Publications Archives

Few European Data Protection Board (EDPB) opinions have been awaited as eagerly as the EDPB’s opinion on AI models (Opinion)[1]. The build-up to publication of the Opinion raised levels of expectation that were almost impossible for the EDPB to meet.

The EDPB finally delivered the Opinion just in time for Christmas, and it is almost as notable for what it does not cover as for what it does. A number of important issues concerning AI models are not addressed at all, and much of what the Opinion does cover is drafted in heavily qualified language that leaves substantial room for interpretation and will not be straightforward to apply in practice.

However, two points in particular stand out and should in our view be welcomed by those developing and deploying AI models. The first is that the EDPB has avoided taking a hard line that training AI models with personal data means that those models can never be considered anonymous. Instead it stresses the need for a case-by-case assessment based on the likelihood of personal data being extracted from the model and the likelihood of obtaining personal data from queries. However, the threshold set by the EDPB for a model to be considered anonymous is a high one, and controllers are likely to have substantial difficulties in practice with giving effect to data subjects’ rights in relation to models that are not considered anonymous.

The second is that the EDPB has not ruled out the possibility of controllers relying on legitimate interests for developing and deploying AI models, including training AI models on personal data scraped from publicly-accessible websites. Again, the EDPB stresses the requirement for a case-by-case assessment, and identifies factors that should be taken into account by controllers, including in relation to web-scraping. As with the issue of anonymity, the EDPB sets a high bar, and the Opinion is light on detail as to how the EDPB’s recommendations can be applied in practice.

It may be tempting to criticise the EDPB for taking such a cautious approach – after all, it leaves some of the most pressing questions unanswered, and creates the potential for significant fragmentation in approach at member state level. However, some of the limitations in the Opinion result from the way in which the issues were brought before the EDPB; it was always going to be difficult for the EDPB to give concrete answers to some of the questions put to it, and, given the rapid pace of technological development in the AI field, the EDPB would have been unwise to try.

Key Takeaways

The EDPB’s view is that training AI models with personal data does not necessarily prevent those models being anonymous. Whether they are actually anonymous depends on the likelihood of extraction of personal data, either through direct extraction from the model or from the model’s outputs.
The EDPB has set a high bar for anonymity, and developers will need to be able to demonstrate the design and functioning of their models, including by maintaining comprehensive documentation. The EDPB’s position that AI models may not be anonymous is likely to give rise to serious issues, particularly in relation to the exercise of data subjects’ rights.
The EDPB has not ruled out controllers relying on legitimate interests for developing or deploying AI models, including in relation to training models using personal data scraped from public websites. Again, the EDPB has set a high bar, and its position on necessity is likely to create significant practical difficulties for those training LLMs and similar foundation models.
Supervisory authorities may be able to impose corrective measures in relation to the deployment of AI models that are not anonymous, where those models have been developed through unlawful processing of personal data. This applies even where one party develops the model and another deploys it. Those acquiring AI models will need to carry out careful due diligence on the development phase, and will need to consider appropriate contractual protection.

Background to the Opinion

The Opinion arose from a request from the Irish Data Protection Commission (IDPC) for an opinion in relation to AI models and the processing of personal data. That background is important, because the EDPB can be criticised only so far for the limited scope of the Opinion; an opinion under Article 64(2) GDPR should not be confused with guidelines or recommendations issued by the EDPB on its own initiative under Article 70(1) GDPR. An opinion under Article 64(2) is directed to the questions put to the EDPB, so its scope is, to a degree, dictated by the scope of those questions. Nevertheless, given the keen interest in the Opinion and the broader significance of the issues discussed, this raises important questions about when the EDPB should be issuing guidelines or recommendations on its own initiative rather than relying on individual supervisory authorities to frame the questions it considers, as well as about the transparency of the Article 64(2) process. In its 2024-2025 Work Programme, the EDPB has planned to issue guidelines on anonymisation, pseudonymisation and data scraping in the context of generative AI.

The Opinion addresses three main issues. First, when can an AI model trained on personal data be considered anonymous? Secondly, can controllers rely on legitimate interests as a lawful basis under GDPR for processing personal data in the development and deployment of an AI model? Thirdly, what are the consequences of unlawful processing of personal data during the development of an AI model?

Scope of the Opinion

The Opinion is concerned only with AI models that are trained with personal data.[2] That reflects the definition of AI models used by the IDPC in its request[3], but it does mean that the Opinion does not address AI models that may process personal data but that were not themselves trained with personal data.

The Opinion also does not cover certain issues that may arise under the GDPR when using AI models, including the processing of special category data, automated decision-making, purpose limitation, data protection impact assessments and data protection by design and by default.[4] These are important considerations that are already being addressed in other jurisdictions (such as in California, with the draft automated decisionmaking technology (ADMT) regulations recently advanced to formal rulemaking by the California Privacy Protection Agency), and may need to be addressed by the EDPB in order to avoid supervisory authorities taking diverging approaches. Therefore, on these issues supervisory authorities should proceed cautiously and be open to considered dialogue with controllers on developing best practices.

When can AI models be considered anonymous?

The first question addressed by the EDPB is when an AI model that is trained with personal data can be considered anonymous.

Here, the EDPB considers three categories of AI models. The first category is AI models that are specifically designed to provide personal data about individuals whose personal data was used to train the model. The EDPB dispenses with these quickly – these models inherently involve the processing of personal data, and cannot be considered anonymous.[5] Examples given by the EDPB are AI models fine-tuned on an individual’s voice in order to mimic that individual’s voice, and models designed to reply with personal data from the training data set when prompted for information about a specific individual. It remains to be seen how broadly supervisory authorities interpret this category of AI models; certainly, many of the current generation of generative AI models (such as some large language models (LLMs)) are capable of outputting personal data from the data used to train them when prompted to do so (e.g. “tell me all about <celebrity>”), even if they are not designed uniquely for that purpose.

As to AI models that are not designed to provide personal data about individuals whose personal data was used to train the model, the critical question posed by the EDPB is whether information relating to those individuals can be obtained from the model with means reasonably likely to be used.[6] If so, the model cannot be considered anonymous. If not, the model can be considered anonymous and is outside the scope of the GDPR.

Here, the EDPB notes that the exploitation of vulnerabilities in AI models may result in leakage of personal data, and also identifies the possibility of accidental leakage of personal data through interaction with the model. Whilst the EDPB does not say so expressly, the EDPB evidently considers that means reasonably likely to be used may include means that would be unlawful under the GDPR and other EU and member state law. This is an interesting expansion of the approach taken by the CJEU in Breyer[7], which focused on whether a provider had legal means which enable it to identify the data subject.

On the basis that personal data may in certain cases be obtained from AI models trained with personal data, the EDPB concludes that AI models trained on personal data cannot be considered anonymous in all circumstances, and that a case-by-case assessment is required (one of many case-by-case assessments that the EDPB encourages in the Opinion).[8]

As to what that assessment should involve, the EDPB encourages supervisory authorities to focus on two areas: whether personal data relating to the training data can be extracted from the model itself and whether output produced when querying the model relates to data subjects whose personal data was included in the training data set.[9] In each case, the question is whether the personal data can be obtained with reasonable means, and in order for the model to be considered anonymous the likelihood of obtaining the data through those means must be ‘insignificant’.[10] The EDPB stresses that a “thorough evaluation” of the risks of identification is likely to be required.

Helpfully, the EDPB identifies measures that might reduce the risk of identification, as well as factors that supervisory authorities should take into account in evaluating the residual risk of identification, including the design of the AI model itself, the selection of data sources used for training the model, the design of the training process itself and measures designed to limit personal data included in model outputs (e.g. output filters).

One point that stands out in particular is the need for comprehensive documentation. Providers who wish to make claims that their models are anonymous should be prepared to produce documentation to support that position, including documentation on the specific measures used at each stage of the model lifecycle to reduce the risk of identification.

It is worth noting that the EDPB appears to diverge from the approach taken by a number of supervisory authorities, notably the Hamburg DPA in its discussion paper on LLMs[11], which have expressed the view that LLMs themselves do not contain personal data, although their outputs may do so. This may be because the Opinion is not limited to LLMs specifically and therefore does not assume that data is necessarily stored within the model in tokenised form. However, the EDPB’s reference to whether personal data can be extracted from the output of a model as a factor in determining whether the model is anonymous suggests that the EDPB’s view is at odds with that of the Hamburg DPA and likeminded supervisory authorities. This is likely to give rise to serious issues in practice, and in particular whether and how controllers can give effect to data subjects’ rights under Chapter III of the GDPR in relation to AI models that are not considered anonymous on the EDPB’s view.

When can legitimate interests be relied on in developing and deploying AI models?

The second question addressed by the EDPB is whether, and in which circumstances, controllers can rely on the legitimate interests basis[12] for developing or deploying AI models.

Perhaps the most important point to take away is that the EDPB does not rule out controllers relying on legitimate interests, either in general or in any specific case. In particular, the EDPB does not rule out the possibility of relying on legitimate interests for training AI models with data derived from web-scraping. However, as with the question on anonymity of AI models, the Opinion does not give concrete examples of cases where controllers can rely on the legitimate interests basis. Instead, the EDPB stresses the requirement for a case-by-case assessment, adopting the three-step test in Article 6(1)(f) GDPR (i.e. identifying a legitimate interest pursued by the controller or a third party; establishing necessity of the processing for pursuit of that interest; and balancing the legitimate interest against the interests, rights and freedoms of the data subjects). Much of the EDPB’s analysis here draws on its prior work on legitimate interests, including its guidelines from earlier this year[13].

One interesting point to note in the context of lawfulness is that the EDPB gives violation of intellectual property rights as an example of a factor that may be relevant when evaluating whether the controller can rely on legitimate interests. This echoes a similar point made by the ICO in its first call for evidence on generative AI[14] and in its outcomes report[15], in the context of the lawfulness principle. This is questionable. It is true that (as the EDPB notes) the CJEU has clarified that the interest pursued by the controller must not be contrary to law[16], but that is not to say that any violation of intellectual property rights in pursuing that interest renders the processing unlawful within the framework of GDPR. It should be noted here that the owners of the intellectual property rights may well not (and often will not) be the data subjects. Does training an AI model with personal data in breach (even inadvertent breach) of a licence for that data render the processing unlawful? What about the use of third party software to train an AI model in breach (even inadvertent breach) of a licence for that software? Such an approach would represent a remarkable expansion of EU data protection law into areas that have nothing to do with the protection of personal data, and in which data protection law does not belong.

In relation to the necessity limb, the EDPB’s assessment sets a high bar, although this is broadly consistent with the EDPB’s prior guidelines on legitimate interests. One potential difficulty for those developing AI models is the EDPB’s position that, “if the pursuit of the purpose is also possible through an AI model that does not entail processing of personal data, then processing personal data should be considered as not necessary”.[17] A number of AI models, including LLMs, require an extremely large training corpus, and for practical purposes this necessitates training those models using data scraped from publicly available websites. This will, in many cases, necessarily include personal data. If those training LLMs and similar foundation models are required to demonstrate to supervisory authorities, every single time and on a case-by-case basis, that it was not feasible to train the model without processing personal data, this will act as a significant impediment to current model training activities. It would have been helpful if the EDPB had done more to recognise the practical reality facing those training foundation models, when considering the necessity limb. How supervisory authorities now apply the necessity limb in practice will be of critical importance.

Much of this section of the Opinion is given over to the balancing test, and two points in particular: data subjects’ reasonable expectations and mitigating measures that may be employed by controllers. In relation to reasonable expectations, the EDPB repeats a point made in its own prior guidance that the fulfilment of transparency requirements under GDPR is not sufficient in itself to consider that data subjects reasonably expect the processing in question. This continual downplaying of the significance of data protection notices is unhelpful; after all, what is the point of the transparency requirements if not to inform data subjects’ expectations as to how their personal data will be processed? The EDPB also repeats a point made in its prior guidelines on legitimate interests, that mitigating measures should not be confused with measures that the controller is legally required to adopt anyway, an unhelpful and unnecessary distinction that is difficult to apply in practice.

In relation to web-scraping specifically, those looking for a categorical statement from the EDPB as to whether and when this is in line with data subjects’ reasonable expectations may be disappointed: the EDPB does not express a firm view either way, but does explain that the steps taken to inform data subjects should be considered. The EDPB does not elaborate on this, which is a pity given that in many cases of web-scraping informing data subjects about the use of their data to train AI models (beyond making a notice generally available to the public) is practically impossible.

In relation to mitigating measures, the EDPB gives examples of measures that facilitate the exercise of individuals’ rights (including rights of objection and erasure) and enhanced transparency measures. The former in particular are likely to be extremely challenging to implement in practice, especially in relation to personal data derived from web-scraping, where the controller has no prior relationship with the data subject. The EDPB’s recommendations in relation to web-scraping specifically may be more helpful: in the development phase, the EDPB recommends that controllers consider, for example, excluding content from websites that are likely to present particularly high risk or from websites that have objected to scraping by using mechanisms such as robots.txt or ai.txt. Similarly, in the deployment phase, the EDPB recommends that controllers consider technical measures to prevent the output of personal data (such as through regurgitation of training data) and also measures to facilitate the exercise by individuals of their rights, in particular in relation to erasure of personal data (controllers may see a glimmer of light in the EDPB’s reference to the erasure of personal data from model output data, rather than from the model itself).

What are the implications of unlawful processing of personal data in the development of an AI model?

The final question addressed by the EDPB concerns the impact of unlawful processing of personal data, during the development of an AI model, on the lawfulness of use of the model in the deployment phase.

Here, the EDPB considers three scenarios. In the first scenario, a controller unlawfully processes personal data to develop an AI model, the personal data is retained in the model and it is subsequently processed by the same controller. In this scenario, the EDPB’s position is that the power of the supervisory authority to impose corrective measures on the initial processing would, in principle, affect the subsequent processing. However, whether the development and deployment phases of an AI model are separate processing activities, and the impact of unlawfulness in the development phase on processing in the deployment phase, is to be assessed on a case-by-case basis (that phrase again). In other words, the EDPB stops short of saying that a supervisory authority can require a controller to delete or stop using an AI model that has been unlawfully trained on personal data, but appears not to rule that out.

The second scenario is the same as the first, except that the controller using the model in the deployment phase is different from the controller who developed the model. The EDPB’s view here is the least conclusive of the three scenarios – it stresses the need for (you guessed it) a case-by-case assessment, and in particular the degree of due diligence carried out by the deployer on the original processing carried out by the developer. The EDPB appears here to allow more flexibility than in the first scenario, but does not rule out the possibility of corrective measures relating to the initial processing also affecting the subsequent processing. One point is clear, however: those acquiring AI models will need to carry out careful due diligence on developers of AI models, and will need to document their findings and should be prepared to share them with supervisory authorities. Acquirers of AI models will also need to consider any contractual protection that may be required in the event that a corrective measure relating to the developer’s processing has an impact on the acquirer’s subsequent use of the model.

The third scenario involves unlawful processing in the development phase of an AI model, in circumstances where the model itself is anonymised and personal data is subsequently processed in the deployment phase. Here, the EDPB’s position is that the GDPR does not apply to the operation of the model, and that the unlawfulness in the training stage does not affect the subsequent processing of personal data. It does not matter whether the subsequent processing is carried out by the developer of the AI model or by a third party controller. There is, in other words, no general doctrine of ‘fruit of the poisonous tree’ that would enable a supervisory authority to require a controller to delete or stop using an anonymised AI model, merely because that model has been trained unlawfully with personal data. However – and here we come full circle – the EDPB emphasises the need for supervisory authorities to examine thoroughly a controller’s claim that its model is in fact anonymous.

[1] Opinion 28/204 on certain data protection aspects related to the processing of personal data in the context of AI models, available here.

[2] Opinion, paragraph 26.

[3] Ibid, paragraph 21.

[4] Ibid, paragraph 17.

[5] Ibid, paragraph 29.

[6] Ibid, paragraph 31.

[7] Case C-582/14, Breyer.

[8] Ibid, paragraph 34.

[9] Ibid, paragraph 38.

[10] Ibid, paragraph 43.

[11] Available here.

[12] Article 6(1)(f) GDPR.

[13] Guidelines 1/2024 on processing personal data based on Article 6(1)(f) GDPR, available at https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2024/guidelines-12024-processing-personal-data-based_en .

[14] https://ico.org.uk/about-the-ico/what-we-do/our-work-on-artificial-intelligence/generative-ai-first-call-for-evidence/

[15] https://ico.org.uk/about-the-ico/what-we-do/our-work-on-artificial-intelligence/response-to-the-consultation-series-on-generative-ai/

[16] Case C-621/22, Koninklijke Nederlandse Lawn Tennisbond, paragraph 49; Opinion, footnote 54.

[17] Opinion, paragraph 73.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these issues.

Please contact the Gibson Dunn lawyer with whom you usually work, or any leader or member of the firm’s Artificial Intelligence or Privacy, Cybersecurity & Data Innovation practice groups:

Artificial Intelligence:
Keith Enright – Palo Alto (+1 650.849.5386, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, [email protected])
Vivek Mohan – Palo Alto (+1 650.849.5345, [email protected])
Robert Spano – London/Paris (+33 1 56 43 13 00, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, [email protected])
Frances A. Waldmann – Los Angeles (+1 213.229.7914, [email protected])

Privacy, Cybersecurity & Data Innovation:
Ahmed Baladi – Paris (+33 1 56 43 13 00, [email protected])
Ashlie Beringer – Palo Alto (+1 650.849.5327, [email protected])
Joel Harrison – London (+44 20 7071 4289, [email protected])
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, [email protected])
Lore Leitner – London (+44 20 7071 4987, [email protected])
Vera Lukic – Paris (+33 1 56 43 13 00, [email protected])
Rosemarie T. Ring – San Francisco (+1 415.393.8247, [email protected])

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

The U.S. Court of Appeals for the Fifth Circuit has granted a stay pending appeal of a recent district court order that preliminarily enjoined enforcement of the Corporate Transparency Act (CTA).[1]

The stay renders the district court’s order ineffective while the government appeals it. FinCEN responded the same day providing an extension of the reporting deadline for most reporting companies until January 13, 2025.[2] Therefore, the CTA is enforceable but with new timelines, more fully set out below. Please note that certain reporting deadlines were not explicitly extended, and in parsing FinCEN’s release it appears that the filing deadline for entities newly created or registered between September 24 and December 2, 2024 remains set at 90 days from such entity’s formation.

An update on case developments since our December 16, 2024 Client Alert can be found immediately below. For additional background information, please refer to the remainder of this Client Alert or our Client Alerts issued on December 5, December 9, and December 16, 2024.

On December 13, the Department of Justice, on behalf of the Financial Crimes Enforcement Network (FinCEN), filed a motion in the Fifth Circuit asking that court to stay the district court’s nationwide preliminary injunction against enforcement of the CTA, pending appeal of that order.[3]

On December 23, the Fifth Circuit granted the government’s request and stayed the district court’s order pending appeal.[4] The Fifth Circuit panel consisted of Judges Stewart, Haynes, and Higginson. Judge Haynes joined the order in part and disagreed in part, noting her agreement that a nationwide injunction was inappropriate but that she would deny the stay pending appeal with respect to the parties.[5]

The panel agreed with the government that it was likely to succeed on the merits of its appeal because, in its view, the CTA falls within the scope of Congress’s power under the Commerce Clause: The CTA “regulates anonymous ownership and operation of businesses”—”‘part of an economic class of activities that have a substantial effect on interstate commerce.’”[6] Moreover, the court credited the government’s argument that a facial challenge to the CTA was unlikely to succeed because the Act “at least operates constitutionally when it requires that corporations engaged in business operations affecting interstate commerce disclose their beneficial owner and applicant information.”[7]

Turning to the other factors that courts consider when evaluating stay requests, the panel concluded that the government demonstrated irreparable harm because it was enjoined from effectuating a statute enacted by Congress, and the equities weighed in favor of a stay because companies’ reporting costs would be minimal compared to the government’s interest in combatting financial crime and protecting national security.[8] It also noted that although the injunction would be lifted shortly before the January 1, 2025 reporting deadline, businesses have had nearly four years since the CTA’s enactment and one year since FinCEN announced the reporting deadline to prepare.[9]

Late on December 23, 2024, FinCEN announced that it “recognizes that reporting companies may need additional time to comply given the period when the preliminary injunction had been in effect” and so has extended the reporting deadlines for most companies to January 13, 2025.

Additionally, on December 24, 2024, the plaintiffs filed an emergency petition for rehearing en banc, which is currently pending.[10] The plaintiffs are asking the en banc Fifth Circuit to act on that petition by January 6, 2024, and the plaintiffs indicated that they may also seek relief in the U.S. Supreme Court prior to January 13, 2024.[11]

What the Stay Means for Entities Subject to the CTA

Now that the district court’s order has been stayed, the CTA and FinCEN’s beneficial ownership information (BOI) Reporting Rule are enforceable again. Based on FinCEN’s reporting extensions on December 23, the following are the operative Reporting Rule deadlines for non-exempt reporting companies as noted in the FinCEN announcement[12]:

Category	New Reporting Deadline	Original Reporting Deadline
Entities created or registered prior to 2024	January 13, 2025	January 1, 2025
Entities created or registered between January 1 and September 3, 2024	The original 90-day reporting deadline for these entities had already passed as of the district court’s December 3, 2024 stay order. FinCEN did not extend the original reporting deadline for these entities.
Entities created or registered between September 4 and 24, 2024 (referred to by FinCEN as entities created or registered “on or after September 4, 2024 that had a filing deadline between December 3, 2024 and December 23, 2024”)	January 13, 2025	90 days from creation or registration
Entities created or registered between September 24 and December 2, 2024[13]	90 days from creation or registration (no extension provided)	90 days from creation or registration
Entities created or registered between December 3 and 23, 2024	21 days after the original reporting deadline	90 days from creation or registration
Entities created or registered between December 24 and 31, 2024	90 days from creation or registration (no extension provided)	90 days from creation or registration
Entities created or registered on or after January 1, 2025	30 days from creation or registration (no extension provided)	30 days from creation or registration
Entities that qualify for disaster relief extensions	For any entity that qualifies for a disaster relief extension, FinCEN has provided that the later of January 13, 2025 and the original reporting deadline (as extended pursuant to disaster relief) will apply.

blank space

Entities that believe they may be subject to the Reporting Rule should closely monitor this matter, and consult with their CTA advisors as necessary, to understand their obligations under the CTA and the Reporting Rule under the new reporting deadlines set out above.

Additional Background

The CTA, enacted in 2021, requires corporations, limited liability companies, and certain other entities created (or, as to non-U.S. entities, registered to do business) in any U.S. state or tribal jurisdiction to file a “BOI” report with FinCEN identifying, among other information, the natural persons who are beneficial owners of the entity.[14] A regulation, the Reporting Rule, helps implement the CTA by specifying compliance deadlines—including the original January 1, 2025 deadline for companies created or registered to do business in the United States before January 1, 2024—and detailing what information must be reported to FinCEN.[15]

The December 3, 2024 Ruling

On December 3, 2024, in ruling on a lawsuit challenging the constitutionality of the CTA and Reporting Rule on various grounds, Judge Amos L. Mazzant of the U.S. District Court for the Eastern District of Texas granted plaintiffs’ motion for a preliminary injunction.[16] Unlike another court that had held the CTA unconstitutional,[17] Judge Mazzant preliminarily enjoined enforcement of the CTA and Reporting Rule nationwide.[18] Moreover, the court invoked its power under the Administrative Procedure Act’s stay provision, 5 U.S.C. § 705, to “postpone the effective date of” the Reporting Rule.[19]

Government’s Initial Response[20]

On December 5, the Department of Justice, on behalf of the Department of the Treasury, filed a notice of appeal from the court’s opinion and order to the U.S. Court of Appeals for the Fifth Circuit.[21]

FinCEN also posted a statement to its website.[22] In sum, FinCEN noted that, because of the court’s order, “reporting companies are not currently required to file their beneficial ownership information with FinCEN and will not be subject to liability if they fail to do so while the preliminary injunction remains in effect. Nevertheless, reporting companies may continue to voluntarily submit beneficial ownership information reports.” FinCEN also noted the appeal filed by the Department of Justice.

[1] A prior alert by Gibson Dunn explaining the district court’s ruling is available at https://www.gibsondunn.com/corporate-transparency-act-enforcement-preliminarily-enjoined-nationwide. See Texas Top Cop Shop, Inc. et al. v. Garland et al., No. 4:24-CV-478, Dkt. 30 (E.D. Tex. Dec. 3, 2024).

[2] https://www.fincen.gov/boi.

[3] Texas Top Cop Shop, Inc. v. Garland, No. 24-40792, Dkt. 21 (5th Cir. Dec. 13, 2024).

[4] Texas Top Cop Shop, Inc. v. Garland, No. 24-40792, Dkt. 140-2 (5th Cir. Dec. 23, 2024).

[5] Id. at 2 n.1.

[6] Id. at 3 (quoting Gonzales v. Raich, 545 U.S. 1, 17 (2005)).

[7] Id. at 5.

[8] Id. at 5–7.

[9] Id. at 7 n.7.

[10] Texas Top Cop Shop, Inc. v. Garland, No. 24-40792, Dkt. 143 (5th Cir. Dec. 24, 2024).

[11] Texas Top Cop Shop, Inc. v. Garland, No. 24-40792, Dkt. 142 (5th Cir. Dec. 24, 2024).

[12] https://www.fincen.gov/boi.

[13] FinCEN’s notice did not expressly address or provide an extension for entities created or registered between these dates.

[14] See William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. 116-283, Div. F., § 6403 (adding 31 U.S.C. § 5336). Prior alerts by Gibson Dunn explaining the Corporate Transparency Act are available at: https://www.gibsondunn.com/top-12-developments-in-anti-money-laundering-enforcement-in-2023; https://www.gibsondunn.com/the-impact-of-fincens-beneficial-ownership-regulation-on-investment-funds; https://www.gibsondunn.com/the-corporate-transparency-act-reminders-and-key-updates-including-fincen-october-3-faqs.

[15] 31 C.F.R. § 1010.380.

[16] Texas Top Cop Shop, Inc. et al. v. Garland et al., No. 4:24-CV-478, Dkt. 30 (E.D. Tex. Dec. 3, 2024).

[17] Nat’l Small Business United v. Yellen, 721 F. Supp. 3d 1260 (N.D. Ala. 2024); see https://www.gibsondunn.com/corporate-transparency-act-declared-unconstitutional-what-it-means-for-you.

[18] Id. at 77.

[19] Id. at 78.

[20] See Gibson Dunn’s December 9 Client Alert describing the government’s initial response to the district court ruling, available at https://www.gibsondunn.com/us-government-appeals-and-fincen-issues-guidance-about-nationwide-preliminary-injunction-of-corporate-transparency-act-enforcement.

[21] Texas Top Cop Shop, Inc. et al. v. Garland et al., No. 4:24-CV-478, Dkts. 32, 34 (E.D. Tex. Dec. 6, 2024).

[22] https://fincen.gov/boi.

