered uncontroversial when measured against the Supreme Court’s decision in the Zauderer case.

“The disclosures here would not force companies to take a position on the regulation of greenhouse gas emissions, endorse any ideological position on climate change, or make any moral statements. The issue of climate change may provoke disagreement, but climate disclosures reflect objective realities affecting businesses,” Tushnet wrote in aĚý.

Other legal scholars share a similar view.ĚýIn itsĚýĚýto the SEC, the Knight First Amendment Institute at Columbia University also cited the Supreme Court’s decision in the Zauderer case as a guide.

“The [SEC’s] rules satisfy the predicates for Zauderer review because they require the disclosure of factual and uncontroversial information about the risks associated with securities that companies offer to the investing public,” the Institute wrote. “If the proposed rules trigger First Amendment scrutiny at all, they should be evaluated under the deferential standard of review that applies to compelled disclosures of factual information in the commercial context.ĚýThe proposed rules appear to easily satisfy that standard.”

SEC needs to prepare for battle

Leaving aside the legal arguments on whether using the First Amendment will be an effective tool in the courts, the environment and recent court cases show that there has been momentum behind efforts to limit the rulemaking powers of federal agencies such as the SEC and others, or what some critics refer to as the administrative state.

“No matter what the SEC does, it is likely to face a protracted legal battle when the rule is finally promulgated,” wrote the Sabin Center for Climate Change Law in aĚý. “Indeed, the rule is an appealing target for challengers seeking to limit government action and attempting to push legal boundaries in Administrative Law and under the First Amendment.”