Financial

On May 16, the U.S. Securities and Exchange Commission (“SEC”) adopted amendments to Regulation S-P, which implements the Gramm-Leach-Bliley Act (“GLBA”) for SEC-regulated entities such as broker-dealers, investment companies, registered investment advisers, and transfer agents.

Among other requirements, the amendments require SEC-regulated entities to adopt written policies and procedures for an incident response program

In December 2023, the Dutch SA fined a credit card company €150,000 for failure to perform a proper data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR for its “identification and verification process”.

First, the Dutch SA decided that the company was required to perform a DPIA because the processing met two of

Earlier this month, the New York Department of Financial Services (“NYDFS”) announced that it had finalized the Second Amendment to its “first-in-the-nation” cybersecurity regulation, 23 NYCRR Part 500.  This Amendment implements many of the changes that NYDFS originally proposed in prior versions of the Second Amendment released for public comment in November 2022 and June 2023, respectively.  The first version of the Proposed Second Amendment proposed increased cybersecurity governance and board oversight requirements, the expansion of the types of policies and controls companies would be required to implement, the creation of a new class of companies subject to additional requirements, expanded incident reporting requirements, and the introduction of enumerated factors to be considered in enforcement decisions, among others.  The revisions in the second version reflect adjustments rather than substantial changes from the first version.  Compliance periods for the newly finalized requirements in the Second Amendment will be phased over the next two years, as set forth in additional detail below.

The finalized Second Amendment largely adheres to the revisions from the second version of the Proposed Second Amendment but includes a few substantive changes, including those described below:

  • The finalized Amendment removes the previously-proposed requirement that each class A company conduct independent audits of its cybersecurity program “at least annually.”  While the finalized Amendment does require each class A company to conduct such audits, they should occur at a frequency based on its risk assessments.  NYDFS stated that it made this change in response to comments that an annual audit requirement would be overly burdensome and with the understanding that class A companies typically conduct more than one audit annually.  See Section 500.2 (c).
  • The finalized Amendment updates the oversight requirements for the senior governing body of a covered entity with respect to the covered entity’s cybersecurity risk management.  Updates include, among others, a requirement to confirm that the covered entity’s management has allocated sufficient resources to implement and maintain a cybersecurity program.  This requirement was part of the proposed definition of “Chief Information Security Officer.”  NYDFS stated that it moved this requirement to the senior governing bodies in response to comments that CISOs do not typically make enterprise-wide resource allocation decisions, which are instead the responsibility of senior management.  See Section 500.4 (d).
  • The finalized Amendment removes a proposed additional requirement to report certain privileged account compromises to NYDFS.  NYDFS stated that it did so in response to public comments that this proposed requirement “is overbroad and would lead to overreporting.”  However, the finalized Amendment retains previously-proposed changes that will require covered entities to report certain ransomware deployments or extortion payments to NYDFS.  See Section 500.17 (a).

Continue Reading New York Department of Financial Services Finalizes Second Amendment to Cybersecurity Regulation

On 26 June 2023, the International Sustainability Standards Board (“ISSB”) published its inaugural International Financial Reporting Standards Sustainability Disclosure Standards (the “ISSB Standards”) (read our previous blog post on this here).  In August 2023, the UK Financial Conduct Authority (“FCA”) published Primary Market Bulletin 45, confirming its intentions to update its climate-related disclosures

On 26 June 2023, the International Sustainability Standards Board (the “ISSB”) issued its inaugural International Financial Reporting Standards (“IFRS”) Sustainability Disclosure Standards (the “Standards”), heralding progress in the development of a global baseline of sustainability-linked disclosures. The Standards build on the concepts that underpin the IFRS Accounting Standards, which are required in more than 140 jurisdictions, but notably not in the United States for domestic issuers subject to regulation by the Securities and Exchange Commission (“SEC”), which must apply US Generally Accepted Accounting Principles (“US GAAP”). Despite broad investor appetite for transparent, uniform and comparable disclosure rules, the scope of required sustainability disclosure and timing for adoption of the SEC’s pending climate disclosure rule remain unresolved.