The following Gibson Dunn lawyers assisted in preparing this update: Kevin Bettsteller, Stephanie Brooker, Matt Gregory, Justin Newman, Dave Ware, Shannon Errico, Sam Raymond, Chris Jones, and Connor Mui.

Gibson Dunn has deep experience with issues relating to the Bank Secrecy Act, the Corporate Transparency Act, other AML and sanctions laws and regulations, and challenges to Congressional statutes and administrative regulations.

For assistance navigating white collar or regulatory enforcement issues, please contact the authors, the Gibson Dunn lawyer with whom you usually work, or any leader or member of the firm’s Anti-Money Laundering, Administrative Law & Regulatory, Investment Funds, Real Estate, or White Collar Defense & Investigations practice groups.

Please also feel free to contact any of the following practice group leaders and members and key CTA contacts:

Anti-Money Laundering:
Stephanie Brooker – Washington, D.C. (+1 202.887.3502, [email protected])
M. Kendall Day – Washington, D.C. (+1 202.955.8220, [email protected])
David Ware – Washington, D.C. (+1 202-887-3652, [email protected])
Ella Capone – Washington, D.C. (+1 202.887.3511, [email protected])
Sam Raymond – New York (+1 212.351.2499, [email protected])
Chris Jones – Los Angeles (+1 213.229.7786, [email protected])

Administrative Law and Regulatory:
Stuart F. Delery – Washington, D.C. (+1 202.955.8515, [email protected])
Eugene Scalia – Washington, D.C. (+1 202.955.8673, [email protected])
Helgi C. Walker – Washington, D.C. (+1 202.887.3599, [email protected])
Matt Gregory – Washington, D.C. (+1 202.887.3635, [email protected])

Investment Funds:
Kevin Bettsteller – Los Angeles (+1 310.552.8566, [email protected])
Shannon Errico – New York (+1 212.351.2448, [email protected])
Greg Merz – Washington, D.C. (+1 202.887.3637, [email protected])

Real Estate:
Eric M. Feuerstein – New York (+1 212.351.2323, [email protected])
Jesse Sharf – Los Angeles (+1 310.552.8512, [email protected])
Lesley V. Davis – Orange County (+1 949.451.3848, [email protected])
Anna Korbakis – Orange County (+1 949.451.3808, [email protected])

White Collar Defense and Investigations:
Stephanie Brooker – Washington, D.C. (+1 202.887.3502, [email protected])
Winston Y. Chan – San Francisco (+1 415.393.8362, [email protected])
Nicola T. Hanna – Los Angeles (+1 213.229.7269, [email protected])
F. Joseph Warin – Washington, D.C. (+1 202.887.3609, [email protected])

Join us for an insider view of what to expect at the SEC in the new administration. During this 60-minute webcast we discuss our expectations for the regulatory agenda of the U.S. Securities and Exchange Commission in 2025 and beyond. This will impact all public companies, funds, and financial market participants.

Our panelists include Gibson Dunn Partner Brian Lane, who served as Counsel to SEC Chairman Arthur Levitt and was the Director of the Division of Corporation Finance from 1996 to 1999; Gibson Dunn Partner Tom Kim, who served as Chief Counsel and Associate Director of the Division of Corporation Finance from 2007 to 2013, and as Counsel to SEC Chairman Christopher Cox from 2006 to 2007; Gibson Dunn Partner Tina Samanta, who has represented clients in investigations conducted by the SEC and the Financial Industry Regulatory Authority; and Gibson Dunn Counsel Lauren Cook Jackson, who is an expert in broker-dealer regulation and regularly represents registrants in investigations and enforcement proceedings.

Key topics covered include:

Crypto – what are the possible paths forward for issuers and intermediaries? Is there a best path? What about “tokenization” of securities?
Climate disclosures – will any version of the final rule ever take effect? What about other ESG disclosures?
Gensler-era rulemakings in general – what should be revisited and revised?
Areas of reform for public companies, investment companies, broker-dealers and Wall Street?
Is the SEC too big?
What to expect from the new chairman-designee and a Republican-majority Commission

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour in the General Category.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

PANELISTS:

Thomas J. Kim is a partner in the Washington D.C. office of Gibson, Dunn & Crutcher, LLP, where he is a member of the firm’s Securities Regulation and Corporate Governance Practice Group. Mr. Kim focuses his practice on a broad range of SEC disclosure and regulatory matters, including capital raising and tender offer transactions and shareholder activist situations, as well as corporate governance, environmental social governance and compliance issues. He also advises clients on SEC enforcement investigations – as well as boards of directors and independent board committees on internal investigations – involving disclosure, registration, corporate governance and auditor independence issues. Mr. Kim has extensive experience handling regulatory matters for companies with the SEC, including obtaining no-action and exemptive relief, interpretive guidance and waivers, and responding to disclosures and financial statement reviews by the Division of Corporation Finance. Mr. Kim served at the SEC for six years as the Chief Counsel and Associate Director of the Division of Corporation Finance, and for one year as Counsel to the Chairman.

Brian Lane, a partner with Gibson, Dunn & Crutcher, is a corporate securities lawyer with extensive expertise in a wide range of SEC issues. He counsels companies on the most sophisticated corporate governance and regulatory issues under the federal securities laws. He is a nationally recognized expert in his field as an author, media commentator, and conference speaker. Mr. Lane ended a 16-year career with the Securities and Exchange Commission (“SEC”) as the Director of the Division of Corporation Finance where he supervised over 300 attorneys and accountants in all matters related to disclosure and accounting by public companies (e.g. M&A, capital raising, disclosure in periodic reports and proxy statements). In his practice, Mr. Lane advises a number of companies undergoing investigations relating to accounting and disclosure issues.

Tina Samanta, is a partner in the New York office of Gibson, Dunn & Crutcher. She is a member of the firm’s Litigation, Securities Enforcement, White Collar Defense and Investigations, and Securities Litigation Practice Groups. Her practice focuses on representing financial institutions, corporations, and individuals in sensitive and high-stakes securities-related investigations and litigation. She has represented clients in investigations conducted by the Securities and Exchange Commission, the Financial Industry Regulatory Authority, the New York Attorney General’s Office, and numerous other regulatory authorities. She has also represented a diverse range of clients in all phases of litigation, including trial, before federal and state courts across the country. Tina is a frequent speaker and author on matters relating to enforcement of the securities laws. She is a co-author of the Securities Enforcement chapter in the Practicing Law Institute Treatise, Securities Litigation: A Practitioner’s Guide.

Lauren Cook Jackson is counsel in the Washington D.C. office of Gibson, Dunn & Crutcher. Ms. Jackson’s practice focuses on securities regulatory compliance and enforcement matters. She serves as regulatory compliance counsel to retail and institutional broker-dealers and investment advisers. She has also represented global financial institutions, public companies, broker-dealers, investment advisers, private fund issuers, swap dealers, and commercial commodities traders as well as other regulated entities and professionals in responding to examinations, investigations, and enforcement proceedings brought by securities regulators and self-regulatory organizations including: the SEC, CFTC, FINRA, NYSE, DOJ, OCC, CBOE, CME, NFA, NASAA task force groups, and state securities divisions and attorneys general. Ms. Jackson regularly assists clients in conducting internal investigations into potential violations of state and federal securities laws and in identifying steps necessary to obtain compliance with such regulations, as well as self-reporting to securities regulators when required. She similarly has extensive experience designing and advising on the execution of large-scale remediation programs that balance the concerns and priorities of a firm’s internal constituents, mitigate potential follow-on litigation risk, and fulfill the requirements of relevant regulatory undertakings.

From the Derivatives Practice Group: The CFTC approved a final rule regarding safeguarding and investment of customer funds by FCMs and DCOs and another final rule codifying the no-action position in CFTC staff letter 19-17 regarding separate account treatment by FCMs. The CFTC also has suggestions on your New Year’s resolution.

New Developments

Customer Advisory: Avoiding Fraud May be Your Best Resolution. A new CFTC customer advisory suggests adding “spotting scams” to your list of New Year’s resolutions. The Office of Customer Education and Outreach’s Avoiding Fraud May be Your Best Resolution says that with scammers robbing billions of dollars from Americans through relationship investment scams, resolving to be careful about who you trust online, staying informed, and learning all you can about trading risks are admirable 2025 resolutions. [NEW]
CFTC Approves Final Rule on Margin Adequacy, Treatment of Separate Accounts of a Customer by Futures Commission Merchants. On December 20, 2024, the CFTC announced a final rule to implement requirements for futures commission merchants related to margin adequacy and the treatment of separate accounts of a customer. The rule finalizes the Commission’s proposal, published in the Federal Register in March, to codify the no-action position in CFTC staff letter 19-17 regarding separate account treatment. [NEW]
CFTC Approves Final Rule Regarding Safeguarding and Investment of Customer Funds. On December 17, the CFTC announced that it approved a final rule amending the CFTC’s regulations that govern how futures commission merchants and derivatives clearing organizations safeguard and invest customer funds held for the benefit of customers engaging in futures, foreign futures, and cleared swaps transactions. The amendments revise the list of permitted investments in CFTC Regulation 1.25 and make other related changes and specifications. The amendments also eliminate the CFTC requirement that an FCM deposit customer funds with depositories that provide the CFTC with read-only electronic access to such accounts. The compliance date for the revisions is 30 days after the final rule is published in the Federal Register, except for the revisions to the Segregation Investment Detail Reports (“SIDR”) specified in CFTC Regulations 1.32, 22.2(g)(5), and 30.7(l)(5), and the revisions to the customer risk disclosure statement required under CFTC Regulation 1.55. The compliance date for the revisions to the SIDR and the risk disclosure statement is March 31, 2025. [NEW]
CFTC Commissioner Kristin N. Johnson Announces Reports and Recommendations Advanced by MRAC in 2024. The Market Risk Advisory Committee (“MRAC”) held a public meeting Dec. 10 during which the MRAC adopted three sets of recommendations for the CFTC’s consideration. The reports and accompanying recommendations address (i) U.S. Treasury markets with a focus on effective risk management practices for the cash-futures basis trade, (ii) modernization of regulation governing cyber resilience and critical third-party service providers for central counterparties, and (iii) the potential benefits and limitations of formally adopting obligations to employ legal entity identifiers for beneficial account holders of certain intermediaries. Commissioner Johnson also announced that Danielle Abada, Christopher Lamb and Nita Somasundaram have joined her staff [NEW]
CFTC Grants QC Clearing LLC DCO Registration. On December 17, 2024, the CFTC announced that it issued QC Clearing LLC an Order of Registration as a derivatives clearing organization under the Commodity Exchange Act. QC Clearing LLC permitted to clear, in its capacity as a DCO, fully collateralized positions in futures contracts, options on futures contracts, and swaps. [NEW]
CFTC Staff Issues Advisory Regarding Form 304 Submission Format Beginning January 15, 2025. On December 12, the CFTC Division of Market Oversight issued an advisory notifying all merchants and dealers of cotton holding or controlling positions for future delivery in cotton (traders) that beginning next year they must submit the regulatory filing identified as “Form 304” through the CFTC’s online filings portal. The advisory notes that all traders who are subject to CFTC Regulation 17 CFR 19.00(a) beginning January 15, 2025, Form 304 must be submitted through the CFTC’s online filings portal, which has been updated for traders’ use. Form 304 should continue to be submitted via email through January 14, 2025.
CFTC Staff Issues Advisory Related to the Use of Artificial Intelligence by CFTC-Registered Entities and Registrants. On December 5, the CFTC’s Divisions of Clearing and Risk, Data, Market Oversight, and Market Participants issued a staff advisory on the use of artificial intelligence in CFTC-regulated markets by registered entities and registrants. The advisory is intended to remind CFTC-regulated entities of their obligations under the Commodity Exchange Act and the CFTC’s regulations as these entities begin to implement AI. CFTC staff noted that it is closely tracking the development of AI technology and AI’s potential benefits and risks and that it values its ongoing dialogue with CFTC-regulated entities and intends to monitor these entities’ use of AI as part of the agency’s routine oversight activities. According to the CFTC, the advisory is informed, in part, by public comments received in response to the staff’s January 25, 2024 Request for Comment on AI.
CFTC Releases FY 2024 Enforcement Results. On December 4, the CFTC announced record monetary relief of over $17.1 billion for fiscal year 2024. With the resolution of digital asset cases that resulted in the agency’s largest recovery ever, this record amount included $2.6 billion in civil monetary penalties and $14.5 billion in disgorgement and restitution. In FY 2024, the agency brought 58 new actions including, in the CFTC’s words, precedent-setting digital asset commodities cases, its first actions addressing fraud in voluntary carbon credit markets, complex manipulation cases in various markets, and significant compliance cases – including its largest compliance case ever. The CFTC also said that it continued to vigorously litigate pending actions, resulting in significant litigation victories and recoveries.

New Developments Outside the U.S.

ESMA Consults on the Internal Control Framework for Some of its Supervised Entities. On December 19, ESMA launched a consultation on draft Guidelines related to the Internal Control Framework for some of its supervised entities. ESMA said that the proposed draft Guidelines build on the Internal Control Guidelines currently in place for Credit Rating Agencies and extend them to include also Benchmark Administrators, and Market Transparency Infrastructures (Trade Repositories, Data Reporting Services Providers and Securitization Repositories). The draft Guidelines outline ESMA’s expectations for the components and characteristics of an effective internal control system, intended to ensure: a strong framework, detailing the internal control environment and informational aspects, and effective internal control functions, including compliance, risk management, and internal audit. The draft Guidelines also explain how ESMA applies proportionality in its expectations regarding the internal controls for a supervised entity. According to ESMA, the consultation is primarily aimed at ESMA supervised entities and prospective applicants for ESMA supervision. [NEW]
ESMA Releases Last Policy Documents to Get Ready for MiCA. On December 17, ESMA published its last package of final reports containing Regulatory Technical Standards and guidelines ahead of the full entry into application of the Markets in Crypto Assets Regulation. Specifically, the package includes Regulatory Technical Standards on market abuse and guidelines on reverse solicitation, suitability, crypto-asset transfer services, qualification of crypto-assets as financial instruments and maintenance of systems and security access protocols. [NEW]
ESMA Consults on Proposals to Digitalize Sustainability and Financial Disclosures. On December 13, ESMA published a Consultation Paper seeking stakeholders’ views on how the European Single Electronic Format can be applied to sustainability reporting. The proposals also aim to ease the burden associated with financial reporting. Interested stakeholders are invited to submit their feedback by March 31, 2025.
ESMA Consults on Open-Ended Loan Originating Alternative Investment Funds. On December 12, ESMA published a consultation paper on draft regulatory technical standards on open-ended loan originating Alternative Investment Funds (“AIFs”) under the revised Alternative Investment Fund Managers Directive (“AIFMD”). AIFMD review has introduced some harmonized rules on loan originating funds. The goal of these rules is to provide a common implementing framework by determining the elements and factors that Alternative Investment Fund Managers need to consider when making the demonstration to their Competent Authorities that the loan originated AIFs they manage can be open-ended.
ESMA Consults on Technical Advice on Listing Act Implications. On December 12, ESMA launched a consultation to gather feedback following changes to the Market Abuse Regulation (“MAR”) and Market in Financial Instruments Directive II (“MiFID II”) introduced by the Listing Act. Regarding MAR, ESMA is inviting feedback on: a non-exhaustive list of the protracted process and the relevant moment of disclosure of the relevant inside information (together with some principles to identify the moment of disclosure for protracted not listed processes); a non-exhaustive list of examples where there is a contrast between the inside information to be delayed and the latest public announcement by the issuer; and a methodology and preliminary results for identifying trading venues with a significant cross-border dimension, for the purposes of establishing a Cross Market Order Book Mechanism. Regarding MiFID II, ESMA’s proposals cover: a systematic review of the relevant provisions in Commission Delegated Regulation 2017/565 to ensure that a Multilateral Trading Facility (“MTF”) (or a segment of it) to be registered as small and medium-sized enterprises growth market complies with the relevant requirements in the revised MiFID II; and some conditions to meet the registration requirements for a segment of an MTF, as specified in the revised MiFID II.
ESAs Provide Guidelines to Facilitate Consistency in the Regulatory Classification of Crypto-Assets by Industry and Supervisors. On December 10, the European Supervisory Authorities (the “ESAs”) published joint Guidelines intended to facilitate consistency in the regulatory classification of crypto-assets under Markets in Crypto Asset Regulation. The Guidelines include a standardized test to promote a common approach to classification as well as templates market participants should use when communicating to supervisors the regulatory classification of a crypto-asset.
IOSCO Publishes Final Report on Regulatory Implications and Good Practices on the Evolution of Market Structures. On November 29, IOSCO published its Final Report on the Evolution in the Operation, Governance, and Business Models of Exchanges. According to IOSCO, the Final Report addresses significant changes in exchange business models and market structures, highlighting the impact of increased competition, technological advancements, and cross-border activity on exchanges. Additionally, it outlines a set of six good practices for regulators to consider in the supervision of exchanges that cover three key areas: (1) Organization of Exchanges and Exchange Groups (2) Supervision of Exchanges and Trading Venues within Exchange Groups and (3) Supervision of Multinational Exchange Groups.

New Industry-Led Developments

FRTB Implementation Challenges: Capitalization of Funds. On December 13, ISDA published a second whitepaper on the capitalization of equity investment in funds (“EIIFs”) under the Fundamental Review of the Trading Book (“FRTB”) framework. This paper builds upon an earlier ISDA publication in 2022 that highlighted the overly conservative capital requirements and operational complexities resulting from the proposed Basel III framework associated with EIIFs. Since then, several jurisdictions have implemented the FRTB (Canada and Japan), while others have finalized their FRTB rules (the EU and the UK) or are consulting on the final rules (the US). This topic continues to be a globally important issue for the industry, with many unresolved concerns related to the treatment of EIIFs.
ISDA Responds to HM Treasury on Financial Services Growth and Competitiveness Strategy. On December 12, ISDA submitted its response to HM Treasury’s call for evidence on its financial services growth and competitiveness strategy. In the response, ISDA focused on innovation, technology, international partnerships and trade and sustainable finance. ISDA also urged the UK government to progress its review of markets and infrastructure regulation and retain its focus as a world leading host for central counterparties. [NEW]
Joint Associations Send Letter on UK CCP Equivalence and Recognition. On December 12, ISDA and eleven other trade associations representing a broad group of market participants sent a letter to Commissioner Albuquerque requiring that the European Commission extends the equivalence decision for UK Central Counterparties in a non-time-limited manner and well in advance of March 31, 2025. The current time-limited equivalence decision is set to expire on June 30, 2025.
ISDA Publishes Paper on Compliance Requirements under MIFIR. On December 9, ISDA published a paper that maps out an approach to post-trade transparency under the revised Markets in Financial Instruments Regulation for reporting single-name credit default swaps referenced to global systemically important banks, supporting meaningful transparency and implementation practicability.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])

Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])

Darius Mehraban, New York (212.351.2428, [email protected])

Jason J. Cabral, New York (212.351.6267, [email protected])

Adam Lapidus – New York (212.351.3869, [email protected] )

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

William R. Hallatt , Hong Kong (+852 2214 3836, [email protected] )

David P. Burns, Washington, D.C. (202.887.3786, [email protected])

Marc Aaron Takagaki , New York (212.351.4028, [email protected] )

Hayden K. McGovern, Dallas (214.698.3142, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])

An annual update of observations on new developments and highlights of considerations for calendar-year filers preparing their Annual Reports on Form 10-K for 2024 and proxy statements for annual meetings in 2025.

Each year we offer our observations on new developments and highlight select considerations for calendar-year filers as they prepare their Annual Reports on Form 10-K. This year, we are also including a discussion of select proxy statement considerations. This alert touches upon recent rulemaking from the U.S. Securities and Exchange Commission (the “SEC” or “Commission”), emerging trends among reporting companies, recent comment letters issued by the staff of the SEC’s Division of Corporation Finance (the “Staff”) and developments in the securities litigation and SEC enforcement landscape.

Despite the forthcoming changes in presidential administration and Commission leadership, public companies continue to be subject to rules adopted and guidance issued during Gary Gensler’s chairmanship. While we anticipate that changes in Commission leadership will likely result in shifts in the SEC’s disclosure review focus and enforcement priorities, we believe public companies are wise to stay the course and react to changes in policy or practice with respect to SEC and investor disclosures only after such changes are implemented.

An index of the topics described in this alert is provided below.

I. New Disclosure Requirements for 2024 Form 10-Ks and 2025 Proxy Statements
     A. New Form 10-K Disclosure Requirements
           1. Discuss Insider Trading Policies and Procedures in the Form 10-K (and Proxy
           Statement)
           2. File Insider Trading Policies and Procedures with the Form 10-K
           3. iXBRL Tagging for Cybersecurity Disclosures
     B. New Proxy Statement Disclosure Requirements
           1. Option Award Grant Timing Disclosures
           2. Discuss Insider Trading Policies and Procedures in the Proxy Statement (and
           Form 10-K)
II. Disclosure Trends and Considerations for the 2024 Form 10-K
     A. Cybersecurity
     B. Human Capital
     C. Climate Change and ESG
     D. Generative Artificial Intelligence
     E. Geopolitical Conflict
     F. Issues for China-based Companies
     G. Inflation and Interest Rate Concerns
III. Disclosure Trends and Considerations for the 2025 Proxy Statement
     A. Officer Exculpation
     B. Director Time Commitments (Overboarding)
     C. Director Independence Determinations
     D. Pay vs. Performance
     E. Continued SEC Scrutiny of Perquisites
     F. Nasdaq Board Diversity Rules
IV. SEC Comment Letter Trends
     A. Management’s Discussion and Analysis
     B. Non-GAAP Financial Measures
     C. Segment Reporting
V. Securities Litigation
VI. SEC Enforcement
     A. Defense Against Cybersecurity Risks
     B. Use of Emerging Technologies
     C. Internal Controls
     D. Enforcement Priorities in 2025
VII. Other Reminders and Considerations
     A. EDGAR Next
     B. Disclosure of Significant Segment Expenses in Notes to Financials
     C. Clawback Policies and Checkboxes
     D. Filing Requirement for “Glossy” Annual Report
     E. Cover Page XBRL Disclosures
VIII. Looking Forward

I. New Disclosure Requirements for 2024 Form 10-Ks and 2025 Proxy Statements

The pace of SEC rulemaking regarding public company disclosures slowed in 2024 compared to prior years, particularly the period of breakneck rulemaking that began when Chair Gensler became the Chair of the Commission in 2021 and continued through the end of 2023. The main disclosure requirements that became effective in 2024 resulted from final rules adopted by the SEC in December 2022.

While the SEC’s Regulatory Flexibility Agendas for Spring and Fall 2024 continued to include a bevy of new rulemaking projects, only a few impacting the disclosure obligations of public companies made it to the proposed or final rule stage. When the Trump-appointed Chair, currently expected to be former SEC Commissioner Paul Atkins, takes over at the SEC, several of the rulemaking projects that currently remain under consideration (e.g., board diversity, human capital) are likely to be relegated to the back burner or abandoned altogether.

Set forth below are discussions of the most significant new disclosure requirements that public companies need to consider heading into 2025.

A. New Form 10-K Disclosure Requirements

1. Discuss Insider Trading Policies and Procedures in the Form 10-K (and Proxy Statement)

Pursuant to Item 408(b) of Regulation S-K, companies with a December 31 fiscal year end will be required to disclose whether they have adopted insider trading policies and procedures governing the purchase, sale, and other dispositions of their securities by directors, officers, and employees, or the company itself, that are reasonably designed to promote compliance with insider trading laws, rules, and regulations, and any listing standards applicable to the company. If a company has not adopted such insider trading policies and procedures, it must explain why it has not done so.

Form 10-K vs. Proxy Statement

The information required by Item 408(b) must be included in Part III, Item 10 of Form 10-K[1] every year (either directly or by forward incorporation by reference to the proxy statement) and in the proxy statement for any meeting involving the election of directors.

Because companies are permitted to forward incorporate Form 10-K Part III information by reference to a proxy statement filed within 120 days of the end of the year covered by the Form 10-K, companies may decide to simply include the disclosure in the proxy statement as is commonly done with other Part III information. Companies that decide to go this route should make sure that the insider trading disclosure in the proxy statement is adequately covered by the incorporation by reference language included in Item 10 of Form 10-K. To comply with Exchange Act Rule 12b-23, companies should identify in the Form 10-K the information intended to be incorporated as well as the section of the proxy statement in which that information can be found.

Based on a review of the 95 S&P 500 companies that had filed an insider trading policy as of November 22, 2024, we compiled several observations that are set forth in this alert. For information about the results of an earlier survey based on our review of the insider trading policies filed by S&P 500 companies as of June 30, 2024, see our client alert “Early Insights from Insider Trading Policies Filed by S&P 500 Companies under the SEC’s New Exhibit Requirement“ (the “September 2024 Insider Trading Policy Survey”).[2]

Out of the above-mentioned 95 companies, 56 have filed both their proxy statement and their Form 10-K.[3] Of these 56 companies, 95% included the disclosure in their proxy statement, with 57% including the disclosure only in the proxy statement (and incorporating by reference in the Form 10-K); 32% including the disclosure in the proxy statement and Form 10-K; and 9% having a deficient Form 10-K because they did not include or incorporate by reference the disclosure. The remaining 5% of the 56 companies had a deficient proxy statement because they included the disclosure only in the Form 10-K.

Content of Item 408(b) Disclosure

Companies seem to take varying approaches to the content of their Item 408(b) disclosure. While some of the companies that included the disclosure in both the Form 10-K and the proxy statement had the same or virtually the same disclosure in both filings, others varied it, with some companies largely tracking the language provided in Item 408(b) in the Form 10-K, referring readers to the policies and procedures filed as exhibits to the Form 10-K, but providing more detailed disclosure in their proxy statement, and other companies including more detailed disclosure in the Form 10-K than the proxy statement. A majority of the companies that included the disclosure only in the proxy statement included more detailed disclosure than the language provided in Item 408(b), in many cases by including the key terms of the policy and weaving into the discussion the hedging policy disclosure required by Item 407(i).

“Policies and procedures governing … the registrant itself”

As mentioned above, Item 408(b) requires a company to disclose whether it has adopted insider trading policies and procedures governing transactions in company securities by the company itself, and, if so, to file the policies and procedures, or, if not, to explain why.

Of the 95 S&P 500 companies that had filed their insider trading policy as of November 22, 2024, a majority (69%) did not address insider trading policies or procedures governing companies’ transactions in their own securities.[4] Twenty-six percent of the surveyed companies addressed this requirement by including in their primary insider trading policy a brief sentence or two about the company’s policy of complying with applicable laws when trading in its own securities. Four percent of the surveyed companies filed a separate company repurchase policy, either as a separate exhibit (3%) or with the company’s primary insider trading policy as a single exhibit (1%).

Comparing these findings to the results of our survey of insider trading policies as of June 30, 2024 shows that more companies are complying with the requirement to file policies applicable to company transactions. In fact, almost half of the companies that filed their insider trading policy exhibits after August 30, 2024 complied with the requirement, as compared with 22% of companies that had filed as of June 30, 2024.

2. File Insider Trading Policies and Procedures with the Form 10-K

Pursuant to the exhibit requirements in Item 601(b)(19) of Regulation S-K and the new insider trading rule in Item 408(b)(2), calendar year-end companies are required to file with their 2024 Form 10-K “[a]ny” “insider trading policies and procedures governing the purchase, sale, and/or other dispositions of the registrant’s securities by directors, officers and employees, or the registrant itself, that are reasonably designed to promote compliance with insider trading laws, rules and regulations, and any listing standards applicable to the registrant.”

In September 2024, we published our September 2024 Insider Trading Policy Survey. The discussion below covers some of the questions raised by the new exhibit requirement and looks at how some filers handled these issues.

Ancillary Materials to Primary Insider Trading Policy

For many companies, there is not simply one document setting forth every policy applicable to directors, officers and employees that is “reasonably designed to promote compliance with insider trading laws, rules and regulations, and [applicable] listing standards.” A company’s primary insider trading policy is frequently accompanied by:

appendices or other ancillary documents setting forth additional details, such as a schedule listing the people subject to additional trading windows or preclearance procedures, additional guidelines applicable to Rule 10b5-1 trading arrangements, or frequently asked questions;
training materials used to promote compliance with insider trading laws, rules, regulations, and listing standards by directors, officers, and employees; and/or
specific instructions for how directors, officers, and employees can obtain preclearance or any other approvals referenced in the policy (e.g., who to contact, what systems to use).

Similarly, for the convenience of its users, historically some policies hyperlinked to other information relevant to the policy, such as applicable definitions, examples of what constitutes material non-public information (“MNPI”), and a routinely updated schedule of quarterly trading blackout windows.

When preparing to file Exhibit 19 to Form 10-K, companies will want to consider whether any of these ancillary materials should be filed with the company’s primary insider trading policy. In the absence of guidance from the SEC, one reasonable approach would be to file any ancillary materials that impose additional substantive requirements on directors, officers, and employees, but omit ancillary materials that simply repeat or provide examples or interpretations of the requirements set forth in the main policy.

Based on the insider trading policies filed as of November 22, 2024, a significant majority (86%) of the companies filed only a single insider trading policy and no other related policies or documents (even where the insider trading policy referenced other related policies).[5] In the small number of cases where multiple policies were filed, the additional policies were often supplemental guidelines or policies covering topics typically not applicable to all employees at larger companies (e.g., trading windows, preclearance procedures, 10b5-1 plans).

Unwritten Procedures

Item 408(b)(2) seems to presume the policies and procedures are in writing, but nowhere has the SEC addressed what is to be done to comply with the exhibit requirement in Item 601(b)(19) if the policy or, more likely, procedures are not written. In the absence of guidance from the SEC, to the extent companies have policies or procedures that are not written, they will need to decide whether to (1) memorialize their previously unwritten policies or procedures in writing (either through a detailed description or a more high-level summary) so they can be filed or (2) leave the policies or procedures unwritten and forego filing.

Personal Information in Policies

Many insider trading policies have historically included the names and contact information for the individuals responsible for administering the policy. In anticipation of the filing requirement, many companies have removed that information from the policy altogether. We also believe it is reasonable to retain the information in the internal, non-public facing policy but to redact the information from the exhibit filed with the Form 10-K pursuant to Item 601(a)(6), which allows companies to redact information “if disclosure of such information would constitute a clearly unwarranted invasion of personal privacy (e.g., disclosure of bank account numbers, social security numbers, home addresses, and similar information).”

3. iXBRL Tagging for Cybersecurity Disclosures

Beginning with the 2024 Form 10-K, the required cybersecurity disclosures that calendar year-end companies first began including in their 2023 Forms 10-K pursuant to Item 106 of Regulation S-K will need to be tagged in Inline XBRL (“iXBRL”), including by block text tagging narrative disclosures and detail tagging quantitative amounts.[6] The SEC has stated that companies must use the “Cybersecurity Disclosure (CYD)” taxonomy tags within iXBRL to tag these disclosures.[7] Companies need to be aware that significant judgment will be required to apply these tags. Not only will companies be required to determine the provision of Item 106 to which each part of the narrative disclosure is responsive, but companies will also need to determine which flags to mark as “true” or “false.”

Importantly, under the CYD taxonomy, there is a flag for “Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant,” and it is our understanding that to properly apply the flag, each company must select “true” or “false.” As discussed in Section II.A. (Cybersecurity) below, the requirement to describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the registrant caused consternation among many companies and resulted in wide variety of responses during the first year of compliance. With the iXBRL requirement going into effect, companies that have addressed Item 106(b)(2) by including slightly vague or ambiguous disclosure in Item 1C or by cross-referencing their risk factors will need to carefully consider how they will handle these new tagging requirements.

B. New Proxy Statement Disclosure Requirements

1. Option Award Grant Timing Disclosures

The SEC adopted new rules requiring companies to disclose their policies and practices related to the timing of granting option awards (including stock appreciation rights) and the relationship between grants and the release of MNPI. Specifically, pursuant to Item 402(x) of Regulation S-K, companies must explain how the board decides when to grant these awards (e.g., whether they follow a set schedule), whether the board or compensation committee considers MNPI when deciding the timing and terms of such awards (and if so, how they consider such MNPI) and whether the company has timed the release of MNPI to influence the value of executive compensation. In addition, a new table is required to be included for option awards granted during the last fiscal year to a named executive officer within four business days before or one business day after the filing of a Form 10-Q or Form 10-K, or the filing or furnishing of a Form 8-K that discloses MNPI. Companies are required to include the narrative policies and practices disclosure regardless of whether the company has actually made grants of option awards close in time to the release of MNPI. Although these rules apply only to options and similar awards, we expect many companies to include, or expand on existing, narrative disclosures regarding their policies and practices related to the timing of full value awards as well (i.e., restricted stock units, restricted stock, and performance stock units).

2. Discuss Insider Trading Policies and Procedures in the Proxy Statement (and Form 10-K)

As a result of the overlapping obligations, this proxy statement requirement is discussed above in the section titled “New Form 10-K Disclosure Requirements.”

II. Disclosure Trends and Considerations for the 2024 Form 10-K

A. Cybersecurity

As previously discussed in our client alert “SEC Adopts New Rules on Cybersecurity Disclosure for Public Companies,” on July 26, 2023, the SEC adopted a final rule requiring public companies to provide current disclosure of material cybersecurity incidents and annual disclosure regarding cybersecurity risk management, strategy, and governance.

Under new Item 106, which is required to be addressed in new Item 1C of Form 10-K, public companies must include disclosures in their annual reports regarding their (1) cybersecurity risk management and strategy, including with respect to their processes for identifying, assessing, and managing cybersecurity threats and whether risks from cybersecurity threats have materially affected them; and (2) cybersecurity governance, including with respect to oversight by their boards and management.[8]

The new rule first applied to annual reports on Form 10-K for fiscal years ending on or after December 15, 2023, so most companies provided the required disclosure for the first time in 2024. Gibson Dunn surveyed disclosures made by 97 S&P 100 companies in response to Item 106 requirements as of November 30, 2024.[9] Set forth below is a summary of key trends and insights based on our analysis of these filings. The full results of this survey are included in our alert titled “Cybersecurity Disclosure Overview: A Survey of Form 10-K Cybersecurity Disclosures by the S&P 100 Companies.”

While certain disclosure trends have emerged under Item 106, we note that there is significant variation among companies’ cybersecurity disclosures, reflecting the reality that effective cybersecurity programs must be tailored to each company’s specific circumstances, such as its size and complexity of operations, the nature and scope of its activities, industry, regulatory requirements, the sensitivity of data maintained, and risk profile. Companies must strike a careful balance in their disclosures, providing sufficient decision-useful information for investors, while taking care not to reveal sensitive information that could be exploited by threat actors.[10] We expect company disclosures to continue to evolve as their practices change in response to the ever-evolving cybersecurity threat landscape and as common disclosure practices emerge among public companies.

The key disclosure trends we observed include the following:

Materiality. The phrasing used by companies for this disclosure requirement varies widely. Specifically, in response to the requirement to describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the company, the largest group of companies (40%) include disclosure in Item 1C largely tracking Item 106(b)(2) language (at times, subject to various qualifiers); 38% vary their disclosure from the Item 106(b)(2) requirement in how they address the forward-looking risks; and 22% of companies do not include disclosure specifically responsive to Item 106(b)(2) directly in Item 1C, although a substantial majority of these companies cross-reference to a discussion in Item 1A “Risk Factors.”
Board Oversight. Most companies delegate specific responsibility for cybersecurity risk oversight to a board committee and describe the process by which such committee is informed about such risks. Ultimately, however, the majority of surveyed companies report that the full board is responsible for enterprise-wide risk oversight, which includes cybersecurity.
Cybersecurity Program. Companies commonly reference their program alignment with one or more external frameworks or standards, with the National Institute of Standards and Technology (NIST) Cybersecurity Framework being cited most often. Companies also frequently discuss specific administrative and technical components of their cybersecurity programs, as well as their high-level approach to responding to cybersecurity incidents.
Assessors, Consultants, Auditors or Other Third Parties. As required by Item 106(b)(1)(ii), nearly all companies discuss retention of assessors, consultants, auditors or other third parties, as part of their processes for oversight, identification, and management of material risks from cybersecurity threats.
Risks Associated with Third-Party Service Providers and Vendors. In line with the requirements of Item 106(b)(1)(iii), all companies outline processes for overseeing risks associated with third-party service providers and vendors.
Drafting Considerations.
- Most companies organize their disclosure into two sections, generally tracking the organization of Item 106, with one section dedicated to cybersecurity risk management and strategy and another section focused on cybersecurity governance. Companies typically include disclosures responsive to the requirement to address material impacts of cybersecurity risks, threats and incidents in the section on risk management and strategy.
- The average length of disclosure among surveyed companies is 980 words, with the shortest disclosure at 368 words and the longest disclosure at 2,023 words. The average disclosure runs about a page and a half.

Risk Factors. A substantial majority of companies include a cross-reference to their cybersecurity-related risk factor(s) in Item 1A “Risk Factors” or to risk factors included in Item 1A more generally.

B. Human Capital

Human capital resource disclosures by public companies have continued to be a focus since the SEC adopted the new rules in 2020, not only for companies making the disclosures, but employees, investors, and other stakeholders reading them. As we have done for the past several years, we recently published a survey of the human capital resource disclosures from the S&P 100, available in our client alert titled “Four Years of Evolving Form 10-K Human Capital Disclosures.” The alert also provides practical considerations for companies as we head into 2025.

Overall, our findings indicate that companies are generally making only minor changes to their disclosures year over year, and these minor changes generally included shortening of company disclosures, maintaining or decreasing the number of topics covered, and including slightly less quantitative information in some areas.[11] Specifically, we identified the following trends regarding the S&P 100 companies’ human capital disclosures compared to the previous year:

Length of disclosure. Fifty-seven percent of surveyed companies decreased the length of their disclosures, 34% increased the length of their disclosures, and the length of the remaining 9% remained the same.
Number of topics covered. Forty-one percent of surveyed companies decreased the number of topics covered, 13% increased the number of topics covered, and the remaining 46% covered the same number of topics.
Breadth of topics covered. Across all companies, the prevalence of 10 topics increased, nine topics decreased, and nine topics remained the same.
- The most significant year-over-year increases in frequency involved Culture Initiatives (30% to 35%) and Pay Equity (48% to 50%) disclosures.
- The most significant year-over-year decrease involved COVID-19 disclosures, which declined in frequency from 34% to 1%. Other year-over-year decreases related to disclosures addressing Diversity Targets and Goals (21% to 14%), Diversity in Promotion (29% to 26%), Quantitative Diversity Statistics regarding Gender (63% to 60%), and Community Investment (28% to 25%).
Most common topics covered. This year, the topics most commonly discussed generally remained consistent with the previous two years. For example, Talent Development, Diversity and Inclusion, Talent Attraction and Retention, Employee Compensation and Benefits, and Monitoring Culture remained the five most frequently discussed topics. The topics least discussed this most recent year, however, changed slightly from that of the previous year as COVID-19 disclosures, and Diversity Targets and Goals dropped into the five least frequently covered topics.
Industry trends. Within the technology and finance industries, the trends that we saw in the previous year regarding the frequency of topics disclosed generally remained the same.

C. Climate Change and ESG

The SEC adopted final climate disclosure rules in March 2024.[12] The rules established new disclosure requirements under Regulation S-K related to climate-related risks, governance, and strategy and greenhouse gas emissions (for certain large filers), as well as new financial statement reporting requirements in Regulation S-X related to severe weather events, carbon or energy products, and climate-related targets or transition plans.[13] Following the consolidation of several legal challenges in the Eighth Circuit, the SEC voluntarily stayed the rules in April 2024 pending the litigation’s outcome.[14]

While the litigation is ongoing and the rules do not apply to the upcoming Form 10-K, reporting companies should remain thoughtful about how existing SEC rules may nonetheless require disclosure on many of these topics, including in the risk factors section (related to material climate-related risks), the business section (related to, for example, material climate-related regulatory developments or changes to business strategy), and management’s discussion and analysis (“MD&A”) section (related to, for example, material costs incurred from unique events or invested in climate-related research and development).[15] It can also be prudent to assess the consistency of any sustainability-related disclosure in the Form 10-K with current or anticipated reporting on these topics in non-U.S. or voluntary filings, as mandatory sustainability reporting regulations continue to be adopted outside the United States and may create new areas of legal risk. In particular, companies that are preparing to report under the European Union’s Corporate Sustainability Reporting Directive should consider whether the results of their double materiality assessment or other analyses also require an update to the Form 10-K, including the risk factors discussion.[16]

The Division of Enforcement has also maintained its focus on sustainability-related disclosures and practices despite the dissolution of the standalone ESG Task Force earlier this year.[17] In September 2024, a multinational beverage company agreed to pay a $1.5 million civil penalty to settle SEC claims regarding past Form 10-K statements on testing of the recyclability of the company’s single-use beverage pods. The SEC alleged that statements concerning the successful testing of the recyclability of the pods incomplete and inaccurate by not including that two of the largest recycling companies had expressed concerns about the commercial feasibility of curbside recycling of small format materials and had indicated that at that time they did not intend to accept the pods at their facilities. Notably, the SEC asserted violations of only Section 13(a) of the Securities Exchange Act of 1934 and Rule 13a-1. This standard does not require that the disclosures be material or misleading, or that they be made with any intent—only that the disclosures included in an issuer’s SEC filings be complete and accurate. This enforcement action reinforces that even voluntary or immaterial disclosure on these and other topics may be the subject of regulatory scrutiny and should be appropriately vetted for completeness before filing.

D. Generative Artificial Intelligence

As artificial intelligence (“AI”), including generative AI, becomes increasingly prevalent in the marketplace and incorporated into business operations, companies should assess whether they have adequate AI-related disclosure. Specifically, companies should consider the ways in which the company’s strategy, productivity, market competition and demand for the company’s products, investments and the company’s reputation, as well as legal and regulatory risks, could be affected by AI. To the extent material, disclosure about how the company uses AI and the risks related to its use should be provided in the description of business section, risk factors, MD&A, and the financial statements (as well as the discussion of the board’s role in risk oversight in the proxy statement), as applicable.

When making AI-related disclosures, companies should be careful of general language that could be interpreted as “AI Washing.”[18] As noted by Director Erik Gerding in the Division of Corporation Finance’s announcement in June, the Staff will consider how companies are describing AI-related opportunities and risks, including, to the extent material, whether or not the company: (1) clearly defines what it means by AI and how the technology could improve the company’s results of operations, financial condition and future prospects; (2) provides tailored, rather than boilerplate, disclosure about material risks related to AI; (3) focuses on the company’s current or proposed use of AI; and (4) has a reasonable basis for its claims when discussing AI prospects.[19]

In recent comment letters, the Staff has asked companies to provide additional context to their AI-related disclosure, including to explain the basis of AI-related performance claims and to provide specific descriptions of the AI technology being used by the company, such as the development, implementation and source of the technology, and risks related to such use.[20]

E. Geopolitical Conflict

Public companies should continue to consider the evolving developments related to the continued conflicts between Russia and Ukraine and in the Middle East, as well as continued tensions between China and the United States, including as to whether risks associated with these developments are adequately discussed in the risk factors, as well as their direct and indirect impacts on their business, operating results, and financial condition.

F. Issues for China-based Companies

As discussed in our client alert “Considerations for Preparing Your 2023 Form 10-K,” companies with operations in the People’s Republic of China (the “PRC”) should review the Division of Corporation Finance’s sample comment letter[21] highlighting three focus areas for periodic disclosures related to China-specific matters, including those arising from the Holding Foreign Companies Accountable Act (the “HFCAA”), the Uyghur Forced Labor Prevention Act, and specific government-related operational risks. In addition to posing questions regarding HFCAA disclosures, the sample letter includes comments directed at risk factors and MD&A disclosure.

Director Gerding of the Division of Corporation Finance communicated in June that the Staff would continue to focus on China-based companies and to elicit disclosure from companies on material risks they face from the PRC intervening in, or exercising control over, their operations in the PRC.[22] Director Gerding also noted that the Staff continues to believe that companies should provide more prominent, specific, and tailored disclosures about China-specific matters so that investors have the information they need to make informed investment and voting decisions.

G. Inflation and Interest Rate Concerns

While inflationary pressures have eased and interest rates have decreased as compared to 2023, companies should continue to consider whether their disclosures regarding inflation impacts and risks and uncertainty regarding inflation or future rate changes are adequately discussed, including in light of announced plans from President-elect Trump regarding the implementation of tariffs on U.S. imports as discussed below. Depending on the effect on a company’s operations and financial condition, additional disclosure in risk factors, MD&A, or the financial statements may be necessary.

In June, Director Gerding stressed that material ongoing impacts of inflation, including particularized risks, should continue to be disclosed and companies should not simply discuss high-level trends.[23] Additionally, given the market disruptions in the banking industry that began in 2023, the Staff also indicated that it would continue to scrutinize updated disclosures related to interest rate risk and liquidity risk.[24]

The President-elect has frequently reiterated plans to implement tariffs on U.S. imports of up to 20% on all imports generally, with higher rates for select U.S. trade partners, and has recently communicated that he will impose tariffs of 25% on imports entering the United States from Canada and Mexico, and an additional 10% tariff on imports from China, as one of his first executive orders. Implementation of these tariffs could adversely affect efforts to stem inflationary pressures in the United States and correspondingly influence interest rates. Companies should continue to monitor the risks associated with these proposed policies and confirm that such risks are adequately addressed in their disclosures, including if such proposed plans have already begun to impact their business.

In recent comment letters relating to inflation, the Staff has focused on how current inflationary pressures have materially impacted a company’s operations, including by referring to statements regarding inflation made in a company’s quarterly filings, and sought disclosure to quantify the impact and to identify planned or taken efforts to mitigate the impact of inflation. If inflation is identified as a significant risk, the Staff asked companies to update disclosure if inflationary pressures have resulted in a material impact, to identify the types of inflationary pressures being faced and to quantify the impact of factors contributing to inflationary pressures.[25]

In recent comment letters relating to interest rates, the Staff has asked companies to expand their discussion of interest rates in the risk factors and MD&A sections to specifically identify the impact on the company’s business operations and to discuss specific risk policies and procedures used by the company to manage and monitor interest rate risk.[26]

It is also critical that companies confirm that their disclosures in “Item 7A. Quantitative and Qualitative Disclosures About Market Risk” are up-to-date and responsive to the requirements of Item 305 of Regulation S-K.

III. Disclosure Trends and Considerations for the 2025 Proxy Statement

A. Officer Exculpation

In August 2022, the Delaware General Corporation Law was amended to allow companies to amend their certificate of incorporation to exculpate certain officers from personal liability for monetary damages for breaches of fiduciary duty in a manner similar to, but more narrow than, what is currently permitted for directors.

Such exculpation provisions apply only to direct claims against officers alleging a breach of fiduciary duty of care and provide a basis for early dismissal of certain claims in the preliminary stages of litigation, before extensive and expensive discovery. Because insurance and indemnification already serve to protect officers’ assets in such cases, the company is the primary beneficiary of extending exculpation to officers. This protection must be implemented through an amendment to the company’s certificate of incorporation, requiring both board and shareholder approval.

Although companies initially faced uncertainty regarding the reception of these amendments by proxy advisory firms and institutional investors, most proposals have received strong investor support during 2023, and this support continued in 2024. Between the 2023 and 2024 proxy seasons, approximately 27% of all S&P 500 companies incorporated in Delaware proposed exculpation amendments; all but three (96%) received stockholder approval.[27] Institutional Shareholders Services tends to support these proposals on a case-by-case basis, while Glass Lewis tends to oppose them, absent a “compelling rationale.”

The adoption of officer exculpation amendments reflects evolving expectations around liability protections for corporate officers. Companies contemplating such amendments should consider whether to engage with shareholders in advance to address potential concerns.

B. Director Time Commitments (Overboarding)

Institutional investors are increasingly scrutinizing directors’ time commitments to ensure effective governance. While the primary focus remains adhering to strict numerical limitations on the number of public company boards a director should serve on (generally, no more than two boards for directors who are executive officers and no more than four boards for non-executive directors), there is an increasing push to require companies to disclose their internal director time commitment policies and demonstrate adherence to such policies.[28] With a view to demonstrating the company’s responsiveness to evolving investor expectations and commitment to robust corporate governance, companies should revisit their policy and the processes used by their nominating committee or board of directors to assess director candidates in determining to nominate them for election to the board of directors and consider whether any enhancements are appropriate.

C. Director Independence Determinations

Companies should take a fresh look at their vetting processes to support disclosures with respect to director independence determinations. In 2024, the SEC brought settled charges against a director for proxy rule violations after he was identified in the company’s proxy statement as independent despite maintaining a close personal relationship with an executive officer of the company. The director did not disclose this relationship to the board of directors, thereby allegedly causing the company’s proxy statement to contain materially misleading statements. This enforcement action highlights the need for rigorous diligence in assessing relationships and transactions that could compromise a director’s independence. In light of these developments, companies should assess their independence determination processes, including reviewing their annual directors’ questionnaires and considering whether there are any opportunities to enhance board or nominating committee oversight and related proxy disclosures.

D. Pay vs. Performance

Most companies have already complied with the SEC’s “pay versus performance” (“PvP”) disclosure rules in their annual 2023 and 2024 proxy statements. As companies begin to prepare their 2025 disclosures, we’ve highlighted some notable trends and developments below based on prior proxy seasons and comment letters from the Staff:

One additional year. Reminder that companies must add 2024 as an additional year to the PvP table and should not remove any years until after the PvP table contains five years total (three years for smaller reporting companies).
Relationship disclosures. Although the rule permits graphical, narrative, or a combination thereof to describe the relationship between compensation actually paid and the various performance metrics, the comment letters from the Staff indicate a preference for graphical depictions. Graphical depictions have also been the majority practice during the last two proxy seasons.
Metrics reporting. The Staff has placed an emphasis on ensuring (i) the compensation numbers included in the PvP table reconcile with those disclosed in the Summary Compensation Table, (ii) any Generally Accepted Accounting Principles (“GAAP”) numbers used, including net income, reconcile to the applicable numbers disclosed on the company’s Form 10-K, (iii) companies include clear descriptions of how they calculated any non-GAAP numbers included in the PvP disclosure, and (iv) the company-selected measure in the PvP table is included in the company’s list of the most important measures used to link pay and performance.
Reconciliations. As a reminder, footnote reconciliations of the amounts deducted and added to calculate compensation actually paid for years other than the most recent fiscal year are required only if material to an understanding of the PvP information reported for the most recent fiscal year. As such, many companies can streamline their PvP disclosures by omitting prior years’ footnote reconciliations. In line with such guidance, the Staff has indicated that if a company revises the compensation actually paid included for prior fiscal years, then footnote reconciliations for such prior years should be included.
Precise headings. The Staff has placed an emphasis on avoiding the use of vague terms in the headings of PvP table footnote reconciliations, such as “year-over-year.” Instead, the Staff prefers specific headings that track closely to the language of the rules, such as “prior fiscal year end to current fiscal year end” or “prior fiscal year end to vesting date.”
Peer group changes. As a reminder, if the peer group used for peer group total shareholder return (“TSR”) disclosures in the PvP table changes from the prior year, the footnote must include the reason for the change and a comparison of the company’s TSR with that of both the new peer group and the peer group from the prior year.

In light of the above, companies should review their PVP table and related disclosures to incorporate and consider whether any improvements are necessary to comply with the latest SEC guidance.

E. Continued SEC Scrutiny of Perquisites

The SEC continues to bring enforcement actions against companies relating to perquisite disclosure (as recently as this month), so companies may want to revisit their director and officer questionnaire and other disclosure control processes ahead of the upcoming proxy statement. Perquisites facing scrutiny include personal travel and commuting (including use of corporate aircraft), personal expenses, personal entertainment, personal transportation and personal security.

F. Nasdaq Board Diversity Rules

On December 11, 2024, the U.S. Court of Appeals for the Fifth Circuit vacated the SEC’s approval of Nasdaq’s board diversity disclosure rules, which previously required Nasdaq-listed companies to annually disclose a board diversity matrix with information about each of its director’s self-identified gender and demographic characteristics. Nasdaq has communicated that it does not intend to seek further review. As a result, companies will no longer be required to follow Nasdaq’s board diversity disclosure rules but may want to consider relevant investment community expectations when assessing any changes to their proxy disclosures.

IV. SEC Comment Letter Trends[29]

In 2024, comment letters from the Staff continued an emphasis on addressing disclosures in MD&A as well as the use of non-GAAP measures. Notably, following the adoption and subsequent stay of the SEC’s final climate disclosure rule in 2024, the number of comment letters from the Staff regarding companies’ climate-related disclosures decreased as the SEC reprioritized its focus areas.