  1. IFRS S1 General Requirements for Disclosure of Sustainability-related Financial Information (“IFRS S1”) requires an entity to disclose information about all sustainability-related risks and opportunities that could reasonably be expected to affect the entity’s prospects. The effect on the entity’s prospects refers to the effect on the entity’s cash flows, its access to finance, or cost of capital over the short, medium or long term.
  2. IFRS S2 Climate-related Disclosures (“IFRS S2”) requires an entity to provide information about its exposure to climate-related risks and opportunities. Information to be disclosed includes both physical risks—such as extreme weather events—as well as transition risks, such as changes in customer behaviour.

Both IFRS S1 and IFRS S2 are effective for annual reporting periods beginning on or after 1 January 2024. Accordingly, where the Standards have been adopted for a 2024 reporting cycle, relevant disclosures will begin to be published in 2025 in an entity’s general purpose financial reports (subject to transitional provisions), alongside an “explicit and unreserved statement of compliance” when disclosing against the Standards. Whilst the launch of the Standards has been a welcome step, seeking to provide greater uniformity in corporate reporting, individual jurisdictions will decide whether entities will be required to comply with the Standards.

Continue Reading ISSB issues inaugural global sustainability disclosure standards

Earlier this week, the Securities and Exchange Commission (“SEC”) published an update to its rulemaking agenda indicating that it does not plan to approve two proposed cyber rules until at least October 2023 (the agenda’s timeframe is an estimate).  The proposed rules in question address disclosure requirements regarding cybersecurity governance and cybersecurity incidents at publicly

May 23, 2023, Covington Alert

The U.S. Department of the Treasury (“Treasury”), in its capacity as chair of the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”), recently posted two new frequently asked questions (“FAQs”) to CFIUS’s website that have important implications for parties planning transactions subject to the Committee’s jurisdiction.

First, CFIUS confirmed its recent practice of requiring detailed information on all direct or indirect foreign ownership involved in a transaction, including disclosure of all limited partners (or “LPs”) of an investment fund, without regard to any pre-existing agreements between the fund sponsor and investor regarding disclosure.

Second, CFIUS offered guidance regarding the meaning of “completion date” for purposes of when a mandatory filing must be submitted for a multi-stage transaction. The guidance could have broad implications, especially for some venture financing transactions, as it introduces uncertainty regarding the ability of investors to use a staged transaction to acquire an initial, passive equity interest prior to submitting a mandatory CFIUS filing with respect to a subsequent acquisition of control or certain non-passive rights. The new guidance seems at odds with language that appears in the preamble to the regulations implementing the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”), and the practice of transaction parties for the last several years. CFIUS did not provide any explanation for this change, which raises questions as to why the Committee has issued the guidance now.

Each of these developments is discussed in more detail below.

1. CFIUS may require detailed information regarding all foreign persons involved directly or indirectly in a transaction, including limited partners in an investment fund.

Treasury published the following FAQ on May 11:

Does CFIUS require information on all foreign persons, such as limited partners in an investment fund, that would hold an interest in a U.S. business, whether directly or indirectly, as part of the transaction?

Continue Reading CFIUS Issues Guidance On Disclosure of Information About Limited Partner Investors and Application of Mandatory Filing Rules to Multi-stage Transactions

On March 30, the Lula administration officially presented its proposed new fiscal policy framework for Brazil.

Minister of Finance Fernando Haddad and Minister of Planning and Budget Simone Tebet presented the framework to the press after several rounds of negotiation within the administration and with the congressional leadership, in particular the Speaker of the House and the President of the Senate.