A. Management’s Discussion and Analysis

Many of the comment letters addressing MD&A continued to focus on disclosures relating to results of operations, with the Staff often requesting that companies explain related disclosures with more specificity. The Staff has continued to focus on disclosures regarding material period-to-period changes in quantitative and qualitative terms as prescribed by Item 303(b) of Regulation S-K. For example, the Staff has commented on disclosures about factors contributing to period-on-period changes in financial line items, such as revenue, gross margin, cost of sales, expenses and operating cash flows, to request that companies provide both more quantitative detail regarding the extent to which each factor had contributed to the overall change in the line item, as well as qualitative discussion of the underlying factors attributable to such contributing factors.[30] The Staff often requested companies to “use more definitive terminology, rather than general or vague terms such as ‘primarily,’ to describe each contributing factor.”[31] The Staff has also continued to request that companies make disclosures about known trends and uncertainties affecting their results of operations.[32]

Another area that the Staff has continued to focus on is ensuring that key performance indicators (“KPIs”) are properly contextualized so that they are not misleading.[33] The Staff has, in certain circumstances, requested that companies provide additional disclosures regarding how KPIs are defined and calculated, why they are useful to investors and how they are used by management.[34] In addition, the Staff asked companies why KPIs or other performance metrics are discussed in earnings releases or investor presentations if not also discussed in their periodic reports or presented inconsistently.[35]

The Staff has also often asked companies to quantify and provide additional disclosure regarding significant components of financial condition and results of operations that have affected segment results.[36]

Two other key areas of MD&A that the Staff continued to focus on were critical accounting estimates and liquidity and capital resources. The Staff frequently noted that companies’ disclosures regarding critical accounting estimates were too general and requested that companies provide a more robust analysis, including both qualitative and quantitative information necessary to understand the estimation uncertainty and its impact on the financial statements, consistent with the requirement now set forth in Item 303(b)(3).[37] The Staff often indicated that these disclosures should supplement, not duplicate, the disclosures in footnotes to financial statements.[38] The Staff frequently commented on cash flows disclosures regarding enhancing the comparative analysis of the drivers of material changes period-on-period and the underlying reasons for such material changes, with a view to provide investors an understanding of trends and variability in cash flows.[39] The Staff also noted that such disclosures should not merely recite changes evident in the financial statements.[40]

B. Non-GAAP Financial Measures

The Staff has continued to express concerns regarding the improper use of non-GAAP measures in filings and issued several comments aligned with the Staff’s Compliance and Disclosure Interpretations (“C&DIs”).[41] Comments related to the latest C&DIs continued to focus on whether operating expenses are “normal” or “recurring” (Non-GAAP C&DI 100.01), and, therefore, whether exclusion from non-GAAP financial measures might be misleading.[42] The Staff has also asked companies about whether certain non-GAAP adjustments to revenue or expenses have made the adjustments “individually tailored” (Non-GAAP C&DI 100.04).[43] In addition to a continued focus on the topics covered under the C&DIs, the Staff continued to focus on a number of other matters relating to compliance with Item 10(e) of Regulation S-K, including the prominence of non-GAAP measures, reconciliations to GAAP measures and the usefulness and purpose of particular non-GAAP measures.

C. Segment Reporting

The Staff has continued to comment on a number of segment reporting disclosures. Examples of common comments include whether a company’s operating segments are properly categorized and the reasoning behind the aggregation of similar segments (and the factors used to identify different segments). The Staff also continued to focus on the disclosure of segment profit or loss measures and, in some cases, commenting that a measure consolidating segment profit or loss reflected a non-GAAP measure and should not be included in the financial statements.[44] Similarly, the Staff also commented that when a company presents a measure consolidating segment profit or loss outside of the notes in the financial statements, it is a non-GAAP measure and must comply with Item 10(e) and the Non-GAAP C&DIs.[45]

V. Securities Litigation

Companies should be aware of the following recent developments at the Supreme Court. First, earlier this year, the Supreme Court issued its opinion in Macquarie Infrastructure Corp. v. Moab Partners, L.P.¸601 U.S. 257 (2024), about whether Section 10(b) liability can be based on failure to disclose information required by Item 303. Second, the Supreme Court previously was poised to issue a decision in Facebook, Inc. v. Amalgamated Bank, regarding when risk factor disclosures made pursuant to Item 105 of Reg. S-K can be false or misleading under Section 10(b). However, after hearing oral argument, the Supreme Court issued an order in late November dismissing that appeal without issuing an opinion. Macquarie is discussed below.

Macquarie

On April 12, 2024, the Supreme Court unanimously decided Macquarie, holding that an issuer does not violate Section 10(b) or Rule 10b-5 merely by failing to disclose material information—even if that information is required to be disclosed under Item 303.[46] Instead, an omission is actionable under Section 10(b) only if it renders an affirmative statement by the issuer misleading.[47]

Plaintiff claimed that Macquarie violated Section 10(b) by failing to disclose under Item 303 that a new regulation would impact Macquarie’s business going forward.[48] The Court disagreed because plaintiff failed to “plead any statements rendered misleading” by the alleged omission.[49] Because Rule 10b-5 requires only “disclosure of information necessary to ensure that statements already made are clear and complete,” it covers “half-truths,” not “pure omissions.”[50]

While a company may not be held liable under Section 10(b) for a pure omission of information required under Item 303, companies should be mindful that Item 303 violations may be actionable under other provisions of the federal securities laws.

VI. SEC Enforcement

Throughout the past year, the SEC continued bringing enforcement actions against public companies for making allegedly misleading statements within their financial reporting and disclosures. Several themes and trends were apparent from the types of situations and disclosures underlying the Commission’s enforcement actions.

A. Defense Against Cybersecurity Risks

The SEC brought actions against several companies for either allegedly overstating the effectiveness of their respective cybersecurity programs and measures to defend against potential future intrusions, or for allegedly misstating the extent to which known cybersecurity incidents compromised company data. For example, at the end of 2023, the SEC charged SolarWinds for allegedly “overstating . . . cybersecurity practices and understating or failing to disclose known risks” in the years preceding a major cyberattack the company underwent in 2020.[51] Separately, later in 2024, the Commission brought settled charges against four public companies for allegedly understating to investors the extent to which cyberattacks had damaged their infrastructure or compromised their data.[52] The Commission alleged that several of these companies had “hypothetically or generically” framed cybersecurity risk factors even though the alluded-to risks had “already materialized” through known cyber intrusions, and this warranted more specific and deliberate disclosures to investors.

B. Use of Emerging Technologies

Representing somewhat of an inverse of the Commission’s trend of bringing enforcement actions involving alleged misstatements about an entity’s ability to defend against technological threats such as cyberattacks, the SEC also brought enforcement actions involving alleged misstatements about the extent to which entities could marshal emerging technologies to their advantage. For example, it announced settled fraud charges against a publicly traded South Korean crypto asset company for allegedly misrepresenting the extent to which it used blockchain technologies to settle transactions.[53]

Separately, the Commission brought settled charges against investment advisers and a hedge fund for making allegedly misleading disclosures about their purported use of artificial intelligence to improve investment decisions.[54] Though these enforcement actions concerned statements made by financial firms, their lessons can extend to public companies, many of which will inevitably find use cases of their own for artificial intelligence, and will accordingly need to consider disclosure of such capabilities and attendant risks.

C. Internal Controls

As in prior years, the SEC brought actions against companies for allegedly failing to maintain adequate internal accounting and disclosure controls. For example, in June 2024, the Commission brought settled charges against a global provider of business communication and marketing services for allegedly failing to implement internal accounting controls sufficient to restrict access to the company’s information technology systems, or disclosure controls sufficient to provide management with relevant cybersecurity information with which to make appropriate disclosure decisions.[55]

However, a key court decision in the SolarWinds litigation in July 2024 marked what might be a turning point in the SEC’s penchant for finding internal accounting controls violations. There, the United States District Court for the Southern District of New York largely dismissed charges the Commission brought against SolarWinds regarding its cybersecurity controls. On the SEC’s internal accounting controls claim, the court found the claim failed because the cybersecurity controls did not relate to the company’s accounting or finance controls. On the SEC’s disclosure controls and procedures claim, the court found that though the company had misclassified the severity of two cybersecurity incidents, such misclassifications were isolated and could not by themselves support a claim that the controls were inadequate absent evidence of systemic problems with the company’s disclosure process, or a more prolific pattern of misstatements.[56]

D. Enforcement Priorities in 2025

As discussed below, SEC leadership will look different in 2025, and enforcement priorities may change significantly. It is not known what will happen to existing cases in the pipeline. We anticipate many cases will move ahead uninterrupted, while others will be reevaluated by SEC leadership and quietly closed. Suffice it to say, we expect the next 12 months to be a period of significant transition within the Enforcement Division of the SEC.

VII. Other Reminders and Considerations

Set forth below is a discussion of a few other recent rule changes, as well as reminders and considerations to keep in mind as companies prepare their annual reports on Form 10-K and proxy statements.

A. EDGAR Next

Those responsible for making SEC filings should be aware of the significant upcoming changes to the Electronic Data Gathering, Analysis, and Retrieval (“EDGAR”) System. On September 27, 2024, the SEC adopted amendments to Regulation S-T and Form ID to make technical changes to the EDGAR filer access and account management processes (referred to by the SEC as EDGAR Next). While there will be a steep learning curve associated with these significant procedural changes to EDGAR, they are expected to ultimately result in a filing system that is easier for filers and the individuals acting on their behalf to manage. EDGAR Next is currently in a beta testing period and will go live on March 24, 2025, though legacy EDGAR can still be used to make filings through September 12, 2025. EDGAR Next will, among other things, require filers to designate individuals to manage the filers’ EDGAR accounts and file on their behalf. To access EDGAR and make filings, these designated individuals will be required to have their own individual account credentials and complete multifactor authentication.

For a detailed discussion of the amendments to the EDGAR access rules, including an outline of the implementation timeline and an explanation of the steps to take now to prepare for the transition to EDGAR Next, please see our client alert titled “EDGAR Next: Preparing for Upcoming Changes to the EDGAR Access Rules.”

B. Disclosure of Significant Segment Expenses in Notes to Financials

Attorneys responsible for preparing and reviewing Form 10-K filings should also be aware of a recent change in accounting standards that will affect calendar year filers for the first time in the 2024 Form 10-K. On November 27, 2023, the Financial Accounting Standards Board (“FASB”) issued an Accounting Standards Update designed to provide more detailed information about companies’ reportable segment expenses and performance. Companies must now disclose significant segment expenses provided to the chief operating decision maker (“CODM”) and included in each reported measure of segment profit or loss, along with other segment items and their composition. If a company does not disclose significant expense categories and amounts for one or more of its reportable segments, it needs to explain the nature of the expense information the CODM uses to manage operations. The update clarifies that if the CODM uses multiple measures of segment profit or loss, more than one measure can be disclosed in the segment footnote, but at least one measure should be the measure that is most consistent with the measurement principles used in measuring the corresponding amounts in the financial statements. Companies are also required to disclose the CODM’s title and position and explain how the CODM uses these measures in assessing performance and allocating resource. Entities with a single reportable segment must comply with both the new and existing disclosure requirements. The updated guidance is effective for annual periods beginning after December 15, 2023.

In connection with these segment disclosures in the financial statement footnotes, which will provide investors and analysts a broader view of each segment’s operating results, companies should consider whether the discussion in MD&A should be updated to provide additional context about how management views the business conducted by each segment.

C. Clawback Policies and Checkboxes

As a reminder, in connection with the SEC’s adoption of clawback rules in October 2022, a few significant requirements were added that affect Form 10-K filings and proxy statements.

Form 10-K Cover Page Checkboxes. Two new checkboxes were added to the Form 10-K cover page, which require companies to indicate whether (i) the financial statements included in the filing reflect the correction of an error to previously issued financial statements, and (ii) any such corrections are restatements that required a recovery analysis pursuant to Rule 10D-1(b). A number of interpretive questions have arisen with respect to the applicability of the checkboxes in various contexts, so companies should carefully consider whether either of those boxes should be checked.
Clawback Policy Exhibit with Form 10-K. Companies are now required to file their clawback policy as Exhibit 97 to the Form 10-K.
Discussion of Application of Clawback Policy. Item 402 of Regulation S-K was amended to require companies to disclose how they have applied their recovery policies. If, during its last completed fiscal year, a company either completed a restatement that required recovery, or there was an outstanding balance of excess incentive-based compensation relating to a prior restatement, such company must disclose the information required by Item 402 for each restatement in any Form 10-K (either directly or by forward incorporation by reference to the proxy statement) or proxy or information statements that include executive compensation disclosure.

D. Filing Requirement for “Glossy” Annual Report

As a reminder, in June 2022 the SEC adopted amendments requiring that annual reports sent to shareholders pursuant to Exchange Act Rule 14a-3(c), otherwise known as “glossy” annual reports, must also be submitted to the SEC in PDF format using EDGAR Form Type ARS. Because these electronic submissions include the graphics and stylistic presentations of glossy annual reports, the file sizes can be very large, and companies are well advised to conduct a test filing sufficiently in advance of the live filing.

E. Cover Page XBRL Disclosures

On September 7, 2023, the SEC published a sample comment letter regarding XBRL disclosures.[57] The sample comment letter included a comment regarding how common shares outstanding are reported on the cover page as compared to on the company’s balance sheet. The comment addressed instances in which companies “present the same data using different scales (presenting the whole amount in one instance and the same amount in thousands in the second).” Accordingly, companies should consider presenting their outstanding share data consistently throughout their Form 10-K.

VIII. Looking Forward

Much is expected to happen between now and Inauguration Day. On December 4, 2024, President-elect Trump announced that he has selected former SEC Commissioner Paul Atkins to lead the SEC. SEC Commissioner Lizárraga has announced his intention to resign on January 17, 2025, and current SEC Chair Gensler will resign at noon on January 20, 2025.

On January 20 or 21, 2025, we expect the new Chief of Staff to formally instruct the executive agencies to refrain from proposing or issuing new rules, consistent with prior action taken by the Biden Administration and first Trump Administration. The Trump Administration will name an Acting Chair (likely Commissioner Uyeda). Commissioners Uyeda and Peirce are former Counsels to Atkins when he was a Commissioner. The Acting Chair will have a 2-1 majority. In the near-term, we would expect the Acting Chair to make certain personnel decisions, including removing existing Directors of Divisions, appointing new Acting Directors, and making decisions about how the Staff administers the laws.

The 2024 Form 10-K and 2025 proxy statement will require a number of new disclosures and considerations. As always, we recommend that companies start drafting their disclosures earlier rather than later, particularly where disclosures will require coordination among different teams or where benchmarking against peer disclosures may be appropriate.

[1] Foreign Private Issuers are required to disclose similar information in Item 16J of Form 20-F.

[2] For the purposes of the September 2024 Insider Trading Policy Survey, we limited our review to Exhibit 19 filings and did not review the companies’ disclosures in the body of the proxy statement or Form 10-K addressing Item 408(b)(1). The group of 49 S&P 500 companies in the September 2024 Insider Trading Policy Survey includes 23 companies that made Item 408(b) disclosures and 26 companies that were not subject to the disclosure requirements but voluntarily filed their insider trading policies and procedures with a Form 10-K filed prior to June 30, 2024.

[3] The remaining 39 companies include (1) early voluntary filers that filed their insider trading policy as an exhibit to their Form 10-K but did not address the Item 408(b) requirement in their Form 10-K or proxy statement and (2) other non-calendar year companies that filed their fiscal 2024 Form 10-Ks more recently but have not yet filed their proxy statement as of November 22, 2024.

[4] For the purposes of our September 2024 Insider Trading Policy Survey, we limited our review to Exhibit 19 filings and did not review the companies’ disclosures in the body of the proxy statement or Form 10-K addressing Item 408(b)(1).

[5] Under Item 408(b)(2), if all of a company’s insider trading policies and procedures are included in its code of ethics that is filed as an exhibit to the company’s Form 10-K, that satisfies the exhibit requirement. However, many companies do not file their code of ethics and instead rely on one of the alternative means of making the code available allowed under Item 406(c)(2) and (3).

[6] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, SEC Release No. 34-97989 (July 26, 2023), available at https://www.sec.gov/files/rules/final/2023/33-11216.pdf (“For Item 106 of Regulation S-K and Item 16K of Form 20-F, all registrants must begin tagging responsive disclosure in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024.”)

[7] See the Cybersecurity Disclosure Taxonomy Guide (September 16, 2024), available at https://www.sec.gov/data-research/standard-taxonomies/operating-companies.

[8] Foreign private issuers are required to make similar annual disclosures pursuant to Item 16K of Form 20-F.

[9] As of November 30, 2024, three S&P 100 companies had not yet filed annual reports on Form 10-K for fiscal years ending on or after December 15, 2023.

[10] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11216 (July 26, 2023) at 60-63.

[11] Data provided is as of November 10, 2024 and is based on the companies currently included within the S&P 500, so some statistics are slightly different than they were in the prior surveys. The categorization data necessarily involves subjective assessment and should be considered approximate.

[12] See “SEC Adopts Rules to Enhance and Standardize Climate-Related Disclosures for Investors” (Mar. 6, 2024), available at https://www.sec.gov/newsroom/press-releases/2024-31.

[13] For a further discussion of the climate reporting requirements, please see our prior client alert “SEC Adopts Sweeping New Climate Disclosure Requirements for Public Companies,” Gibson Dunn (Mar. 2024), available at https://www.gibsondunn.com/sec-adopts-sweeping-new-climate-disclosure-requirements-for-public-companies/.

[14] For a further discussion of the legal challenges to the climate reporting requirements, please see our prior blog posts “Fifth Circuit Stay of the SEC’s Climate Disclosure Rule Dissolved,” Gibson Dunn (Mar. 2024), available at https://themonitor.gibsondunn.com/fifth-circuit-stay-of-the-secs-climate-disclosure-rule-dissolved/ and “Eighth Circuit Establishes Briefing Schedule for SEC Climate Disclosure Rules Litigation,” Gibson Dunn (May 2024), available at https://themonitor.gibsondunn.com/eighth-circuit-establishes-briefing-schedule-for-sec-climate-disclosure-rules-litigation/.

[15] Prior to adopting the climate disclosure rules, the SEC issued guidance in 2010 explaining how current SEC reporting requirements could already require discussion of climate-related matters. See “Commission Guidance Regarding Disclosure Related to Climate Change” (Feb. 8, 2010), available at https://www.sec.gov/files/rules/interp/2010/33-9106.pdf.

[16] For a further discussion of this legislation and what to do to prepare, see “Webcast: What Does the CSRD Mean for U.S. Businesses?” Gibson Dunn (Nov. 2024), available at https://www.gibsondunn.com/webcast-what-does-the-csrd-mean-for-u-s-businesses/ and “European Corporate Sustainability Reporting Directive (CSRD): Key Takeaways from Adoption of the European Sustainability Reporting Standards,” Gibson Dunn (Aug. 2023), available at https://www.gibsondunn.com/european-corporate-sustainability-reporting-directive-key-takeaways-from-adoption-of-european-sustainability-reporting-standards/.

[17] For a discussion of the dissolution of the ESG Task Force, see “Gibson Dunn Environmental, Social and Governance Update (September 2024),” Gibson Dunn, (Oct. 2024), available at https://www.gibsondunn.com/gibson-dunn-esg-monthly-update-september-2024/.

[18] See “Chair Gary Gensler on AI Washing” (March 18, 2024), available at https://www.sec.gov/newsroom/speeches-statements/sec-chair-gary-gensler-ai-washing.

[19] See “The State of Disclosure Review” (June 24, 2024), available at https://www.sec.gov/newsroom/whats-new/gerding-state-disclosure-review-062424.

[20] Ardent Health Partners, LLC (link); Astera Labs, Inc. (link); Brand Engagement Network Inc. (link); iBio, Inc. (link); OneStream, Inc. (link); Rubrik, Inc. (link); Safe Pro Group Inc. (link).

[21] Available at https://www.sec.gov/rules-regulations/staff-guidance/disclosure-guidance/sample-letter-companies-regarding-china.

[22] See note 19.

[23] Id.

[24] Id.

[25] Casey’s General Stores, Inc. (link); Concentra Group Holdings Parent, Inc. (link); International Paper Company (link); Mueller Water Products, Inc. (link); Proficient Auto Logistics, Inc. (link).

[26] First Commonwealth Financial Corporation (link); Fulton Financial Corporation (link); FT 11735 (link); Glacier Bancorp, Inc.(link); Managed Portfolio Series (link); Premier Financial Corp. (link); Synovus Financial Corp. (link); The Sherman-Williams Company (link); WaFd, Inc. (link).

[27] Information is derived from the Institutional Shareholder Services voting analytics database.

[28] For example, State Street Global Advisors has emphasized the importance of disclosing the company’s director time commitment policy in its 2024 proxy voting guidelines and has indicated that it may vote against nominating and governance committee chairs at S&P 500 companies that fail to adequately disclose their annual director overboarding review process and related numerical limits. Additionally, in 2023, BlackRock voted against directors at 297 companies due to overboarding concerns.

[29] For additional discussion of comment letter trends, see “SEC Reporting Update – Highlights of trends in 2024 SEC staff comment letters” (September 12, 2024), available at https://www.ey.com/en_us/technical/accountinglink/sec-reporting-update-highlights-of-trends-in-2024-sec-staff-comment-letters1.

[30] Corsair Gaming, Inc. (link); GoDaddy Inc. (link); Gogo Inc. (link); Foot Locker, Inc. (link); Newell Brands Inc. (link); Payoneer Global Inc. (link); PetiQ, Inc. (link); Warner Bros. Discovery, Inc. (link); Workday, Inc. (link).

[31] Corsair Gaming, Inc. (link); GoDaddy Inc. (link); Gogo Inc. (link); Workday, Inc. (link).

[32] See note 29.

[33] Id.

[34] Consensus Cloud Solutions, Inc. (link); Martin Midstream Partners L.P. (link).

[35] Gen Digital Inc. (link); HBT Financial, Inc. (link); NCR Atleos Corporation (link).

[36] See note 29. Spectrum Brands Holdings, Inc. (link).

[37] CommScope Holding Company, Inc. (link); Community Bank System, Inc.(link); Gibraltar Industries, Inc. (link); Fidus Investment Corporation (link); HEICO Corporation (link); Methode Electronics, Inc. (link); Turning Point Brands, Inc. (link).

[38] CommScope Holding Company, Inc. (link); Community Bank System, Inc. (link); Gibraltar Industries, Inc. (link); Fidus Investment Corporation (link); HEICO Corporation (link); Methode Electronics, Inc. (link); Turning Point Brands, Inc. (link).

[39] AudioCodes Ltd. (link); Cencora, Inc. (link); Flywire Corporation (link); International Paper Company (link); Lyft, Inc. (link); Traeger, Inc. (link); Turning Point Brands, Inc. (link).

[40] AudioCodes Ltd. (link); Cencora, Inc. (link); Flywire Corporation (link); International Paper Company (link); Lyft, Inc. (link); Sea Limited (link); Traeger, Inc. (link); Turning Point Brands, Inc. (link).

[41] See note 19; Lumentum Holdings Inc. (link); Newell Brands Inc. (link); Penumbra, Inc. (link); Spectrum Brands Holdings, Inc. (link).

[42] Lumentum Holdings Inc. (link); Newell Brands Inc. (link); Spectrum Brands Holdings, Inc. (link); Penumbra, Inc. (link).

[43] Bar Harbor Bank & Trust (link); GoHealth, Inc. (link); Peoples Bancorp Inc. (link); The Cooper Companies, Inc. (link); WaFd, Inc. (link); Wheels Up Experience Inc. (link).

[44] See note 29; nVent Electric plc (link); Orthofix Medical Inc. (link); Pentair plc (link); Warner Bros. Discovery, Inc. (link).

[45] APTIV PLC (link); International Paper Company (link); StandardAero, Inc. (link).

[46] 601 U.S. at 265.

[47] Id.

[48] See id. at 260, 265.

[49] Id. at 265 (emphasis added).

[50] Id. at 264 (emphasis added).

[51] SEC Press Release, “SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures” (Oct. 30, 2023), available at https://www.sec.gov/newsroom/press-releases/2023-227.

[52] SEC Press Release, “SEC Charges Four Companies With Misleading Cyber Disclosures” (Oct. 22, 2024), available at https://www.sec.gov/newsroom/press-releases/2024-174.

[53] SEC Press Release, “Terraform and Kwon to Pay $4.5 Billion Following Fraud Verdict” (June 11, 2024), available at https://www.sec.gov/news/press-release/2024-73.

[54] SEC Press Release, “SEC Charges Two Investment Advisers with Making False and Misleading Statements About Their Use of Artificial Intelligence” (Mar. 18, 2024), available at https://www.sec.gov/news/press-release/2024-36; SEC Press Release, “SEC Charges Rimar Capital Entities and Owner Itai Liptz for Defrauding Investors by Making False and Misleading Statements About Use of Artificial Intelligence” (Oct. 10, 2024), available at https://www.sec.gov/newsroom/press-releases/2024-167.

[55] SEC Press Release, “SEC Charges R.R. Donnelley & Sons Co. with Cybersecurity-Related Controls Violations” (June 18, 2024), available at https://www.sec.gov/news/press-release/2024-75.

[56] Opinion and Order, SEC v. SolarWinds Corp. and T. Brown, 1:23-cv-09518-PAE (S.D.N.Y. July 18, 2024) at 104, 107.

[57] Available at https://www.sec.gov/corpfin/sample-letter-companies-regarding-their-xbrl-disclosures.

The following Gibson Dunn lawyers assisted in preparing this update: Aaron Briggs, Gina Hancock, Elizabeth Ising, Michael Kahn, Julia Lapitskaya, Brian Lutz, James Moloney, Mark Schonfeld, Michael Titera, David Woodcock, Lauren Assaf-Holmes, Spencer Bankhead, Clinton Eastman, Lucy Hong, Rob Kelley, David Korvin, Stella Kwak, Risa Nakagawa, Antony Nguyen, Meghan Sherley, Geoff Walter, Mike Ulmer, and Timothy Zimmerman.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Securities Regulation and Corporate Governance, Executive Compensation and Employee Benefits, or Capital Markets practice groups, or any of the following practice leaders and members:

Securities Regulation and Corporate Governance:
Elizabeth Ising – Co-Chair, Washington, D.C. (+1 202.955.8287, [email protected])
James J. Moloney – Co-Chair, Orange County (+1 949.451.4343, [email protected])
Lori Zyskowski – Co-Chair, New York (+1 212.351.2309, [email protected])
Aaron Briggs – San Francisco (+1 415.393.8297, [email protected])
Thomas J. Kim – Washington, D.C. (+1 202.887.3550, [email protected])
Brian J. Lane – Washington, D.C. (+1 202.887.3646, [email protected])
Julia Lapitskaya – New York (+1 212.351.2354, [email protected])
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, [email protected])
Michael Scanlon – Washington, D.C.(+1 202.887.3668, [email protected])
Michael A. Titera – Orange County (+1 949.451.4365, [email protected])

Executive Compensation and Employee Benefits:
Sean C. Feller – Los Angeles (+1 310.551.8746, [email protected])
Krista Hanvey – Dallas (+1 214.698.3425, [email protected])
Kate Napalkova – New York (+1 212.351.4048, [email protected])
Gina Hancock – Dallas (+1 214.698.3357, [email protected])

Capital Markets:
Andrew L. Fabens – New York (+1 212.351.4034, [email protected])
Hillary H. Holmes – Houston (+1 346.718.6602, [email protected])
Stewart L. McDowell – San Francisco (+1 415.393.8322, [email protected])
Peter W. Wardle – Los Angeles (+1 213.229.7242, [email protected])

Pizzuto v. Homology Meds., Inc., No. 1:23-CV-10858, 2024 WL 1436025
(D. Mass. Mar. 31, 2024)

Case Highlight

In a securities fraud action earlier this year, an executive’s statement made in an email to a single research analyst was alleged to be false or misleading. In Pizzuto v. Homology Meds (“Pizzuto”), plaintiffs brought a securities class action complaint against Homology Medicines Inc. (“Homology”), a biopharmaceutical company, alleging that the company’s statements regarding the safety and efficacy of its gene therapy treatment were false and misleading. Among the challenged statements was one made by Homology’s Chief Communication Officer (“CCO”) in an email to a research analyst in response to an inquiry about a Facebook post. Specifically, one of Homology’s trial patients had posted about her test results and treatment publicly on Facebook. Although the Facebook post was removed and/or made private within a few hours, analysts reacted quickly to the post. When a research analyst emailed Homology’s CCO inquiring about the post, the CCO replied: “Some Facebook post. Nothing fundamental changed for [Homology] but unfortunately, our stock price.” The plaintiffs alleged that this statement was “affirmatively false or materially misleading” because the post represented “a materially adverse development in the [phase 1] trial data.” Ultimately, the court held that the CCO’s email “was a generic expression of corporate optimism, or ‘puffery’ about how Homology was doing” and, as such, was “immaterial as a matter of law.”

Key Takeaways

Although Homology was not held liable based on its CCO’s email, this case highlights the risk posed by executive emails. Executive emails have come up previously in securities fraud actions in the context of assessing scienter, but rarely are challenged themselves as false or misleading. But it is clear from Pizzuto that the plaintiffs’ bar does not discriminate against the medium in which the alleged misstatements are made and, thus, executives at public companies should take caution that a statement in an email to an analyst may potentially serve as a basis for a future securities fraud claim under Section 10(b). Pizzuto thus serves as a friendly reminder that executives should exercise caution when sending emails to the street—even if the email is directed to a single analyst. Companies should consider holding regular securities litigation training sessions with executives who frequently interface with the market and, as a general practice, in-house or outside counsel should review executive emails to the street to reduce the risk of future securities litigation exposure.

This newsletter has been prepared by the Life Sciences and Securities Litigation teams of Gibson Dunn. For further information, please contact the Gibson Dunn lawyer with whom you usually work, or any of us by email:

Life Sciences:

Ryan Murr – Partner, San Francisco ([email protected])
Branden Berns – Partner, San Francisco ([email protected])

Securities Litigation:

Jessica Valenzuela – Partner, Palo Alto ([email protected])
Jeff Lombard – Of Counsel, Palo Alto ([email protected])
Brian Lutz – Partner, San Francisco ([email protected])
Craig Varnen – Partner, Los Angeles ([email protected])
Monica Loseman – Partner, Denver, New York ([email protected])

Gibson Dunn’s Workplace DEI Task Force aims to help our clients develop creative, practical, and lawful approaches to accomplish their DEI objectives following the Supreme Court’s decision in SFFA v. Harvard. Prior issues of our DEI Task Force Update can be found in our DEI Resource Center. Should you have questions about developments in this space or about your own DEI programs, please do not hesitate to reach out to any member of our DEI Task Force or the authors of this Update (listed below).

Key Developments:

On December 11 and 12, 2024, Do No Harm, represented by Consovoy McCarthy PLLC, filed two new lawsuits challenging scholarship programs. Do No Harm filed a complaint against the Society of Military Orthopaedic Surgeons (“SOMOS”), the U.S. Navy, and the Department of Defense, challenging a jointly-run scholarship program that allegedly provides funding to female students and students of racial backgrounds that are “underrepresented in orthopaedics.” See Do No Harm v. Society of Military Orthopaedic Surgeons, No. 1:24-cv-03457-RBW (D.D.C. 2024). According to Do No Harm, the program excludes white, male applicants and therefore violates Section 1981 and the equal protection component of the Fifth Amendment. Do No Harm also filed a complaint against the University of Colorado challenging its Underrepresented Minority Visiting Elective Scholarship program. See Do No Harm v. Univ. of Colorado, No. 1:24-cv-03441 (D. Colo. 2024). The complaint alleges that the university provides a $2,000 scholarship to visiting medical students in its Radiation Oncology Department, and claims that the scholarship violates the Equal Protection Clause and Title VI because it is only available to students who identify as Black, Native American, Hispanic/Latino, Pacific Islander, LGBT+, or who are from a disadvantaged socioeconomic background.

On December 2, 2024, the U.S. Department of Labor sent a letter to America First Legal (AFL), confirming that the Office of Federal Compliance Programs (OFCCP) “held an informal compliance conference with Southwest Airlines” in relation to a complaint AFL filed with the agency in January 2024. AFL’s complaint quotes Southwest’s public announcements concerning DEI and alleges that Southwest “appears to be unlawfully considering sex, race, and color in its hiring practices.” According to DOL’s letter, Southwest “understands that OFCCP regulations do not permit quotas, preferences, or set asides.” The DOL letter references certain federal rules and regulations, including Executive Order 11246, which “requires Government contractors to take affirmative action to ensure that equal opportunity is provided in all aspects of their employment.” The letter states that these rules and regulations operate as “benchmark[s],” and “are not to be interpreted as a ceiling or floor for the employment of particular groups of persons.” The letter also represents that Southwest agrees to “take appropriate measures” and “remedy any unlawful discrimination” if it fails to meet a utilization goal or hiring benchmark. The letter states that “such remedies may include,” among other things, “broadening recruitment and outreach to increase the diversity of applicant pools, and/or instituting training and/or apprenticeship programs to increase promotion opportunities and applications from underrepresented groups.” On December 13, DOL sent a nearly identical letter to AFL in response to a similar complaint AFL filed against American Airlines.

On December 9, the Wisconsin Institute for Law & Liberty (WILL) sent a letter to the board of directors for the Green Bay Area Public School District, threatening legal action if the school district does not abandon an alleged discriminatory policy “prioritizing” literacy resources for Black, Hispanic, and Native American students. WILL claims that the district’s policy violates Title VI and the Fourteenth Amendment. WILL sent the letter on behalf of a mother of a white student “who suffers from dyslexia” and has allegedly received “less favorable” educational services because of the district policy.

On December 9, the U.S. Supreme Court voted 7-2 to deny a petition for review of the temporary COVID-19-era admissions policy implemented at three competitive Boston public schools. Boston Parent Coalition for Academic Excellence Corp. v. School Comm. for the City of Boston et al., No. 23-1137 (2024). Under the policy, 80% of admissions spots were allocated to high-performing students in Boston zip codes with the lowest median family incomes. The policy resulted in fewer admissions for white and Asian American students, and a parent coalition sought reversal of the First Circuit’s decision that the policy did not violate the Fourteenth Amendment’s Equal Protection Clause. The First Circuit had affirmed the district court’s finding that the Coalition failed to show any relevant disparate impact on white and Asian American students, holding that the policy considered geography, family income, and the student’s GPA—not race—in selecting students for admission. Dissenting from the Court’s decision not to hear the case, Justice Alito, joined by Justice Thomas, wrote that the First Circuit’s decision was flawed because Boston’s policy intentionally discriminated against white and Asian students, citing evidence that the Boston School Committee “put race front and center when it came time to vote on the proposal several weeks later,” including “kick[ing] off with a lengthy statement from ‘anti-racist activist’ Dr. Ibram X. Kendi.” According to Justice Alito, the Committee Chairperson “mocked th[e] names” of three citizens who spoke at the public meeting and “whose names suggested they were of Asian descent.” Justice Alito also cited a series of allegedly anti-white text messages sent by members of the school committee. Justice Gorsuch wrote separately explaining his concurrence in the Court’s denial of certiorari, stating that although he shares Justice Alito’s “significant concerns,” Boston had already “replaced the challenged admissions policy.” Justice Gorsuch stated that “lower courts facing future similar cases would do well to consider” the issues raised in Justice Alito’s concurrence.

On December 10, Students for Fair Admissions (SFFA) filed a complaint against the United States Air Force Academy in the U.S. District Court for the District of Colorado, alleging that the Academy considers race in admissions decisions in violation of the equal protection component of the Fifth Amendment. Students for Fair Admissions v. U.S. Air Force Acad., No. 1:24-cv-03430 (D. Colo. Dec. 10, 2024). SFFA alleges that the Academy impermissibly considers the race of applicants to achieve explicit statistical goals for the racial makeup of each incoming class. SFFA claims that the Academy’s admissions decisions “treat race as a ‘plus factor,’” in violation of Students for Fair Admissions v. President & Fellows of Harvard College. SFFA also alleges that the Academy’s justifications for considering race in admissions—that prioritizing diversity assists with recruiting and retaining top talent and preserves unit cohesion and the Air Force’s legitimacy—are flawed and not meaningfully furthered by the Academy’s admissions policies. SFFA seeks both declaratory relief and a permanent injunction preventing the Academy from considering race in admissions.

On December 11, the Fifth Circuit, sitting en banc, vacated an SEC order approving Nasdaq’s Board Diversity Rules, which required listed companies to disclose board diversity information and to either have at least two board members who satisfied Nasdaq’s definition of “diverse” or to explain why they do not. Writing for a 9-8 majority, Judge Oldman stated that the SEC acted arbitrarily and capriciously in concluding that the Rules were consistent with disclosure requirements of Sections 6(b)(5) and 6(b)(8) of the Securities Exchange Act of 1934 (the “Act”), thus triggering approval under Section 19(b)(2)(C)(i). The en banc majority held that the Rule was not “related to the purposes of the Act simply because it would compel disclosure of information about exchange-listed companies” and that, instead, it must relate to the Act’s primary purpose of “limiting speculation, manipulation, and fraud, and removing barriers to exchange competition.” The court concluded that the Rule is satisfied only “investor demand for any and every kind of information about exchange-listed companies” and that such a purpose was “not remotely similar” to the goals of the Act. In addition, the court held that there was little support for the assertion of a link between the “racial, gender, and sexual composition of a company’s board and the quality of its governance.” As further support for its holding, the majority held that the major-questions doctrine foreclosed the SEC’s interpretation of the Act, reasoning that the Rule involves a novel exercise of statutory power on one of the most “politically divisive issues in the Nation.” In dissent, Judge Higginson concluded that it “was not arbitrary and capricious for the SEC to allow, as consistent with the purposes of the Act, this private ordering disclosure rule about corporate leadership composition” in light of the record evidence indicating investor interest in board diversity. In a press statement, Nasdaq indicated that it will not seek further review of the Fifth Circuit’s decision. Gibson Dunn represented Nasdaq in this matter.

On December 11, a South Carolina resident of Chinese, Cuban, and Spanish descent filed a complaint against Governor Henry McMaster in federal court, alleging that membership on the state’s Commission for Minority Affairs is unlawfully restricted on the basis of race. Under South Carolina Code Section 1-31-10, the Governor is responsible for appointing the Commission’s nine members, of whom a “majority . . . must be African American.” The plaintiff, who alleges she “is ready, willing, and able to serve” on the Commission, seeks declaratory and injunctive relief on the ground that the racial quota violates the Fourteenth Amendment.

The Equal Protection Project (EPP) has filed civil rights complaints with the U.S. Department of Education’s Office for Civil Rights (OCR) against three public universities. On November 14, the EPP challenged the University of Minnesota College of Design’s “BIPOC Design Justice Initiative” as unlawfully discriminatory under the Fourteenth Amendment and Title VI because it allegedly “conditions eligibility for participation” on “a student’s race, ethnicity, and skin color.” The organization filed a similar Title VI and Fourteenth Amendment challenge against Northern Illinois University’s Center for Black Studies, which sponsors and promotes the “Black Male Achievement Program” and “Black Male Initiative.” And on December 11, EPP filed a complaint against the University of Rhode Island for offering 51 different scholarships that “discriminate based on race and/or sex” in alleged violation of Title VI, Title IX, and the Fourteenth Amendment.

On December 10, EPP received a letter from OCR providing notice of OCR’s dismissal of EPP’s complaint against Western Kentucky University. EPP had alleged that Western Kentucky’s Athletics Minority Fellowship discriminated based on race and national origin, but OCR dismissed the complaint after Western Kentucky discontinued the Fellowship and removed any reference to it from the university’s website.

Media Coverage and Commentary:

Below is a selection of recent media coverage and commentary on these issues:

Law360, “DEI Attacks, Hybrid Work, Paid Leave: 2024’s Workplace Shifts” (December 18): Law360’s Anne Cullen reports on the “major evolutions in workplaces in 2024,” including a dramatic escalation in challenges to employers’ diversity, equity and inclusion programs. According to Jason Schwartz, co-leader of Gibson Dunn’s labor and employment practice group, “[t]here’s been a huge demand for DEI-related advice and a huge uptick in DEI-related litigation.” Cullen notes that Gibson Dunn’s DEI Task Force is tracking 58 DEI-related cases filed in 2024 alone, and Schwartz predicts that lawsuits seeking to dismantle workplace DEI efforts “will be even more accelerated next year.” Schwartz says that “[t]here’s a lot of interest by clients to do audits of their DEI programs to make sure they’re compliant and they’re not taking on too much risk in the current environment,” but he notes that most employers “are revising their programs and communications, but not completely backing away.”
Reuters, “DOJ v. DEI: Trump’s Justice Department Likely to Target Diversity Programs” (December 10): Andrew Goudsward of Reuters reports that President-elect Donald Trump is expected to throw the weight of the Justice Department behind challenges to DEI programs in higher education. Goudsward reports that Trump has tapped lawyer Harmeet Dhillon to oversee the DOJ’s Civil Rights Division, which was created in 1957 to enforce federal antidiscrimination laws. In announcing Dhillon’s nomination, Trump emphasized her past work “suing corporations who use woke policies to discriminate against their workers.” Goudsward speculates that Dhillon’s appointment may not have a direct effect on private entities’ DEI programming, as the Division generally lacks the authority to enforce federal antidiscrimination laws against private employers. Goudsward also writes that the Equal Employment Opportunity Commission—the sole federal agency with that power—may retain a Democratic majority until 2026. However, Goudsward notes that the Division “can bring employment discrimination cases against state and local governments.”
The Guardian, “Trump Promises a Crackdown on Diversity Initiatives. Fearful Institutions Are Dialing Them Back Already” (December 5): Reporting for The Guardian, Alice Speri writes that institutions are bracing for an increase in threats to DEI initiatives under the incoming presidential administration. Speri says that President-elect Donald Trump and his advisors have threatened to withhold funding from universities that maintain DEI initiatives, and have “pledged to dismantle diversity offices across federal agencies, scrap diversity reporting requirements and use civil rights enforcement mechanisms to combat diversity initiatives.” According to Speri, this messaging has led institutions to reevaluate their programming, with some worrying that the federal policies will have a “domino effect on other states, on foundations, [and] on individual donors.” David Glasgow, the executive director of the Meltzer Center for Diversity, Inclusion, and Belonging, says that “people who do this work are nervous and anxious about what might be restricted but their commitment is still there, so it’s really about trying to figure out what they’re going to be able to do.”
PoliticoPro, “Companies Feel the Squeeze As Republicans Intensify Attacks on ESG, DEI” (December 10): Politico’s Jordan Wolman reports that companies continue to reassess and scale back DEI and environmental sustainability efforts in anticipation of increased hostility under the upcoming Trump administration and Republican Congress, as well as in response to “questions about companies’ ability to articulate clear financial justifications for such programs.” An October report from nonprofit think tank The Conference Board reveals that although companies are walking back public discussion of and support for DEI initiatives, many of their actual diversity efforts will remain in place: the study found that 60 percent of executives view the political and social climate as challenging, yet fewer than 10 percent of firms plan to reduce DEI resources over the next three years.
National Bureau of Economic Research (NBER), “Long-Term Effects of Affirmative Action Bans” (December 1): NBER’s Leonardo Vasquez reports on new research on state-level bans of affirmative action in higher education. Economists Francisca M. Antman (University of Colorado), Brian Duncan (University of Colorado), and Michael Lovenheim (Cornell University) examined outcomes for underrepresented groups in four states—Texas, California, Washington, and Florida—that have implemented affirmative action bans. Antman, Duncan, and Lovenheim found the bans were correlated with reduced educational attainment for Black and Hispanic students, and some labor market consequences. For example, according to the authors, in states with bans, Hispanic women were less likely to complete college, earned less, and had lower employment rates than peers in states without bans. Black men, on the other hand, reportedly had higher employment rates and earned more relative to white men. However, the researchers cautioned that other contextual factors are at work in determining the impact of affirmative action bans on college attendance.

Case Updates:

Below is a list of updates in new and pending cases:

1. Contracting claims under Section 1981, the U.S. Constitution, and other statutes:

Alexandre v. Amazon.com, Inc., No. 3:22-cv-1459 (S.D. Cal. 2022); No. 24-3566 (9th Cir.): On September 29, 2022, white, Asian, and Native Hawaiian plaintiffs, on behalf of a putative class of past and future Amazon “delivery service partner” program applicants, challenged an Amazon program that provides $10,000 grants to qualifying delivery service providers who are “Black, Latinx, and Native American entrepreneurs.” Plaintiffs alleged the program violates California state anti-discrimination laws. On May 23, 2024, Judge Michael M. Anello granted Amazon’s motion to dismiss based on the plaintiffs’ lack of standing and failure to state a claim. The plaintiffs appealed to the Ninth Circuit.
- Latest update: On December 4, 2024, Amazon filed its answering brief arguing that the district court properly held that the plaintiffs lacked standing, and that even if they had standing, they failed to state a claim. On December 11, a coalition of organizations led by the Lawyers’ Committee for Civil Rights Under Law filed an amicus brief in support of Amazon, arguing that the plaintiffs lack standing and that allowing the claims to proceed would undermine the congressional intent of Section 1981.
Do No Harm v. Lee II, No. 3:24-cv-01334 (M.D. Tenn. 2024): On November 7, 2024, Do No Harm sued Tennessee Governor Bill Lee, seeking to enjoin Tennessee laws that require the governor to consider racial minorities for appointment to the Board of Chiropractic Examiners and the Board of Medical Examiners. Do No Harm alleges that this racial consideration requirement violates the Equal Protection Clause. This case mirrors Do No Harm v. Lee, currently on appeal in the Sixth Circuit, which seeks to enjoin a law requiring consideration of racial minority candidates for the Board of Podiatric Medical Examiners (No. 3:23-cv-01175-WLC (M.D. Tenn. 2023)).
- Latest update: On December 5, 2024, Do No Harm moved for a preliminary injunction.
American Alliance for Equal Rights v. Southwest Airlines Co., No. 24-cv-01209 (N.D. Tex. 2024): On May 20, 2024, American Alliance for Equal Rights (AAER) filed a complaint against Southwest Airlines, alleging that the company’s ¡Latanzé! Travel Award Program, which awards free flights to students who “identify direct or parental ties to a specific country” of Hispanic origin, unlawfully discriminates based on race. AAER seeks a declaratory judgment that the program violates Section 1981 and Title VI, a temporary restraining order barring Southwest from closing the next application period (set to open in March 2025), and a permanent injunction barring enforcement of the program’s ethnic eligibility criteria. On August 22, 2024, Southwest moved to dismiss, arguing that the case was moot because the company had signed a covenant with AAER that eliminated the challenged provisions from future program application cycles.
- Latest update: On December 6, 2024, the court granted in part and denied in part Southwest’s motion to dismiss. The court concluded that Southwest’s covenant to eliminate the program rendered moot any claims for declaratory or injunctive relief. However, the court held that it had jurisdiction over the plaintiff’s claims for one cent in nominal damages and allowed those claims to proceed. The court rejected Southwest’s argument that Southwest mooted those claims through an “unsuccessful tender of one cent to [AAER].”
Landscape Consultants of Texas, Inc. v. City of Houston, No. 4:23-cv-3516–DH (S.D. Tex. 2023): White-owned landscaping companies challenged the City of Houston’s government contracting set-aside program for “minority business enterprises” as violating the Fourteenth Amendment and Section 1981.
- Latest update: On November 29, 2024, plaintiffs and Defendant Midtown Management District filed cross-motions for summary judgment. Midtown Management argued that the plaintiffs failed to show the constitutionality of the programs. The City of Houston filed its own motion for summary judgment on November 30, contending that the plaintiffs lack standing and that the programs satisfy the requirements of the Equal Protection Clause.

2. Employment discrimination and related claims:

Smith v. Ally Financial Inc., 3:24-cv-00529 (W.D.N.C. 2024): A former employee sued Ally Financial Inc., asserting violations of Title VII and Section 1981. The plaintiff claims that Ally failed to promote him, instead promoting a white woman, a Black woman, and a Black man. The plaintiff also claims that Ally executives unlawfully considered race and gender when making promotion and hiring decisions, pointing to a statement on the company’s website describing Ally’s goal to achieve “a collective environment of different voices and perspectives.”
- Latest update: On December 10, 2024, the plaintiff filed a stipulation of voluntary dismissal of all claims based on alleged emotional injuries or pain and suffering. The plaintiff’s claims for damages based on lost wages and loss of professional and career development opportunities remain pending.

3. Board of Director or Stockholder Actions:

Craig v. Target Corp., No. 2:23-cv-00599-JLB-KCD (M.D. Fl. 2023): America First Legal sued Target and certain Target officers on behalf of a shareholder, claiming the board falsely represented that it monitored social and political risk, when instead it allegedly focused only on risks associated with not achieving ESG and DEI goals. The plaintiffs allege that Target’s statements violated Sections 10(b) and 14(a) of the Securities Exchange Act of 1934 and that Target’s May 2023 Pride Month campaign triggered customer backlash and a boycott that depressed Target’s stock price.
- Latest update: On December 4, 2024, the district court denied defendant’s motion to dismiss, concluding that the plaintiffs sufficiently pleaded both their Section 10(b) and Section 14(b) claims.

The following Gibson Dunn attorneys assisted in preparing this client update: Jason Schwartz, Mylan Denerstein, Blaine Evanson, Molly Senger, Zakiyyah Salim-Williams, Matt Gregory, Zoë Klein, Cate McCaffrey, Alana Bevan, Jenna Voronov, Emma Eisendrath, Felicia Reyes, Allonna Nordhavn, Janice Jiang, Laura Wang, Maya Jeyendran, Kristen Durkan, Ashley Wilson, Lauren Meyer, Kameron Mitchell, Chelsea Clayton, Albert Le, Emma Wexler, Heather Skrabak, and Godard Solomon.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following practice leaders and authors:

Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group
Washington, D.C. (+1 202-955-8242, [email protected])

Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group
Los Angeles (+1 213-229-7107, [email protected])

Mylan L. Denerstein – Partner & Co-Chair, Public Policy Group
New York (+1 212-351-3850, [email protected])

Zakiyyah T. Salim-Williams – Partner & Chief Diversity Officer
Washington, D.C. (+1 202-955-8503, [email protected])

Molly T. Senger – Partner, Labor & Employment Group
Washington, D.C. (+1 202-955-8571, [email protected])

Blaine H. Evanson – Partner, Appellate & Constitutional Law Group
Orange County (+1 949-451-3805, [email protected])

We are pleased to provide you with Gibson Dunn’s ESG update covering the following key developments during November 2024. Please click on the links below for further details.

I. GLOBAL

COP29 highlights: United Nations (UN) climate talks conclude with climate pledge for developing countries, climate financing goals, and disclosure initiatives

In late November, delegates at COP29, the UN’s annual climate summit, agreed to provide annual funding of $300 billion for developing countries. While the total is three times the previous goal of $100 billion, the funding fell short of the $1 trillion in assistance sought by the recipient countries. The nearly 200 delegate countries further set a goal to scale climate financing from public and private sources to at least $1.3 trillion by 2035. Delegates also agreed to standards for a UN-backed global carbon market to facilitate carbon credit trading.

At COP29, the Global Reporting Initiative (GRI) and CDP signed a memorandum of understanding demonstrating their agreement to increase their technical alignment through streamlined disclosures and allow disclosing companies to use CDP’s annual questionnaire to report data in accordance with GRI’s environmental, social, and economic standards. Through the new agreement, GRI and CDP will increase the interoperability of their assessment tools in an effort to benefit the over 14,000 organizations that use GRI standards and more than 24,800 companies that disclose through CDP.

Institutional Shareholder Services Environmental, Social, and Governance (ISS ESG) launches customizable version of its Climate Impact Report

On November 21, 2024, ISS ESG launched a new version of its Climate Impact Report that investors can customize to better understand their climate impact. Investors can tailor the Scenario Alignment portion of the Climate Impact Report by choosing between a standard package, incorporating two models, or an advanced package, incorporating five models. The report will show investors outputs and charts developed from their chosen model, and up to 22 possible scenarios are available. This new offering features sectoral analysis and uses models from the International Energy Agency, the Network for Greening the Financial System, and the UN Environment Programme.

Glass Lewis publishes 2025 Proxy Voting Policy Guidelines

On November 14, 2024, proxy advisor Glass Lewis released its 2025 Proxy Voting Policy Guidelines for the U.S., UK, and Europe. These guidelines will apply to shareholder meetings held after January 1, 2025, and include additional guidance on board oversight of artificial intelligence, board responsiveness to shareholder proposals, and change-in-control provisions for executive compensation. The guidelines also describe how Glass Lewis will evaluate shareholder proposals on corporate use of artificial intelligence technology. View the policy guidelines by market here.

International Organization for Standardization (ISO) releases ESG Implementation Principles (IWA 48) for implementing ESG principles

ISO published IWA 48 in mid-November. These principles are meant to support companies’ efforts to implement ESG reporting practices into the organization and produce consistent, comparable, and reliable disclosures. While the framework is designed for organizations of all sizes and sectors, small and medium-sized enterprises, organizations in developing countries, and top-level decision-makers are expected to find the principles particularly beneficial. ISO aims to advance global adoption of ESG practices through its publication of IWA 48.

The International Financial Reporting Standards (IFRS) Foundation releases report detailing corporate climate disclosures

On November 12, 2024, the IFRS Foundation released a progress report detailing advancements in mandated and voluntary corporate climate-related disclosures. The IFRS Foundation is now responsible for recording companies’ disclosure progress following the disbanding of the Task Force on Climate-related Financial Disclosures (TFCD) disbanding in October 2023. The report focuses on how closely corporate climate-related disclosures align with the TCFD recommendations and whether reporting referenced the International Sustainability Standards Board (ISSB) standards. While 82% of reviewed companies disclosed information using at least one of the 11 TCFD recommendations, less than 3% disclosed in line with all 11 recommendations. Over 1,000 companies were noted as referencing the ISSB. The report also described progress towards ISSB reporting within legal or regulatory frameworks across 30 jurisdictions.

The International Auditing and Assurance Standards Board (IAASB) releases International Standard on Sustainability Assurance 5000 (ISSA 5000), updating general requirements for sustainability assurance engagements

On November 12, 2024, the IAASB released the ISSA 5000, which provides standalone, general requirements for external sustainability assurance engagements. The standard is designed to apply to disclosures for any sustainability topic across various frameworks and to be used by professional accountants as well as non-accountant assurance professionals. The ISSA 5000 is certified by the Public Interest Oversight Board, which oversaw the development of the standards. The Final Pronouncement of the ISSA 5000 is available here.

II. UNITED KINGDOM

UK Prime Minister launches Global Clean Power Alliance (Alliance) to accelerate energy transition

On November 19, 2024, UK Prime Minister Kier Starmer launched the Alliance at the G20 Summit in a joint statement with Brazil’s President Luiz Inácio Lula da Silva. The Alliance aims to support emerging and developing economies with the transition to clean energy and builds on commitments made at the COP28 climate summit to triple renewable energy capacity and double the global rate of energy efficiency. Founding members of the Alliance are Brazil, Australia, Barbados, Canada, Chile, Colombia, France, Germany, Morocco, Norway, Tanzania, and the African Union. The United States and the EU have also partnered with the UK on the initiative.