Key takeaways:

  1. The new framework tries to strike a balance between fiscal responsibility and social responsibility, combining fiscal adjustment measures with the preservation of budget for key social policies, in particular the conditional cash transfer to the poor, minimum wage, healthcare and income tax exemption for workers and the middle class.
  • The new framework’s ‘fiscal anchor’ is based on an annual primary budget surplus target (excluding debt interest payment), from -0.5% of GDP in 2023 to 1.0% of GDP in 2026, growing in 0.5 pp increments per year.
  • The annual primary budget surplus target will be pursued within a tolerance range between +0.25% and -0.25% of GDP of that year’s target (e.g., if the target for the year is 0.5%, the range will be from 0.25% to 0.75%). This tolerance range mechanism mirrors the existing inflation target mechanism used by the Central Bank.
  • In addition to the target, growth in spending will be pegged to revenue increase at 70% (e.g., if revenue increases BRL 10 billion, spending can increase only up to BRL 7 billion). If the annual primary budget surplus target is not achieved, the spending growth peg is reduced to 50% to slow down further spending.

Continue Reading Brazil’s Lula Administration Presents New Fiscal Framework

FCA Issues Reminder on Board and Executive Management D&I Disclosure Obligations

The UK Financial Conduct Authority (“FCA”) has provided a reminder to primary market participants in its Primary Market Bulletin 44 of the need to make diversity and inclusion-related (“D&I”) disclosures in their annual reports. The obligations were introduced last year through amendments to the Listing Rules and the Disclosure Guidance and Transparency Rules (“DTRs”), as set out in the FCA’s Policy Statement PS 22/3 (and covered in our previous blog post here).

At a glance, the amendments to the Listing Rules oblige in-scope companies to disclose annually on a “comply or explain” basis whether they meet specific board diversity targets, and to publish standardised data on the composition of their board and senior management, in each case in relation to sex or gender and ethnic background.

Changes to the corporate governance rules were introduced (through the amendments to the DTRs) to encourage a broader consideration of diversity at a board level, including with respect to a wider pool of diversity characteristics, spanning ethnicity, sexual orientation, disability, and socio-economic background.

The rules are intended to increase transparency with better, more comparable information on the diversity of companies’ boards and executive management. The FCA believes that greater transparency will provide improved data for companies and investors to assess progress in this area, and inform shareholder engagement and investment decisions, thereby enhancing market integrity and promoting greater D&I.

Continue Reading FCA Primary Market Bulletin No. 44

On February 22, 2023, the New York Stock Exchange (“NYSE”) and the Nasdaq Stock Market (“Nasdaq”) filed rule proposals[1] to adopt new listing standards implementing Rule 10D-1 under the Securities Exchange Act of 1934. That rule, which the Securities and Exchange Commission (the “SEC”) adopted in October 2022, requires national securities exchanges to implement standards to require listed companies to adopt and publicly file so-called “clawback” policies to recover erroneously awarded incentive-based compensation following accounting restatements. Rule 10D-1, which was first proposed in 2015 and re-opened for comment twice, implements Section 954 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.

The proposed listing standards are subject to a 21-day comment period once published in the Federal Register before the SEC can approve them, and must, in any event, become effective by November 28, 2023. Listed companies will be required to adopt clawback policies that comply with the new standards within 60 days of the effective date of the applicable listing standards (the “Adoption Deadline”).

The listing standards proposed by both NYSE and Nasdaq are materially consistent with Rule 10D-1 and its adopting release. Among other things, both proposed listing standards provide for the commencement of delisting proceedings for listed companies that fail to either adopt a compliant clawback policy or comply with such policy after a clawback obligation arises. These delisting provisions are discussed below, and, for an in-depth discussion of Rule 10D-1’s requirements, please refer to our previous alert.

NYSE – Delisting for Noncompliance

Failure to Adopt a Policy: As proposed, a company listed on NYSE that fails to adopt a compliant clawback policy by the Adoption Deadline will have five days to notify NYSE, after which the exchange will send a written delinquency notification to the company. Upon receipt of this notification, the company would have five days to contact NYSE to discuss the delinquency and to issue a press release disclosing the company’s delinquency, the reason for the delinquency and, if known, the anticipated date on which a clawback policy will be adopted. If the company fails to issue such a press release in time, NYSE will issue a press release stating that the company has received a delinquency notice.

Continue Reading NYSE and Nasdaq Propose Clawback Listing Standards