The Alliance will address the most critical energy transition issues through a series of “missions.” The first of these is the Finance Mission, co-led by the UK and Brazil, which focuses on unlocking private sector finance for renewable energy projects in developing nations.

UK Chancellor announces series of sustainable finance initiatives at inaugural Mansion House Speech

On November 14, 2024, Chancellor of the Exchequer Rachel Reeves announced the UK’s long-term sustainable finance framework through a series of policy measures and consultation publications. These initiatives were stated to align with the government’s aim to “harness the strengths of the financial services sector” to make the UK a “global leader in sustainable finance.” The Chancellor then proposed a set of integrity principles for voluntary carbon and nature markets at COP29 on November 15, 2024.

The Chancellor also announced a consultation seeking views of the value of implementing a green taxonomy in the UK, specifically whether it would be additional and complementary to existing sustainable finance policies. The consultation closes on February 6, 2025. In addition, the government plans to announce a transition plan consultation in the first half of 2025 alongside a consultation on UK Sustainability Reporting Standards disclosure requirements for “economically significant” companies in line with the ISSB standards.

HM Treasury publishes its consultation response on the regulation of ESG ratings providers

On November 14, 2024, HM Treasury (the UK Government’s economic and finance ministry) published a consultation response paper on a future regulatory regime for ESG ratings providers together with draft legislation which applies to both the UK and overseas based ESG ratings providers. This follows a previous consultation published on March 30, 2023, which closed on June 30, 2023. A new regulated activity will be introduced and ESG ratings providers will need to obtain authorization from the UK Financial Conduct Authority and comply with the regulatory regime on an on-going basis. The consultation remains open for comment until January 14, 2025. HM Treasury intends to present the final statutory instrument in Parliament in 2025.

UK to become one of the first countries to ban new coal mines

On November 14, 2024, the UK Government announced it will introduce legislation that will prohibit licences for new coal mines. This follows the closure on September 31, 2024, of the UK’s last coal-fired power station at Ratcliffe-on-Soar. There may be limited exceptions required for restoration or maintenance of safety. The announcement follows the UK Government’s commitment to release GBP 1.5 billion previously being withheld from former miners’ pensions following the privatization of British Coal in 1994. On November 29, 2024, over 100,000 former mineworkers received their first pension increase of 32%.

UK Government confirms the introduction of a clean industry bonus for offshore wind developers

On November 11, 2024, UK Prime Minister Kier Starmer announced the Clean Industry Bonus (CIB), an initiative aimed at encouraging offshore wind developers to invest in key industrial regions, coastal communities and oil and gas hubs. The CIB will provide GBP 27 million per gigawatt of offshore wind projects, with potential funding of up to GBP 200 million for projects between seven and eight gigawatts. This bonus aims to accelerate investment in sustainable, local suppliers specifically in industrial communities across Scotland, Wales, and Northern England.

Financial Reporting Council (FRC) announces consultation on UK Stewardship Code

On November 11, 2024, the FRC published a consultation on proposed revisions to the 2020 UK Stewardship Code. The consultation aims to streamline reporting requirements and reduce burdens for signatories whilst ensuring the Code provides a clearer focus on purpose of stewardship and the outcomes it intends to deliver. Key proposals set out in the consultation include (i) a revised definition of stewardship that emphasises the need to create long-term sustainable value for clients and beneficiaries as a key outcome of good stewardship; (ii) a reordered and streamlined reporting process including a new process for FRC evaluations which will focus on activities and outcomes rather than ongoing policies; (iii) two sets of Principles, one for asset owners and asset managers, and the other for service providers and (iv) new guidance to support effective implementation and help signatories with the transition to the new reporting arrangements. The consultation ends on February 19, 2025. An updated Stewardship Code is expected to be published in the first half of 2025 with an effective date of January 1, 2026.

UK Financial Conduct Authority (FCA) publishes pre-contractual disclosure examples for the Sustainability Disclosure Requirements and investment labels regime

On November 1, 2024, the FCA published non-exhaustive illustrative examples and approaches across a selection of labels to showcase how firms can meet the pre-contractual disclosure requirements with respect to sustainable investment products. The Sustainability Disclosure Requirements and investment labels regime entered into force on December 2, 2024, although firms have been using investment labels since July 31, 2024. A key concept of the new regime is that to qualify for a label, firms must meet specific criteria supported by disclosures.

III. EUROPE

European Financial Reporting Advisory Group (EFRAG) Sustainability Reporting Technical Expert Group approves draft of reporting standards for non-EU entities

Under Article 40a of the Accounting Directive as amended by the Corporate Sustainability Reporting Directive (CSRD), certain in-scope EU entities are required, starting with financial year 2028 (reporting in 2029), to publish and make accessible a sustainability report covering information at group level of their non-EU ultimate parent. For such reports the European Commission will adopt specific reporting standards, known as the Non-European Sustainability Reporting Standards (NESRS), by June 30, 2026, at the latest, to be developed by EFRAG.

On November 21, 2024, the EFRAG Sustainability Reporting Technical Expert Group (TEG) approved the first sector agnostic NESRS draft. The NESRS draft was prepared by tailoring the existing European Sustainability Reporting Standards (ESRS) to non-EU groups. The EFRAG Sustainability Reporting Board (SRB) will review these drafts in December 2024. Public consultation begins Q1 2025, lasting 120 days, with final drafts due by end of 2025.

The NESRS have lighter disclosure obligations than the ESRS. The NESRS require only impact materiality reporting, without the need for a financial materiality assessment. They allow excluding impacts of sales or services outside the EU from the sustainability report. However, unlike the ESRS, they lack transitional provisions for the first years of reporting. Taxonomy reporting is required at the EU undertaking level, consistent with the CSRD, but not under the NESRS.

For the avoidance of doubt, the NESRS will not apply to consolidated CSRD reporting by a non-EU parent in order to exempt the in-scope EU entities according to the Article 29a (8)/19a (9) Accounting Directive. For such reporting the full ESRS apply for the time being until standards for sustainability statements by non-EU undertakings have been developed in accordance with the Article 29b Accounting Directive.

ESG ratings: The Council of the European Union (Council) greenlights new regulation

On November 19, 2024, the Council adopted a regulation on ESG rating activities to enhance consistency, transparency, and comparability within the EU, boosting investor confidence in sustainable financial products. ESG ratings assess a company’s or financial instrument’s sustainability profile and related risks.

The new regulation aims to improve the reliability of ESG ratings by increasing transparency and operational integrity while preventing conflicts of interest. ESG rating providers in the EU must be authorized and supervised by the European Securities and Markets Authority (ESMA) and follow transparency requirements regarding their methodologies and information sources. Non-EU providers must either obtain endorsement from an EU-authorized provider or be included in the EU registry based on an equivalence decision.

European Commission publishes Commission Notice on the interpretation of certain legal provisions of the CSRD

On November 13, 2024, the European Commission finalized its sustainability reporting FAQ document initially published as a draft in August 2024; the final document contains only minor changes to the August draft. This document interprets certain provisions of the CSRD and other related directives and regulations.

The FAQs, now published in the Official Journal of the EU (C/2024/6792), intend to help companies implement legal requirements and ensure the comparability of sustainability information. They provide clarity on application requirements, exemptions, reporting formats, value chain reporting, use of estimates, third-country company reporting, and audit requirements.

Key topics include:

Application and exemption options from sustainability reporting.
First-time application of sustainability reporting and its format.
Reporting over the value chain and using estimates.
Reporting by third-country companies, focusing on Article 40a Accounting Directive.
Assurance on sustainability reporting.

European Commission provides further clarifications (FAQs) on the EU taxonomy for sustainable economic activities

On November 8, 2024, the European Commission published a new Commission Notice (C/2024/6691) on the interpretation and implementation of certain legal provisions of the EU taxonomy regulatory framework, followed by another draft Commission Notice on November 29, 2024. The Commission Notices contain FAQs to help stakeholders implement the EU taxonomy, a system for classifying sustainable economic activities. This effort is part of further simplifying the disclosure process and reducing administrative burdens for the undertakings applying the EU sustainable finance framework and complements the previous four Commission Notices (2022/C 385/01, 2023/C 211/01, C/2023/267, C/2023/305) that have been published on the EU Taxonomy and its Delegated Acts so far.

The new FAQs offer technical clarifications on general taxonomy requirements, specific activity criteria in the Taxonomy Climate and Environmental Delegated Acts, and the “do no significant harm” criteria. They also clarify the reporting obligations under both the Climate and Environmental Delegated Acts.

CSRD Transposition

The Belgian House of Representatives approved the draft bill transposing CSRD in Belgium on November 28, 2024. On November 30, 2024, Slovenia transposed the CSRD in its Companies Act (ZGD-1M). An overview of the transposition of CSRD into national laws can be found here.

In case you missed it…

On November 21, 2024, Gibson Dunn presented a webcast on the common challenges facing U.S. businesses subject to the CSRD. The webcast and related resources are available here.

IV. NORTH AMERICA

California solicits input on—and issues enforcement update for—future climate reporting

As described in our recent blog post, on December 16, the California Air Resources Board issued a request for public feedback and information regarding certain implementing regulations for Senate Bill (SB) 253 (the Climate Corporate Data Accountability Act) and SB 261 (the Climate-Related Financial Risk Act). The request for comments came less than two weeks after CARB’s recent enforcement notice, issued December 5, addressing the greenhouse gas emissions reporting requirements under SB 253.

Eleven state Attorneys General sue large institutional investors alleging a conspiracy to constrict the coal market

On November 27, 2024, 11 state Attorneys General alleged in a federal lawsuit in Texas that BlackRock, Inc., State Street Global Advisors, and The Vanguard Group illegally manipulated the coal market through their investments in publicly traded coal companies. Led by Texas Attorney General Ken Paxton, the group claims that the top three U.S. asset managers used their holdings to push coal companies to reduce their output in violation of U.S. antitrust law and state antitrust laws. In the filing, the plaintiffs consider past and present membership in climate coalitions, such as Climate Action 100+ and the Net Zero Asset Managers initiative, as evidence of collective influence indicating a threat to competition.

Shareholders of major food and drink manufacturers issue public letter requesting greater disclosure regarding healthiness of products

On November 21, 2024, shareholders sent a public letter calling on the chief executives of several large public companies in the food and beverage industry to boost transparency regarding the healthiness of their products. Investors urged the companies to adopt international nutrition profiling models as part of their public disclosures, in addition to particular healthiness metrics. Investors pointed to the impact of unhealthy food sales on productivity, economic growth, and financial returns from their investments as drivers for why such disclosure is needed.

Paul Atkins nominated to lead the U.S. Securities and Exchange Commission (SEC)

On November 21, 2024, the SEC announced that Chair Gary Gensler will resign from his role effective midnight on January 20, 2025. Gensler has served as SEC Chair since April 2021. On December 4, 2024, President-elect Donald Trump selected former SEC Commissioner (2002-2008) Paul Atkins as his intended nominee for SEC Chair. If appointed, Atkins is expected to represent a shift in priorities from the Gensler-led SEC. Atkins has served as co-chair of the Token Alliance of the Digital Chamber of Commerce since 2017. In response to the SEC’s proposed climate change disclosure rules in 2022, Atkins and other former SEC commissioners submitted a comment letter to the proposal, noting it “oversteps the Commission’s congressionally delegated regulatory authority” and that the SEC’s “rulemaking powers simply do not authorize it to require disclosure of the vast quantities of immaterial information.”

U.S. Department of Energy (DOE) releases first-ever clean energy blueprint

On November 18, 2024, the U.S. DOE released its first-ever national blueprint for the manufacturing sector to harness clean energy to build on American manufacturing growth. Titled “The National Blueprint for a Clean & Competitive Industrial Sector,” the blueprint is designed to be led by the private sector. It features five “whole-of-government strategies” to guide federal government involvement: (1) in the near term, accelerate commercially available, cost-effective lower carbon solutions; (2) demonstrate emerging solutions at commercial scale; (3) increase data use to drive emissions reductions and efficiency gains; (4) innovate and advance research to develop transformative processes and products for large greenhouse gas (GHG) emissions reductions; and (5) integrate across the product life cycle to minimize waste and reduce industrial products’ embodied GHG emissions. The blueprint was developed with input from other federal agencies, including the Environmental Protection Agency and Department of Commerce.

SEC charged Invesco Advisers, Inc. (Invesco) for making misleading statements regarding the percentage of assets that integrate ESG factors in investment decisions

On November 8, 2024, the SEC charged Invesco for misleading investors with marketing materials that misstated the percentage of “ESG integrated” assets under management, in violation of the Investment Advisers Act of 1940. In particular, between 2020 and 2022, Invesco claimed that ESG-integrated assets made up 70-94% of its parent company’s assets under management. The SEC order stated that Invesco lacked a clear definition of ESG integration and that the assets included a significant amount held in passive exchange-traded funds without consideration for ESG factors. Invesco agreed to settle the charges by paying a $17.5 million civil penalty.

Challenge to California’s climate disclosure laws progresses to discovery phase

On November 5, 2024, a federal judge in the U.S. District Court for the Central District of California denied a motion for summary judgment by business groups challenging the state’s new climate disclosure laws, Senate Bill (“SB”) 253 and SB 261. The plaintiffs, including the U.S. Chamber of Commerce and business groups, argued that California’s climate disclosure laws conflict with federal regulations and violate the First Amendment by compelling speech. The federal court did not address the merits of plaintiffs’ claims. Instead, the court allowed the case to proceed to the discovery phase for further factual development.

The climate disclosure laws were signed into law by California Governor Gavin Newsom on October 7, 2023. SB 253 requires certain companies to make annual greenhouse gas emissions disclosure, while SB 261 mandates biennial climate-related financial risk disclosure. For further details on SB 253 and SB 261, please see our client alerts on the adoption and amendment of the laws.

In case you missed it…

The Gibson Dunn Workplace DEI Task Force has published its updates for November summarizing the latest key developments, media coverage, case updates, and legislation related to diversity, equity, and inclusion.

V. APAC

Five firms adopt Hong Kong’s Code of Conduct for ESG Ratings and Data Products Providers (the Code)

As covered in our October update, the International Capital Market Association (ICMA) published a voluntary Code of Conduct that aims to establish and promote a globally consistent, interoperable, and proportionate voluntary code for providers offering ESG ratings and data products and services in Hong Kong. Five firms have now adopted the Code: Bloomberg, CDP, MioTech, Moody’s, and MSCI ESG Research LLC. The Code is modeled on international best practices and sponsored by the Hong Kong Securities and Futures Commission. It is closely aligned to the recommendations by the International Organization of Securities Commissions’ Report on “Environmental, Social and Governance (ESG) Ratings and Data Products Providers”.

Association of Southeast Asian Nations (ASEAN) stock exchanges to develop harmonized ESG data infrastructure

On November 27, 2024, representatives from stock exchanges across ASEAN met in Malaysia to develop the ASEAN-level ESG data infrastructure, known as the ASEAN-Interconnected Sustainability Ecosystem (ASEAN-ISE). The aim of ASEAN-ISE is to enable accurate, efficient and standardized ESG data collection, analysis, and reporting, to promote sustainable investment in the region. At the conference, ASEAN-ISE members agreed to issue a request for information (RFI) to identify solutions that will support the initiative in achieving its target outcomes over the next three years. In a joint statement, Indonesia Stock Exchange (IDX), the Philippine Stock Exchange (PSE), the Stock Exchange of Thailand (SET), and Singapore Exchange (SGX) said “[t]he RFI outlines the framework for a unified data infrastructure, emphasizing the development of an interconnected ecosystem to facilitate seamless ESG data exchange, ensuring a sustainable operating model that can promote market accessibility through an ESG lens.”

Hong Kong Monetary Authority (HKMA) launches Enhanced Competency Framework on Green and Sustainable Finance (ECF-GSF) (Professional Level)

On November 21, 2024, the HKMA launched its Professional Level ECF-GSF, aimed at helping mid- to senior-level banking practitioners “acquire specialised domain knowledge related to GSF and develop professional competencies in the GSF-related area.” The ECF-GSF sets out the competency standards for banking practitioners performing GSF-related functions in the banking industry in Hong Kong. The HKMA has been working with the banking industry and relevant professional bodies to implement an industry-wide framework across all levels of the banking industry. It hopes that this will enable more effective training for new entrants and professional development for existing practitioners, helping to maintain Hong Kong’s status as a leading international financial center. The ECF is not a mandatory licensing regime, but the HKMA strongly encourages banks to adopt it as a benchmark to enhance the level of core competence and on-going professional development amongst personnel.

Singapore joins EU and China in expanded green financing taxonomy

On November 14, 2024, Singapore joined the EU and China in an expanded taxonomy on green financing at the COP29 climate summit. With the publication of the new taxonomy, known as the Multi-Jurisdiction Common Ground Taxonomy (M-CGT), the bilateral EU-China CGT was expanded to include the Singapore-Asia Taxonomy (SAT). This will enhance the inter-operability of taxonomies across China, the EU, and Singapore. The M-CGT contains 110 economic activities across eight sectors that could be eligible for green financing. It serves as a technical reference document for financial institutions, corporations, investors and external reviewers, allowing them to assess what is considered green across the three jurisdictions. While noting that the M-CGT is not legally binding, the Monetary Authority of Singapore (MAS) said in a press release that “green bonds and funds that align with the M-CGT criteria can be considered by cross-border investors whose markets reference the taxonomies which are mapped to M-CGT, subject to applicable laws and regulations of each jurisdiction.”

The following Gibson Dunn lawyers prepared this update: Lauren M. Assaf-Holmes, Alexa Bussmann, Mitasha Chandok, Martin Coombes, Becky Chung, Ferdinand Fromholzer, Elizabeth Ising, Sarah Leiper-Jennings, Vanessa Ludwig, Johannes Reul, Helena Silewicz*, and Katie Tomsett.

*Helena Silewicz, a trainee solicitor in London, is not admitted to practice law.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Environmental, Social and Governance practice group:

ESG Practice Group Leaders and Members:
Susy Bullock – London (+44 20 7071 4283, [email protected])
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, [email protected])
Perlette M. Jura – Los Angeles (+1 213.229.7121, [email protected])
Ronald Kirk – Dallas (+1 214.698.3295, [email protected])
Michael K. Murphy – Washington, D.C. (+1 202.955.8238, [email protected])
Robert Spano – London/Paris (+33 1 56 43 13 00, [email protected])

This update provides a chart of pay transparency laws with recent and upcoming effective dates that employers should review and monitor.

2024 has been the year of new state pay transparency laws, and there appears to be no end in sight. Most recently, on November 18, 2024, New Jersey Governor Philip D. Murphy signed a bill into law that will require New Jersey employers to disclose certain compensation and benefit information in internal and external job postings and advertisements. It is slated to take effect on June 1, 2025. These laws add to the growing panoply of states and localities that have previously enacted pay transparency laws, including California, Colorado, Connecticut, Hawaii, Nevada, New York City and State, Rhode Island, and Washington State.[1]

While state pay transparency laws generally require disclosure of compensation information in an effort to address potential gender and race pay gaps, each law is different, making nationwide compliance a complex task. For example, some states require the disclosure of a broad spectrum of compensation information—including in some instance healthcare benefits and stock options—while others only require the disclosure of a general pay range. This patchwork of laws can be particularly challenging where a position can be performed remotely, as remote work generally be performed anywhere, and many states’ laws are not entirely clear as to whether their scope includes positions generated in another state but which could, in theory at least, be performed anywhere.

Below is a chart of pay transparency laws with recent and upcoming effective dates that employers should review and monitor.

State	Effective Date	Relevant Statute	Covered Employers	What Must Be Disclosed	Whether Disclosures Are Required for Internal Postings	Remote Work Implications
Illinois	January 1, 2025	820 ILCS 112/10	Employers with 15+ employees. 820 ILCS 112/10(b-25).	Pay scale and benefits (see 820 ILCS 112/10), meaning the “wage or salary, or the wage or salary range, and a general description of the benefits and other compensation, including, but not limited to, bonuses, stock options, or other incentives” (see 820 ILCS 112/5).	Appears to apply to internal opportunities because employers must disclose to applicants “the pay scale and benefits to be offered for the position prior to any offer or discussion of compensation and at the applicant’s request, if a public or internal posting for the job, promotion, transfer, or other employment opportunity has not been made available to the applicant.” 820 ILCS 112/10(b-25) (emphasis added).	Applies to positions that “(i) will be physically performed, at least in part, in Illinois or (ii) will be physically performed outside of Illinois, but the employee reports to a supervisor, office, or other work site in Illinois.” 820 ILCS 112/10(b-25).
Maryland	October 1, 2024	Md. Code Ann., Lab. & Empl. § 3-301 et seq.	Any employer engaged in business in the state of Maryland. Md. Code Ann. § 3-301(b)(1).	Wage range and a general description of benefits and any other compensation offered for the position. Md. Code Ann. § 3-304.2(a)(2)(i).	Disclosures must be made in both public and internal postings. Md. Code Ann. § 3-304.2(a)(2)(i).	Applies only to positions that will be physically performed at least in part in Maryland. Md. Code Ann. § 3-304.2(a)(1).
Massachusetts	July 31, 2025	M.G.L.A. 149 § 105F	Employers with 25+ employees. M.G.L.A. § 105F(a).	Pay range (i.e., annual salary range or hourly wage range). M.G.L.A. §§ 105F(a)-(b).	Appears to apply to internal opportunities because pay range must be disclosed for “a particular and specific employment position in the posting of the position” (see M.G.L.A. § 105F(b), “a particular and specific employment position to an employee who is offered a promotion, or transfer, to a new position with different job responsibilities” (see M.G.L.A. § 105F(c)), and “a particular and specific employment position to an employee holding such position, or to an applicant for such position, upon request” (see M.G.L.A. § 105F(d)).	Statute does not expressly address.
Minnesota	January 1, 2025	Minn. Stat. § 181.173	Employers with 30+ employees. Minn. Stat. § 181.173 (1)(b).	Starting salary range or fixed pay rate and a general description of all benefits and other compensation, including but not limited to any health or retirement benefits. Minn. Stat. § 181.173(2).	The law does not specifically address internal postings, but it applies to “any solicitation intended to recruit job applicants for a specific available position.” Minn. Stat. § 181.173(1)(c).	Statute does not expressly address.
New Jersey	June 1, 2025	P.L.2024, c.91	Employers with 10+ employees over 20 calendar weeks that do business, employ persons, or take applications for employment within the state. P.L.2024, c.91 § 1(e).	Hourly wage or salary (or a range), and a general description of benefits and other compensation programs for which the employee would be eligible. P.L.2024, c.91 § 1(b). Employers must also announce or make known to all current employees in the affected department(s) opportunities for promotion that are advertised internally or externally. P.L.2024, c.91 § 1(a).	Disclosures are required in each posting for new jobs and transfer opportunities that are advertised by the employer either externally or internally. P.L.2024, c.91 § 1(b). Temporary help service firms and consulting firms are also required to provide pay and benefit information to applicants for temporary employment at the time of interview or hire. P.L.2024, c.91 § 1(d).	Statute does not expressly address.
Vermont	July 1, 2025	21 V.S.A. § 495o	Employers with 5+ employees. 21 V.S.A § 495o(c)(3).	Compensation (i.e., salary or hourly wage) or range of compensation. 21 V.S.A §§ 495o(a)(1), (c)(7)(A). If commission-based, must disclose that fact but not required to disclose the compensation or range of compensation. 21 V.S.A § 495o(a)(2)(A). If tip-based, must disclose that fact and the base wage (i.e., hourly rate not including tips) or range of base wages. 21 V.S.A §§ 495o(a)(2)(B), (c)(2).	The law applies to positions that are (1) open to internal and/or external candidates; and (2) positions into which current employees can transfer or be promoted. 21 V.S.A § 495o(c)(8).	Applies to “remote position[s] that will predominantly perform work for an office or work location that is physically located in Vermont.” 21 V.S.A § 495o(c)(8)(A).
Washington, D.C.	June 30, 2024	D.C. Code Ann. § 32-1451 et seq.	Employers with 1+ employee. D.C. Code Ann. § 32-1451(2).	Salary or hourly pay must be disclosed in job listings and position descriptions, and the existence of healthcare benefits must be disclosed to prospective employees before first interview. D.C. Code Ann. § 32-1453.01(a)(1)-(2).	Pay range must be made in all job listings and position descriptions. D.C. Code Ann. § 32-1453.01(a)(1).	Statute does not expressly address.

Text Here

[1] See, e.g., California Enacts Pay Transparency and Disclosure Requirements Effective January 1, 2023, Gibson Dunn (Oct. 11, 2022), https://www.gibsondunn.com/california-enacts-pay-transparency-and-disclosure-requirements-effective-january-1-2023/; New York State Enacts Pay Transparency Law, Gibson Dunn (Jan. 17, 2023), https://www.gibsondunn.com/new-york-state-enacts-pay-transparency-law/; Steps for Colorado Employers to Consider in Light of New Laws Taking Effect in 2024, Gibson Dunn (Dec. 29, 2023), https://www.gibsondunn.com/steps-for-colorado-employers-to-consider-in-light-of-new-laws-taking-effect-in-2024/; City Council Amends New York City Pay Transparency Law, Gibson Dunn (May 2, 2022), https://www.gibsondunn.com/city-council-amends-new-york-city-pay-transparency-law/.

The following Gibson Dunn lawyers assisted in preparing this update: Naima Farrell, Anna Casey, and Jenna Voronov.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding pay transparency laws. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Labor and Employment practice group:

Naima L. Farrell – Partner, Washington, D.C.
(+1 202.887.3559, [email protected])

Jason C. Schwartz – Co-Chair, Washington, D.C.
(+1 202.955.8242, [email protected])

Katherine V.A. Smith – Co-Chair, Los Angeles
(+1 213.229.7107, [email protected])

Jamie Thomas and John Cheah are the authors of “A Note about Jakarta Interbank Offered Rate (JIBOR) Transition” [PDF] published by the Asia Pacific Loan Market Association on December 16, 2024.

Following the presidential election in November, attorneys from Gibson Dunn’s Antitrust and Competition Law Practice Group explore current policies and priorities, and forecast how those may evolve with the new administration. The speakers discuss what companies can expect regarding merger enforcement, civil antitrust investigations and enforcement, and other policy initiatives.

PANELISTS:

Jamie France represents clients in antitrust merger and non-merger investigations before the U.S. Federal Trade Commission, U.S. Department of Justice Antitrust Division, state Attorneys General, and international competition authorities, as well as in complex private and government antitrust litigation. She also counsels clients on a range of antitrust merger and conduct matters. Jamie joined the firm after six years as an attorney in the Mergers IV Division of the Federal Trade Commission’s Bureau of Competition, where she served in lead roles on high-profile merger investigations and enforcement actions. Jamie has significant experience litigating merger challenges and was an integral member of the FTC’s trial teams on FTC v. Thomas Jefferson University, FTC v. Hackensack Meridian Health, FTC v. Sanford Health, FTC v. Advocate Health Care Network, and FTC v. Benco Dental Supply. She was twice honored with the FTC’s Janet D. Steiger Award for her contributions to the Sanford and Advocate litigations.

Admissions: District of Columbia Bar, New York Bar

Svetlana Gans focuses on complex consumer protection and competition matters before the Federal Trade Commission and Department of Justice Antitrust Division, and related Hill advocacy. Svetlana previously served in multiple roles at the Federal Trade Commission for almost a decade. Most recently, she served as the FTC chief of staff in the first Trump Administration and advisor to Acting FTC Chairman Maureen K. Ohlhausen on agency investigations and litigation, interagency coordination, and other matters. In addition to other work, Svetlana led the process reform, regulatory reform, agency transparency, and economic liberty initiatives for the Chairman’s Office. Prior to her elevation to Chief of Staff, Svetlana uniquely served as a senior attorney in both the Bureau of Competition and the Bureau of Consumer Protection, handling merger and consumer protection investigations and litigation.

In addition to her other volunteer work mentoring young lawyers and law students interested in consumer protection and antitrust law, Svetlana serves as an Officer of the ABA Antitrust Law Section and the Chairman of the Federalist Society Corporations, Securities, and Antitrust Executive Committee.

Admissions: District of Columbia Bar

Kristen Limarzi represent clients in merger and non-merger investigations before the DOJ, the Federal Trade Commission, and foreign antitrust enforcers, as well in as appellate and civil litigation. Prior to joining the firm, she served as a top enforcement official in the U.S. Department of Justice’s Antitrust Division, where, as Section Chief, she helped shape and implement the agency’s enforcement priorities and policies for both mergers and other business practices across industries.

Recognized as “Dealmaker of the Year” for 2023 by Global Competition Review, Kristen brings a practical approach to helping clients navigate the increasingly complex antitrust enforcement environment, employing her deep experience with agency practice to achieve successful results in an efficient manner.

Admissions: District of Columbia Bar

Michael Perry represents clients in merger and non-merger related investigations before the U.S. Federal Trade Commission and the U.S. Department of Justice, and complex private and government antitrust litigation. His practice spans a variety of industries, including healthcare and life sciences, energy, and technology, and he is experienced in issues at the intersection of antitrust and intellectual property law. Michael previously served as Counsel to the Director of the Federal Trade Commission’s Bureau of Competition from 2015 to 2016 and as an attorney in the agency’s healthcare division. During his tenure at the FTC, Michael played an integral role in many of the agency’s most significant antitrust enforcement actions, including FTC v. Actavis FTC v. Cephalon, FTC v. Sysco, and FTC v. St. Luke’s Health System.

Admissions: District of Columbia Bar, California Bar

Ryan Foley counsels clients on all aspects of antitrust law, with a focus on complex transactions. He has extensive experience representing clients in all phases of merger review before the U.S. Department of Justice Antitrust Division, Federal Trade Commission, and other competition authorities globally. He has expertise across a broad range of industries, including pharmaceuticals, technology, media, consumer products, and energy. Prior to joining Gibson Dunn, Ryan was the lead antitrust counsel for the Americas at Novartis, where he helped manage deal, litigation, government investigation, and compliance strategy for the global branded and generic pharmaceutical manufacturer.

Admissions: District of Columbia Bar, Virginia Bar

MCLE CREDIT INFORMATION:

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour in the General Category.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

This hub brings together our analyses of the legal and industry impacts stemming from the presidential transition.

Explore insights on how policy changes are shaping key sectors and what businesses can do to navigate the evolving landscape. Check back regularly for future updates and informed perspectives as the transition unfolds.

To subscribe to future mailings, please click here.

5 Transition Tools Trump Could Use To Implement His Agenda – January 9, 2025
Webcast: Expectations for Antitrust in the Trump 2.0 Administration – December 16, 2024
DOGE Details: The Knowns and Unknowns of Trump’s Cost-Cutting Board – December 6, 2024
Regulatory Outlook for International Trade Following the 2024 Election – November 18, 2024
Tools of Transition: Procedural Devices That Could Help the President-Elect Implement His Agenda – November 15, 2024
Regulatory Outlook for Vehicle & Engine Emissions Standards Following the 2024 Presidential Election – November 12, 2024

A Survey of Disclosures from the S&P 100 During the Four Years Following Adoption of the Securities and Exchange Commission Rule.

Human capital resource disclosures by public companies have continued to be a focus since the U.S. Securities and Exchange Commission (the “Commission”) adopted the new rules in 2020, not only for companies making the disclosures, but employees, investors, and other stakeholders reading them. This alert updates the alert we issued in November 2023, “Form 10-K Human Capital Disclosures Continue to Evolve,” available here, and reviews disclosure trends among S&P 100 companies categorized into 28 topic areas. Each of these companies has now included human capital disclosure in their past four annual reports on Form 10-K. This alert also provides practical considerations for companies as we head into 2025.

Overall, our findings indicate that companies are generally making only minor changes to their disclosures year over year, and these minor changes generally included shortening of company disclosures, maintaining or decreasing the number of topics covered, and including slightly less quantitative information in some areas.[1] Specifically, we identified the following trends regarding the S&P 100 companies’ human capital disclosures compared to the previous year:

Length of disclosure. Fifty-seven percent of surveyed companies decreased the length of their disclosures, 34% increased the length of their disclosures, and the length of the remaining 9% remained the same.
Number of topics covered. Forty-one percent of surveyed companies decreased the number of topics covered, 13% increased the number of topics covered, and the remaining 46% covered the same number of topics.
Breadth of topics covered. Across all companies, the prevalence of 10 topics increased, nine topics decreased, and nine topics remained the same.
- The most significant year-over-year increases in frequency involved Culture Initiatives (30% to 35%) and Pay Equity (48% to 50%) disclosures.
- The most significant year-over-year decrease involved COVID-19 disclosures, which declined in frequency from 34% to 1%. Other year-over-year decreases related to disclosures addressing Diversity Targets and Goals (21% to 14%), Diversity in Promotion (29% to 26%), Quantitative Diversity Statistics regarding Gender (63% to 60%), and Community Investment (28% to 25%).
Most common topics covered. This year, the topics most commonly discussed generally remained consistent with the previous two years. For example, Talent Development, Diversity and Inclusion, Talent Attraction and Retention, Employee Compensation and Benefits, and Monitoring Culture remained the five most frequently discussed topics. The topics least discussed this most recent year, however, changed slightly from that of the previous year as COVID-19 disclosures, and Diversity Targets and Goals dropped into the five least frequently covered topics.
Industry trends. Within the technology and finance industries, the trends that we saw in the previous year regarding the frequency of topics disclosed generally remained the same.

I. Background on the Requirements

As we previously discussed in our client alert titled “Discussing Human Capital: A Survey of the S&P 500’s Compliance with the New SEC Disclosure Requirement One Year After Adoption,” available here, on August 26, 2020, the Commission voted three-to-two to approve amendments to Items 101, 103, and 105 of Regulation S-K, including the principles-based requirement to discuss a registrant’s human capital resources to the extent material to an understanding of the registrant’s business taken as a whole.[2] Specifically, public companies’ human capital disclosure must include “the number of persons employed by the registrant, and any human capital measures or objectives that the registrant focuses on in managing the business (such as, depending on the nature of the registrant’s business and workforce, measures or objectives that address the development, attraction, and retention of personnel).”

Notably, since 2021 the Commission’s agenda list has included new human capital disclosure rules that were expected to be more prescriptive than the current rules,[3] in part, because one of the main criticisms of the existing human capital rules is lack of comparability across companies. The future of these rules is even less clear now as Chair Gensler who pushed for these rules (along with other rules, such as climate change) announced that he will be leaving the SEC in January 2025 in light of the new incoming administration. In the meantime, as our survey demonstrates, while company human capital disclosures vary—which is expected under the principles-based regime—comparability across the disclosures exists. The next four sections show the relevant data from our survey.[4]

II. Disclosure Topics

Our survey classifies human capital disclosures into 28 topics, each of which is listed in the following chart, along with the number of companies that discussed the topic in each of 2021, 2022, 2023, and 2024. Each topic is described more fully in the sections following the chart.

A. Workforce Composition

Among S&P 100 companies, 58% included disclosures relating to workforce composition in one or more of the following categories:

Full-time/part-time employee split. While most companies provided the total number of full-time employees, only 14% of the companies surveyed included a quantitative breakdown of the number of full-time versus part-time employees or salaried versus hourly employees, consistent with the previous two years. Similarly, 66% of companies provided statistics on the number of seasonal employees and/or independent contractors or a breakdown of employees by business segment, job function, or geographical location, the same as the previous year, and up from and 60% in 2021.
Unionized employee relations. Of the companies surveyed, 38% stated that some portion of their workforce was part of a union, works council, or similar collective bargaining agreement.[5] These disclosures generally included a statement providing the company’s opinion on the quality of labor relations, and in many cases, disclosed the number of unionized employees.
Quantitative workforce turnover rates. Although a majority of companies discussed employee turnover and the related topics of talent attraction and retention in a qualitative way (as discussed in Section II.B. below), only 19% of companies surveyed provided specific employee turnover rates (whether voluntary or involuntary), consistent with the previous two years.

B. Diversity

Among S&P 100 companies, 97% included disclosures relating to diversity in one or more of the following categories:

Diversity and inclusion. This was the most common diversity-related disclosure topic, with 97% of companies including a qualitative discussion regarding the company’s commitment to diversity, equity, and inclusion (“DEI”), consistent with the previous two years and up slightly from 91% in 2021. The depth of these disclosures varied, ranging from generic statements expressing the company’s support of diversity in the workforce to detailed examples of actions taken to recruit and support underrepresented groups and increase the diversity of the company’s workforce.
Priorities within diversity. Companies disclosed different areas of focus for diversity efforts and programming within the organization. The most common disclosure was diversity in the company’s hiring practices (60% of companies in 2024, up dramatically from 47% in 2021), followed by diversity in the retention or development of the company’s current workforce (58% of companies in 2024, up slightly from 50% in 2021), diversity in the company’s promotion practices (26% of companies in 2024, down from a high of 31% in 2022), and finally diversity in the company’s suppliers (15% of companies in 2024, up slightly from 10% in 2021). A decreasing minority of companies also discussed, in qualitative or quantitative terms, the companies’ commitments to aspirational diversity goals or targets (14% of companies in 2024, down from a high of 24% of companies in 2022), with such decrease likely due to the heightened legal risk associated with DEI programs following the June 2023 United States Supreme Court decision in Students for Fair Admissions v. Harvard.
Quantitative diversity statistics. Many companies also included a quantitative breakdown of the gender or racial representation of the company’s workforce: 60% included statistics on gender and 56% included statistics on race or ethnicity (down slightly compared to 2023, but up significantly from 47% and 42%, respectively, in 2021). Companies generally provided gender statistics on both a global and U.S. basis, whereas nearly all companies provided race or ethnicity statistics for their U.S. workforce only. Most companies provided these statistics in relation to their workforce generally, regardless of position; however, an increased subset (40% in 2024, compared to 25% in 2021) included separate statistics for different classes of employees (e.g., managerial, vice president and above, etc.). Similarly, 12% of companies also provided separate statistics for their boards of directors (compared to 10% in each of 2023 and 2022 and 4% in 2021). Some companies also included numerical goals for gender or racial representation, either in terms of overall representation, promotions, or hiring—11% of companies included these diversity goals or targets (compared to 15% in 2023, 18% in 2022, and 14% in 2021).

C. Recruiting, Training, Succession

Among S&P 100 companies, 99% included disclosures relating to talent and succession planning in one or more of the following categories:

Talent attraction and retention. These disclosures were generally qualitative and focused on efforts to recruit and retain qualified individuals. While general statements regarding recruiting and retaining talent were very common, with 96% of companies including this type of disclosure (relatively flat in the prior two years, but up significantly from 66% in 2021), quantitative measures of retention, like workforce turnover rate, were uncommon, with only 19% of companies disclosing such statistics (as noted above).
Talent development. Disclosures related to talent development were the most common category, with 98% of companies including a qualitative discussion regarding employee training, learning, and development opportunities, up from 83% in 2021. This disclosure tended to focus on the workforce as a whole rather than specifically on senior management. Companies generally discussed training programs such as in-person and online courses, leadership development programs, mentoring opportunities, tuition assistance, and conferences. Some companies discussed quantitative figures related to talent development, such as the number of hours employees spent on learning and development or the company’s investment in development resources, with 19% of companies including this type of disclosure.
Succession planning. Only 33% of companies surveyed addressed their succession planning efforts, which may be a function of succession being a focus area primarily for executives rather than the human capital resources of a company more broadly. However, this is up from 27% of companies who discussed succession planning in 2021.

D. Employee Compensation[6]

Among S&P 100 companies, 92% included disclosures relating to employee compensation, up from 77% in 2021. All of those companies included a qualitative description of the compensation and/or benefits program offered to employees, with a small minority providing quantitative measures such as minimum or average wages or investment in benefits (17% of companies surveyed in 2024, up from 12% in 2021). Of the companies surveyed, 50% addressed pay equity practices or assessments (up from 37% in 2021), and substantially fewer companies included quantitative measures of the pay gap between racially or ethnically diverse and nondiverse employees or male and female employees (17% of companies surveyed in 2024, up from 12% in 2021).

E. Health and Safety

Among S&P 100 companies, 77% included disclosures relating to health and safety in one or both of the following categories:

Workplace safety. Of the companies surveyed, 55% included qualitative disclosures relating to workplace health and safety, down from 63% in 2022, typically consisting of statements about the company’s commitment to safety in the workplace generally and compliance with applicable regulatory and legal requirements. However, 9% of companies surveyed provided quantitative disclosures in this category, generally focusing on historical and/or target incident or safety rates or investments in safety programs. These quantitative disclosures tended to be more prevalent among industrial, energy, and manufacturing companies.
Employee mental health. In connection with disclosures about benefits provided to employees, including benefits intended to support employees’ general wellness or wellbeing, 54% of companies disclosed initiatives taken to support employees’ mental or emotional health and wellbeing, up from 37% in 2021.

F. Culture and Engagement

In addition to the many instances where companies included general descriptions of their commitment to company culture and values, 83% of S&P 100 companies discussed specific initiatives they were taking related to culture and engagement in one or more of the following categories:

Culture and engagement initiatives. Specific disclosures relating to practices and initiatives undertaken to build and maintain their culture and values have increased steadily each year, with 35% of the companies surveyed providing such disclosure, up from 18% in 2021. These companies most commonly discussed efforts to communicate with employees (e.g., through town halls, CEO outreach, trainings, or conferences and presentations) and to recognize employee contributions (e.g., awards programs and individualized feedback). Many companies also discussed culture in the context of diversity-related initiatives designed to help foster an inclusive culture.
Monitoring culture. Of the companies surveyed 69% provided disclosures about the ways that companies monitor culture and employee engagement, up from 54% in 2021. Companies generally disclosed the frequency of employee surveys used to track employee engagement and satisfaction, with some reporting on the results of these surveys, sometimes measured against prior year results or industry benchmarks, and ways in which company management or the board utilized survey results.
Flexible Work Opportunities. About one-third of S&P 100 companies describe flexible working arrangements, including remote or hybrid work or scheduling adjustments to accommodate different ways of working, with 34% of companies provided such disclosure in 2024, compared to 16% in 2021. Although many of these companies discussed this topic in previous years, past mentions of measures related to flexible work environments were generally in connection with COVID-related safety concerns, whereas recent discussions are increasingly related to talent acquisition and retention.
Community investment. Some companies disclosed information about community investment, partnerships, donations, or volunteer programs sponsored by the company, with 25% of companies surveyed providing such disclosure in 2024, compared to 28% in 2023 and 18% in 2021. Many companies discussed their community investment efforts as offshoots of or in conjunction with their diversity, equity, and inclusion efforts.

G. COVID-19

The number of S&P 100 companies that included information regarding COVID-19 and its impact on company policies and procedures or on employees dropped to only one companies making such disclosure, compared to 34% in 2023 and 70% in 2022. This sharp decline in COVID-19 disclosures is consistent with a more general trend of companies discussing COVID-19 less frequently as a result of its decreasing significance and illustrates the expected evolution of disclosure resulting from a principles-based framework.

H. Human Capital Management Governance and Organizational Practices

Just over half of S&P 100 companies (54% of those surveyed, compared to 40% in 2021) addressed their governance and organizational practices (such as oversight by the board of directors or a committee and the organization of the human resources function).

III. Industry Trends

One of the main rationales underlying the adoption of principles-based—rather than prescriptive—requirements for human capital disclosures is that the relative significance of various human capital measures and objectives varies by industry. This is reflected in the following industry trends that we observed:[7]

Technology Industries (E-Commerce, Internet Media & Services, Hardware, Software & IT Services, and Semiconductors). For the 22 companies in the Technology Industries, at least 63% discussed each of talent development and training opportunities, talent attraction, recruitment and retention, employee compensation, employee mental health, and diversity. Compared to the S&P 100 as a whole, relatively uncommon disclosures among this group included part-time and full-time employee statistics (5%), succession planning (9%), supplier diversity (5%), diversity in retention and development (41%), quantitative diversity statistics regarding race/ethnicity and gender (41% and 45%, respectively), and unionized employee relations (18%). However, these industries continued to see increased rates of disclosure compared to the S&P 100 for quantitative turnover rates (41%), flexible work opportunities (45%), culture initiatives (45%), and qualitative pay equity (59%).
Finance Industries (Asset Management & Custody Activities, Consumer Finance, Commercial Banks, and Investment Banking & Brokerage). For the 13 companies in the Finance Industries, a large majority continued to include quantitative diversity statistics regarding race (85%) and gender (92%) (matching that of the last two years) and qualitative disclosures regarding employee compensation (92%), and, compared to other industries, a relatively higher number discussed diversity in hiring (85%), employee mental health (77%), flexible work opportunities (69%), pay equity (69%), and quantified their pay gap (46%). Relatively uncommon disclosures among this group included part-time and full-time employee statistics, unionized employee relations, quantitative workforce turnover rates, diversity targets and goals, quantitative new hire diversity, supplier diversity, and workplace safety (in each case less than 16%).
Pharmaceutical Industries (Biotechnology & Pharmaceuticals). For the eight companies in the Pharmaceutical Industries, at least 87% discussed each of diversity, workplace safety, monitoring culture, talent attraction and retention, talent development, and employee compensation. Compared to the S&P 100 as a whole, relatively uncommon disclosures among this group included succession planning (13%), quantitative pay gap (0%), and diversity targets and goals (0%). However, these industries continued to see increased rates of disclosure compared to the S&P 100 for supplier diversity (38%), workplace safety (88%), culture initiatives (50%), and flexible work opportunities (75%).

IV. Disclosure Format

The format of human capital disclosures in S&P 100 companies’ annual reports on Form 10‑K continued to vary greatly.

Word Count. The length of the disclosures ranged from 106 to 1,809 words, with the following statistical trends in the past four years:

	2024	2023	2022	2021
Minimum word count	106	106	109	105
Maximum word count	1,809	2,094	1,995	1,931
Median	913	1,035	959	818
Mean	946	1,002	976	825

Metrics. The disclosure requirement specifically asks for a description of “any human capital measures or objectives that the registrant focuses on in managing the business” (emphasis added). Our survey revealed that companies are increasingly providing quantitative metrics, with 84% of companies providing disclosure in at least one of the quantitative categories we discuss above (compared to 87% in 2023, 80% in 2022, and 67% in 2021) and only 8% electing not to include any type of quantitative metrics beyond headcount numbers (compared to 7% in 2023, 10% in 2022 and 14% in 2021).

Graphics. Although the minority practice, 26% of companies surveyed also included tables, charts, graphics or similar formatting used to draw attention to particular elements, compared to 26% in 2023, 24% in 2022 21% in 2021, which were generally used to present statistical data, such as diversity statistics or breakdowns of the number of employees by geographic location.

Categories. Most companies organized their disclosures by categories similar to those discussed above and included headings to define the types of disclosures presented.

V. Upcoming Rulemaking and Investor Advisory Committee Recommendations

At its meeting on September 21, 2023, the Commission’s Investor Advisory Committee (“IAC”) approved subcommittee recommendations (the “IAC Recommendations”) to expand required human capital management disclosures.[8] The IAC Recommendations contain prescriptive disclosure requirements—many of which have been previously considered as part of the 2020 rulemaking—for various quantitative metrics in the business description of Form 10-K under Item 101(c) of Regulation S-K (including headcount, turnover, compensation, and demographic data) as well as narrative disclosure in Management Discussion and Analysis. For details regarding the IAC Recommendations, please refer to “Form 10-K Human Capital Disclosures Continue to Evolve,” available here.

According to the most recent Regulatory Flexibility agenda, a human capital management rule proposal that was originally slated for October 2021 was expected to be issued in October 2024.[9] However, no rule was ever proposed, and many expect regulatory priorities to change with the upcoming shift in the administration, including SEC Chair Gary Gensler’s upcoming departure on January 20, 2025. We therefore do not expect that the Commission will be adopting IAC’s recommendations in the near term as Republican commissions have in the past generally favored principles-based disclosure over prescriptive disclosure requirements.

VI. Comment Letter Correspondence

Comment letter correspondence from the staff of the Division of Corporation Finance (the “Staff”), which often helps put a finer point on principles-based disclosure requirements like this one, has shed relatively little light on how the Staff believes the new requirements should be interpreted. Consistent with what we found at this time in the prior three years, the comment letters, all of which involved reviews of registration statements, were generally issued to companies whose disclosures about employees were limited to the bare-bones items companies have discussed historically, such as the number of persons employed and the quality of employee relations. From these companies, the Staff simply sought a more detailed discussion of the company’s human capital resources, including any human capital measures or objectives upon which the company focuses in managing its business. There were also a few comment letters where the Staff asked companies to clarify statements in their human capital disclosures or expand their human capital disclosures based on related risks identified in their risk factors.[10] Based on our review of the responses to those comment letters, we have not seen a company take the position that a discussion of human capital resources was immaterial and therefore unnecessary.

VIII. Conclusion

Based on our survey, companies continue to be thoughtful about their human capital disclosures—expanding their disclosures in some areas (e.g., culture initiatives and pay equity) and reducing them in others (e.g., COVID-19, diversity targets and goals, diversity in promotion, and community investment)—in response to ever-changing circumstances. That is precisely what principles-based disclosure rules are designed to elicit.

To that end, as companies prepare for the upcoming Form 10-K reporting season, they should consider the following:

Confirm (or reconfirm) that the company’s disclosure controls and procedures support the statements made in human capital disclosures knowing that controls in the HR department may not be as rigorous as accounting controls. These disclosures create legal liability risks and should be treated accordingly.

Companies may want to compare their own disclosures against what their industry peers did these past four years, including specifically any notable changes to disclosures made in the past year.

Remind stakeholders internally that these disclosures likely will continue to evolve. This is especially true with the change in administration that could result in companies focusing on fewer or different issues. The types of measures and objectives that a company focuses on in managing its business and that are material to each company may also change in response to current events, as was shown by essentially the complete removal of COVID-19 related disclosures from 10-K filings the past two years and the decrease in disclosures relating to diversity targets and goals over the same period.

If you continue to disclose targets, expect the SEC staff to ask you to disclose the progress that management has made. You may wish to reconsider the utility in disclosing specific targets.
Addressing in the upcoming disclosure, if not already disclosed, the progress that management has made with respect to any significant objectives it has set regarding its human capital resources as investors are likely to focus on year-over-year changes and the company’s performance versus stated goals.
Addressing significant areas of focus highlighted in engagement meetings with investors and other stakeholders. In a 2024 survey, human capital management was one of the top five issues (aside from financial performance) most important to investors when evaluating companies.[11]
Revalidating the methodology for calculating quantitative metrics and assessing consistency with the prior year. Former Chairman Clayton commented that he would expect companies to “maintain metric definitions constant from period to period or to disclose prominently any changes to the metrics.”

[1] Data provided is as of November 10, 2024 and is based on the companies currently included within the S&P 500, so some statistics are slightly different than they were in the prior surveys. The categorization data necessarily involves subjective assessment and should be considered approximate.

[2] See 17 C.F.R. § 229.101(c)(2)(ii).

[3] Agency Rule List – Spring 2024 Securities and Exchange Commission, Office of Information and Regulatory Affairs (2024), available here.

[4] Note that companies often include additional human capital management-related disclosures in their ESG/sustainability/social responsibility reports, on their websites, and in their proxy statements, but these disclosures are outside the scope of the survey, which is focused on disclosures included in Part I, Item 1 of annual reports on Form 10-K.

[5] While never expressly required by Regulation S-K, as a result of disclosure review comments issued by the Division of Corporation Finance over the years and a decades-old and since-deleted requirement in Form 1-A, it has been a relatively common practice to discuss collective bargaining and employee relations in the Form 10-K or in an IPO Form S-1, particularly since the threat of a workforce strike could be material.

[6] Our survey reviewed the employee compensation disclosures contained in Part I, Item 1 of each company’s Form 10-K and did not separately review any employee compensation information included in companies’ financial statements or the notes thereto.

[7] For purposes of our survey, we grouped companies in similar industries based on both their four-digit Standard Industrial Classification code and their designated industry within the Sustainable Industry Classification System. The industry groups discussed in this section cover 43% of the companies included in our survey.

[8] Available at https://www.sec.gov/files/spotlight/iac/20230921-recommendation-regarding-hcm.pdf.

[9] Agency Rule List – Spring 2024 Securities and Exchange Commission, Office of Information and Regulatory Affairs (2024), available here.

[10] See, e.g., comments issued to Concentra Group Holdings Parent, Inc. (available at https://www.sec.gov/Archives/edgar/data/2014596/000000000024003738/filename1.pdf) and PACS Group, Inc. (available at https://www.sec.gov/Archives/edgar/data/2001184/000000000024000134/filename1.pdf).

[11] See PwC’s Global Investor Survey 2024, available at https://www.pwc.com/gx/en/issues/c-suite-insights/global-investor-survey.html.

The following Gibson Dunn attorneys assisted in preparing this update: Brian Lane, Julia Lapitskaya, Ronald Mueller, Michael Titera, and Meghan Sherley.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Securities Regulation and Corporate Governance or Labor and Employment practice groups, or any of the following practice leaders and members:

Labor and Employment:
Jason C. Schwartz – Co-Chair, Washington, D.C. (+1 202.955.8242, [email protected])
Katherine V.A. Smith – Co-Chair, Los Angeles (+1 213.229.7107, [email protected])

The Department of Justice has filed emergency motions for a stay pending appeal of a recent district court order that preliminarily enjoined enforcement of the Corporate Transparency Act (CTA).[1] The government has asked for a ruling by December 27, 2024. If the district court or Fifth Circuit Court of Appeals issues a stay pending appeal, the CTA and its January 1, 2025 reporting deadline could become enforceable once again.

An update on case developments since our December 9, 2024 Client Alert can be found immediately below. For additional background information, please refer to the remainder of this Client Alert or our Client Alerts issued on December 5 and December 9, 2024.

On December 11, the Department of Justice, on behalf of the Financial Crimes Enforcement Network (FinCEN), filed a motion in the U.S. District Court for the Eastern District of Texas requesting that the court stay its preliminary injunction pending the government’s appeal to the Fifth Circuit Court of Appeals.[2] The district court ordered the plaintiffs to respond to that stay motion by December 16.

In the meantime, on December 13, the government also filed a motion in the Fifth Circuit asking that court to stay the district court’s order pending appeal or, in the alternative, to narrow the scope of the court’s injunction to cover only the members of plaintiff National Federation of Independent Business (NFIB) rather than every reporting entity in the country.[3] The government argued that it was likely to succeed on the merits of its appeal, asserting that the CTA is a valid exercise of Congress’s commerce power because it regulates corporations, which engage in commercial activity.[4] At a minimum, the government argued, the district court erred in concluding that a facial challenge to the CTA would be successful because plaintiffs have not shown that the statute lacks legitimate applications.[5] The government also argued that the injunction irreparably harms its interests in fighting financial crime, and that the court’s nationwide remedy is overly broad because it extends beyond the plaintiffs.[6]

The government requested a ruling from the Fifth Circuit “no later than December 27, 2024, to ensure that regulated entities can be made aware of their obligation to comply before January 1, 2025.”[7] The Fifth Circuit set a briefing schedule calling for a response from the plaintiffs by December 17 and a reply from the government by December 19.

What the Stay Motion Means for Entities Subject to the CTA

As we previously described,[8] given the possibility of the district court’s order being stayed pending appeal, reporting entities’ legal obligations are subject to change on short notice. Either the district court or the Fifth Circuit could grant the government’s stay request before the end of the year. If the Fifth Circuit denies the government’s stay request, the government could request that relief from the Supreme Court. If the district court’s order is stayed pending appeal, the CTA’s beneficial ownership information (BOI) Reporting Rule will become enforceable again. If the district court’s order is narrowed to cover only the plaintiffs and members of the NFIB, the plaintiffs and NFIB’s approximately 300,000 members will receive the benefits of the preliminary injunction, but the law would become effective with respect to all other reporting entities.

The government’s stay applications in the district court and Fifth Circuit signal that if it succeeds in winning a stay of the district court’s order by December 27, there is a possibility that the government might try to enforce the January 1, 2025 reporting deadline for companies created or registered to do business in the United States before January 1, 2024. It also remains possible that FinCEN will extend that deadline.

Entities that believe they may be subject to the Reporting Rule should closely monitor this matter, and consult with their CTA advisors as necessary, to understand when, if at all, they need to comply with the Reporting Rule’s requirements and to allow for sufficient lead time to prepare BOI reports in advance of any filing deadline that may be re-established (with or without adjustment) in the future.

Additional Background

The CTA, enacted in 2021, requires corporations, limited liability companies, and certain other entities created (or, as to non-U.S. entities, registered to do business) in any U.S. state or tribal jurisdiction to file a “BOI” report with FinCEN identifying, among other information, the natural persons who are beneficial owners of the entity.[9] A regulation, the Reporting Rule, helps implement the CTA by specifying compliance deadlines—including a January 1, 2025 deadline for companies created or registered to do business in the United States before January 1, 2024—and detailing what information must be reported to FinCEN.[10]

The December 3, 2024 Ruling

On December 3, 2024, in ruling on a lawsuit challenging the constitutionality of the CTA and Reporting Rule on various grounds, Judge Amos L. Mazzant of the U.S. District Court for the Eastern District of Texas granted plaintiffs’ motion for a preliminary injunction.[11] Unlike another court that had held the CTA unconstitutional,[12] Judge Mazzant preliminarily enjoined enforcement of the CTA and Reporting Rule nationwide.[13] Moreover, the court invoked its power under the Administrative Procedure Act’s stay provision, 5 U.S.C. § 705, to “postpone the effective date of” the Reporting Rule.[14]

Government’s Initial Response[15]

FinCEN also posted a statement to its website.[17] In sum, FinCEN noted that, because of the court’s order, “reporting companies are not currently required to file their beneficial ownership information with FinCEN and will not be subject to liability if they fail to do so while the preliminary injunction remains in effect. Nevertheless, reporting companies may continue to voluntarily submit beneficial ownership information reports.” FinCEN also noted the appeal filed by the Department of Justice.

[1] A prior alert by Gibson Dunn explaining the district court’s ruling is available at https://www.gibsondunn.com/corporate-transparency-act-enforcement-preliminarily-enjoined-nationwide.

[2] Texas Top Cop Shop, Inc. et al. v. Garland et al., No. 4:24-CV-478, Dkt. 35 (E.D. Tex. Dec. 11, 2024)

[3] Texas Top Cop Shop, Inc. v. Garland, No. 24-40792, Dkt. 21 (5th Cir. Dec. 13, 2024).

[4] Id. at 9–11.

[5] Id. at 11–12.

[6] Id. at 14–21.

[7] Id. at 2.

[8] Supra https://www.gibsondunn.com/corporate-transparency-act-enforcement-preliminarily-enjoined-nationwide; https://www.gibsondunn.com/us-government-appeals-and-fincen-issues-guidance-about-nationwide-preliminary-injunction-of-corporate-transparency-act-enforcement.

[9] See William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. 116-283, Div. F., § 6403 (adding 31 U.S.C. § 5336). Prior alerts by Gibson Dunn explaining the Corporate Transparency Act are available at: https://www.gibsondunn.com/top-12-developments-in-anti-money-laundering-enforcement-in-2023; https://www.gibsondunn.com/the-impact-of-fincens-beneficial-ownership-regulation-on-investment-funds; https://www.gibsondunn.com/the-corporate-transparency-act-reminders-and-key-updates-including-fincen-october-3-faqs.

[10] 31 C.F.R. § 1010.380.

[11] Texas Top Cop Shop, Inc. et al. v. Garland et al., No. 4:24-CV-478, Dkt. 30 (E.D. Tex. Dec. 3, 2024).

[12] Nat’l Small Business United v. Yellen, 721 F. Supp. 3d 1260 (N.D. Ala. 2024); see https://www.gibsondunn.com/corporate-transparency-act-declared-unconstitutional-what-it-means-for-you.

[13] Id. at 77.

[14] Id. at 78.

[15] See Gibson Dunn’s December 9 Client Alert describing the government’s initial response to the district court ruling, available at https://www.gibsondunn.com/us-government-appeals-and-fincen-issues-guidance-about-nationwide-preliminary-injunction-of-corporate-transparency-act-enforcement.

[16] Texas Top Cop Shop, Inc. et al. v. Garland et al., No. 4:24-CV-478, Dkts. 32, 34 (E.D. Tex. Dec. 6, 2024).

[17] https://fincen.gov/boi.

The following Gibson Dunn lawyers assisted in preparing this update: Kevin Bettsteller, Stephanie Brooker, Matt Gregory, Justin Newman, Dave Ware, Sam Raymond, Chris Jones, and Connor Mui.

Please also feel free to contact any of the following practice group leaders and members and key CTA contacts:

From the Derivatives Practice Group: The CFTC will hold an open meeting on December 18 to discuss two Final Rules: the Final Rule on Real-Time Public Reporting Requirements and Swap Data Recordkeeping and Reporting Requirements, and the Final Rule on Regulations to Address Margin Adequacy and to Account for the Treatment of Separate Accounts by Futures Commission Merchants.

New Developments

CFTC Staff Issues Advisory Regarding Form 304 Submission Format Beginning January 15, 2025. On December 12, the CFTC Division of Market Oversight issued an advisory notifying all merchants and dealers of cotton holding or controlling positions for future delivery in cotton (traders) that beginning next year they must submit the regulatory filing identified as “Form 304” through the CFTC’s online filings portal. The advisory notes that all traders who are subject to CFTC Regulation 17 CFR 19.00(a) beginning January 15, 2025, Form 304 must be submitted through the CFTC’s online filings portal, which has been updated for traders’ use. Form 304 should continue to be submitted via email through January 14, 2025. [NEW]
CFTC to Hold a Commission Open Meeting December 18. On December 11, the CFTC announced the Commission will hold an open meeting Wednesday, December 18 at 9:30 a.m. – 12:00 p.m. (ET) at the CFTC’s Washington, D.C. headquarters. The Commission will consider the following: the Final Rule on Real-Time Public Reporting Requirements and Swap Data Recordkeeping and Reporting Requirements and the Final Rule on Regulations to Address Margin Adequacy and to Account for the Treatment of Separate Accounts by Futures Commission Merchants. [NEW]
CFTC Staff Issues Advisory Related to the Use of Artificial Intelligence by CFTC-Registered Entities and Registrants. On December 5, the CFTC’s Divisions of Clearing and Risk, Data, Market Oversight, and Market Participants issued a staff advisory on the use of artificial intelligence in CFTC-regulated markets by registered entities and registrants. The advisory is intended to remind CFTC-regulated entities of their obligations under the Commodity Exchange Act and the CFTC’s regulations as these entities begin to implement AI. CFTC staff noted that it is closely tracking the development of AI technology and AI’s potential benefits and risks and that it values its ongoing dialogue with CFTC-regulated entities and intends to monitor these entities’ use of AI as part of the agency’s routine oversight activities. According to the CFTC, the advisory is informed, in part, by public comments received in response to the staff’s January 25, 2024 Request for Comment on AI.
CFTC Releases FY 2024 Enforcement Results. On December 4, the CFTC announced record monetary relief of over $17.1 billion for fiscal year 2024. With the resolution of digital asset cases that resulted in the agency’s largest recovery ever, this record amount included $2.6 billion in civil monetary penalties and $14.5 billion in disgorgement and restitution. In FY 2024, the agency brought 58 new actions including, in the CFTC’s words, precedent-setting digital asset commodities cases, its first actions addressing fraud in voluntary carbon credit markets, complex manipulation cases in various markets, and significant compliance cases – including its largest compliance case ever. The CFTC also said that it continued to vigorously litigate pending actions, resulting in significant litigation victories and recoveries.
Commissioner Johnson Announces CFTC Market Risk Advisory Committee Meeting on December 10. On November 26, CFTC Commissioner Kristin N. Johnson, sponsor of the Market Risk Advisory Committee (“MRAC”) announced that the MRAC will hold a public meeting on Tuesday, Dec. 10, from 9:30 a.m. to 12:30 p.m. (EDT) at the CFTC’s Washington, D.C., headquarters. At the meeting, the MRAC will discuss current topics and developments in the areas of central counterparty risk and governance, market structure, climate-related risk, and innovative and emerging technologies affecting the derivatives and related financial markets.

New Developments Outside the U.S.

ESMA Consults on Proposals to Digitalize Sustainability and Financial Disclosures. On December 13, ESMA published a Consultation Paper seeking stakeholders’ views on how the European Single Electronic Format can be applied to sustainability reporting. The proposals also aim to ease the burden associated with financial reporting. Interested stakeholders are invited to submit their feedback by March 31, 2025. [NEW]
ESMA Consults on Open-Ended Loan Originating Alternative Investment Funds. On December 12, ESMA published a consultation paper on draft regulatory technical standards on open-ended loan originating Alternative Investment Funds (“AIFs”) under the revised Alternative Investment Fund Managers Directive (“AIFMD”). AIFMD review has introduced some harmonized rules on loan originating funds. The goal of these rules is to provide a common implementing framework by determining the elements and factors that Alternative Investment Fund Managers need to consider when making the demonstration to their Competent Authorities that the loan originated AIFs they manage can be open-ended. [NEW]
ESMA Consults on Technical Advice on Listing Act Implications. On December 12, ESMA launched a consultation to gather feedback following changes to the Market Abuse Regulation (“MAR”) and Market in Financial Instruments Directive II (“MiFID II”) introduced by the Listing Act. Regarding MAR, ESMA is inviting feedback on: a non-exhaustive list of the protracted process and the relevant moment of disclosure of the relevant inside information (together with some principles to identify the moment of disclosure for protracted not listed processes); a non-exhaustive list of examples where there is a contrast between the inside information to be delayed and the latest public announcement by the issuer; and a methodology and preliminary results for identifying trading venues with a significant cross-border dimension, for the purposes of establishing a Cross Market Order Book Mechanism. Regarding MiFID II, ESMA’s proposals cover: a systematic review of the relevant provisions in Commission Delegated Regulation 2017/565 to ensure that a Multilateral Trading Facility (“MTF”) (or a segment of it) to be registered as small and medium-sized enterprises growth market complies with the relevant requirements in the revised MiFID II; and some conditions to meet the registration requirements for a segment of an MTF, as specified in the revised MiFID II. [NEW]
ESAs Provide Guidelines to Facilitate Consistency in the Regulatory Classification of Crypto-Assets by Industry and Supervisors. On December 10, the European Supervisory Authorities (the “ESAs”) published joint Guidelines intended to facilitate consistency in the regulatory classification of crypto-assets under Markets in Crypto Asset Regulation. The Guidelines include a standardized test to promote a common approach to classification as well as templates market participants should use when communicating to supervisors the regulatory classification of a crypto-asset. [NEW]
IOSCO Publishes Final Report on Regulatory Implications and Good Practices on the Evolution of Market Structures. On November 29, IOSCO published its Final Report on the Evolution in the Operation, Governance, and Business Models of Exchanges. According to IOSCO, the Final Report addresses significant changes in exchange business models and market structures, highlighting the impact of increased competition, technological advancements, and cross-border activity on exchanges. Additionally, it outlines a set of six good practices for regulators to consider in the supervision of exchanges that cover three key areas: (1) Organization of Exchanges and Exchange Groups (2) Supervision of Exchanges and Trading Venues within Exchange Groups and (3) Supervision of Multinational Exchange Groups.
BoE Publishes Report on Its System-Wide Exploratory Scenario Exercise and Stress Test Results for UK CCPs. On November 29, the Bank of England (“BoE”) published a final report on its system-wide exploratory scenario (“SWES”) and the results of its 2024 supervisory stress test of UK central counterparties (“CCPs”). As part of the SWES exercise, 50 participating firms, including banks, insurers, pension schemes, hedge funds, asset managers and CCPs, had to assess how they would be impacted by a hypothetical stress scenario, including severe but plausible shocks to a wide range of market prices and indicators over 10 business days, including moves similar to those seen during the UK gilt market crisis in 2022 and the 2020 dash for cash. BoE noted key observations, including (1) the simulated market shocks generated significant liquidity needs for non-bank financial intermediaries, (2) financial participants’ collective actions amplify the initial shock, (3) the gilt repo market was central in helping to absorb the shock, but its capacity in times of stress remains limited, (4) the exercise confirms the resilience of UK CCPs to a stress scenario similar to the worst ever historical stress and (5) there were material differences between firms’ and CCPs’ expectations on projections of initial margin increases, with banks and non-bank financial intermediaries generally overestimating changes in CCP initial margin. The BoE indicated that its supervisory stress test of UK CCPs also confirmed the resilience of UK CCPs to a stress scenario similar to the worst ever historical stress and indicated (1) CCPs were found to experience greater mutualized losses in this exercise compared to previous ones, (2) the ability of clients of defaulting members to port positions has a material impact on the credit stress test results and (3) the exercise also considered the cost of liquidating concentrated positions held by defaulters, with results showing that including concentration costs (assuming no porting) can have a material impact on the depletion of resources.
ESMA Announces Further Guidance on Exclusion Criteria for the Selection of Consolidated Tape Providers. On November 25, ESMA clarified details for some of the documents that future applicants will be expected to provide when participating in the selection process for Consolidated Tapes Providers (“CTPs”). During the first stage of the selection procedure, the exclusion criteria will be used to assess if applicants can be invited to submit their applications in the second stage of the procedure. ESMA will require specific documentation from applicants, including a declaration of honor and valid evidence on exclusion criteria. ESMA’s publication includes an indicative overview of the relevant certificates issued in each EU Member State for such evidence.
ESMA Responds to the European Commission Consultation on Non-Bank Financial Intermediation. On November 22, ESMA sent its response to the European Commission consultation on assessing the adequacy of macroprudential policies for Non-Bank Financial Intermediation (“NBFI”). In its response, ESMA makes key proposals in several areas, including liquidity management, money market fund regulation, supervision and data, and coordination between competent authorities.

New Industry-Led Developments

FRTB Implementation Challenges: Capitalization of Funds. On December 13, ISDA published a second whitepaper on the capitalization of equity investment in funds (“EIIFs”) under the Fundamental Review of the Trading Book (“FRTB”) framework. This paper builds upon an earlier ISDA publication in 2022 that highlighted the overly conservative capital requirements and operational complexities resulting from the proposed Basel III framework associated with EIIFs. Since then, several jurisdictions have implemented the FRTB (Canada and Japan), while others have finalized their FRTB rules (the EU and the UK) or are consulting on the final rules (the US). This topic continues to be a globally important issue for the industry, with many unresolved concerns related to the treatment of EIIFs. [NEW]
Joint Associations Send Letter on UK CCP Equivalence and Recognition. On December 12, ISDA and eleven other trade associations representing a broad group of market participants sent a letter to Commissioner Albuquerque requiring that the European Commission extends the equivalence decision for UK Central Counterparties (“CCPs”) in a non-time-limited manner and well in advance of March 31, 2025. The current time-limited equivalence decision is set to expire on June 30, 2025. [NEW]
ISDA Publishes Paper on Compliance Requirements under MIFIR. On December 9, ISDA published a paper that maps out an approach to post-trade transparency under the revised Markets in Financial Instruments Regulation (“MIFIR”) for reporting single-name credit default swaps referenced to global systemically important banks, supporting meaningful transparency and implementation practicability. [NEW]
ISDA Responds to European Commission’s Consultation on Macroprudential Policies for NBFIs. On November 21, ISDA responded to the European Commission’s consultation on assessing the adequacy of macroprudential policies for NFBI. In the response, ISDA covers a range of key topics, including the need to consider the diversity of the NBFI sector, possible solutions to challenges in meeting collateral requirements, the importance of bank intermediation capacity, the need for deep and liquid core funding markets, enhanced data sharing among regulators and the vital role played by non-cleared derivatives markets, especially in times of stress.
ISDA Sends Letter to FASB on Hedge Accounting Improvements. On November 25, ISDA submitted a comment letter to the Financial Accounting Standards Board (“FASB”) in response to its exposure draft (ED) on File Reference No. 2024-ED200, Derivatives and Hedging (Topic 815) – Hedge Accounting Improvements. In the comment letter, ISDA explains it supports the FASB’s proposals in the ED and believes the ED achieves the FASB’s objective of improving the application and relevance of the derivatives and hedging guidance.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])

Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])

Darius Mehraban, New York (212.351.2428, [email protected])

Jason J. Cabral, New York (212.351.6267, [email protected])

Adam Lapidus – New York (212.351.3869, [email protected] )

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

William R. Hallatt , Hong Kong (+852 2214 3836, [email protected] )

David P. Burns, Washington, D.C. (202.887.3786, [email protected])

Marc Aaron Takagaki , New York (212.351.4028, [email protected] )

Hayden K. McGovern, Dallas (214.698.3142, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])

Every large corporation risks legal and regulatory scrutiny, and certain individuals within those organizations may also face personal exposure if their organization fails to maintain adequate corporate compliance. These gatekeepers — tasked with protecting their companies’ financial and reputational well-being — should remain alert to their own risk of liability for wrongdoing, failing to prevent it, or missteps taken in response to misconduct.

Discussion topics:

Recent trends and enforcement developments affecting gatekeeper liability
Best practices for in-house gatekeepers
Special topics for gatekeeper consideration

PANELISTS:

David Ware is a partner in the Washington, D.C. office of Gibson, Dunn & Crutcher. He is a member of the firm’s Securities Enforcement, Securities Litigation, Accounting Firm Advisory and Defense, and White Collar Defense and Investigations Practice Groups. David’s practice focuses on government investigations and enforcement actions, internal investigations, and litigation in the areas of auditing and accounting, securities fraud, and related aspects of federal regulatory and criminal law. He also counsels clients concerning compliance with SEC and PCAOB rules and standards. David serves as a member of the Auditing Standards Board, which promulgates auditing standards for private companies in the United States. He is admitted to practice in the District of Columbia and Massachusetts, as well as before the U.S. District Court for the District of Columbia and the U.S. Courts of Appeals for the First Circuit and Third Circuit.

Michael Scanlon is a partner in the Washington, D.C. office of Gibson, Dunn & Crutcher. He is a member of the firm’s Securities Regulation and Corporate Governance, Securities Enforcement, and Corporate Transactions Practice Groups, and has an extensive practice representing U.S. and foreign public company and audit firm clients on regulatory, corporate governance, and enforcement matters. Michael advises corporate clients on SEC compliance and disclosure issues, the Sarbanes-Oxley Act of 2002, and corporate governance best practices, with a particular focus on financial reporting matters. He frequently represents both accounting firms and public company clients on SEC and PCAOB accounting and auditing matters, including financial statement materiality and restatement issues, internal control issues, auditor independence, and other accounting-related disclosure issues. He also is experienced in conducting internal investigations involving accounting irregularities for management, audit committees, and other Board committees, and represents clients on these matters before the SEC. Michael also represents several public company boards of directors and audit committees, as well as not-for-profit organizations, with respect to corporate governance and other compliance matters. Michael is admitted to practice in the District of Columbia.

Allison Kostecka is of counsel in the Denver office of Gibson, Dunn & Crutcher. She practices in the firm’s Litigation Department, where she focuses on securities litigation, antitrust investigations and litigation, other complex commercial litigation, and data privacy. Allison represents companies in a range of complex, civil litigation matters. She has defended multiple companies in derivative lawsuits and securities class actions before federal and state courts. In addition, Allison has represented clients in a variety of antitrust and consumer protection matters before administrative bodies and federal courts. For over 10 years, she represented a large energy company in multiple federal court actions that exposed a fraudulently obtained, multi-billion dollar judgment against the company. In addition to working on extensive discovery, preliminary injunction actions, and both pre-and post-judgment motions practice related to this transnational matter, Allison was on both the trial and appellate teams for this matter. Allison is registered to practice law in the State of Colorado, as well as in the U.S. Courts of Appeal for the Sixth, Tenth, and Eleventh Circuits and the U.S. District Courts for the District of Colorado and the Northern District of Ohio.

MCLE CREDIT INFORMATION:

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour in the General Category.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

Shukie Grossman was featured in Lexology Index as a Thought Leader in the USA – Private Funds – Formation [PDF] category. The article was published in December 2024.

This update discusses key trends and insights from our analysis of the cybersecurity disclosures made by 97 S&P 100 companies in their most recent Form 10-K filings in response to Regulation S-K Item 106.

I. Introduction

This alert highlights key trends and insights from our analysis of the cybersecurity disclosures made by 97 S&P 100 companies in their 2024 Form 10-K filings, as required by new Item 106 of Regulation S-K (“Item 106”), as of November 30, 2024.[1]

As discussed in a previous client alert, the Securities and Exchange Commission (“SEC” or “Commission”) adopted on July 26, 2023, a final rule requiring public companies to provide current disclosure of material cybersecurity incidents and annual disclosure regarding cybersecurity risk management, strategy, and governance. Under Item 106, which is required to be addressed in new Item 1C of Form 10-K, public companies must include disclosures in their annual reports regarding their (1) cybersecurity risk management and strategy, including with respect to their processes for identifying, assessing, and managing cybersecurity threats and whether risks from cybersecurity threats have materially affected them, and (2) cybersecurity governance, including with respect to oversight by their boards and management.[2] All public companies were required to comply with these disclosure requirements for the first time beginning with their annual reports on Form 10-K or 20-F for the fiscal year ending on or after December 15, 2023.

II. Executive Overview

While certain disclosure trends have emerged under Item 106, we note that there is significant variation among companies’ cybersecurity disclosures, reflecting the reality that effective cybersecurity programs must be tailored to each company’s specific circumstances, such as its size and complexity of operations, the nature and scope of its activities, industry, regulatory requirements, the sensitivity of data maintained, and risk profile. Companies must strike a careful balance in their disclosures, providing sufficient decision-useful information for investors, while taking care not to reveal sensitive information that could be exploited by threat actors.[3] We expect company disclosures to continue to evolve as their practices change in response to the ever-evolving cybersecurity threat landscape and as common disclosure practices emerge among public companies.

Below is an executive overview of the key disclosure trends we observed (discussed in detail in Section III below):

Materiality. The phrasing used by companies for this disclosure requirement varies widely. Specifically, in response to the requirement to describe whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the company, the largest group of companies (40%) include disclosure in Item 1C largely tracking Item 106(b)(2) language (at times, subject to various qualifiers); 38% vary their disclosure from the Item 106(b)(2) requirement in how they address the forward-looking risks; and 22% of companies do not include disclosure specifically responsive to Item 106(b)(2) directly in Item 1C, although a substantial majority of these companies cross-reference to a discussion in Item 1A “Risk Factors.”
Board Oversight. Most companies delegate specific responsibility for cybersecurity risk oversight to a board committee and describe the process by which such committee is informed about such risks. Ultimately, however, the majority of surveyed companies report that the full board is responsible for enterprise-wide risk oversight, which includes cybersecurity.
Cybersecurity Program. Companies commonly reference their program alignment with one or more external frameworks or standards, with the National Institute of Standards and Technology (NIST) Cybersecurity Framework being cited most often. Companies also frequently discuss specific administrative and technical components of their cybersecurity programs, as well as their high-level approach to responding to cybersecurity incidents.
Assessors, Consultants, Auditors or Other Third Parties. As required by Item 106(b)(1)(ii), nearly all companies discuss retention of assessors, consultants, auditors or other third parties, as part of their processes for oversight, identification, and management of material risks from cybersecurity threats.
Risks Associated with Third-Party Service Providers and Vendors. In line with the requirements of Item 106(b)(1)(iii), all companies outline processes for overseeing risks associated with third-party service providers and vendors.
Drafting Considerations.
- Most companies organize their disclosure into two sections, generally tracking the organization of Item 106, with one section dedicated to cybersecurity risk management and strategy and another section focused on cybersecurity governance. Companies typically include disclosures responsive to the requirement to address material impacts of cybersecurity risks, threats, and incidents in the section on risk management and strategy.
- The average length of disclosure among surveyed companies is 980 words, with the shortest disclosure at 368 words and the longest disclosure at 2,023 words. The average disclosure runs about a page and a half.

While comment letters have not been issued in response to Item 106 disclosure in annual reports on Form 10-K filed by the S&P 100 companies we surveyed, as of November 30, 2024, five comment letters from the Staff had been issued to other companies regarding their Item 106 disclosures. For details, see Section VI below.

III. Key Disclosure Trends

For comparison purposes, we have grouped the discussion below into three categories: (1) cybersecurity risk management and strategy; (2) cybersecurity governance; and (3) disclosures in response to the requirement to address material cybersecurity risks, threats, and incidents.

a. Cybersecurity Risk Management and Strategy

Item 106(b)(1) calls for a description of a company’s “processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes.” In response to this overarching disclosure requirement, some of the most commonly addressed topics are as follows:

Cybersecurity Frameworks or Standards. Though not specifically required by Item 106, a majority of surveyed companies (60%) reference one or more external frameworks or standards that inform, to varying degrees, their cybersecurity program management processes and practices. The NIST Cybersecurity Framework is referenced most often, with 51 companies making mention of it. Other frameworks or standards cited by surveyed companies include those set by the International Organization for Standardization (ISO) (including, for example, ISO 27001 and 27002), SOC 1 and 2, and the Payment Card Industry Data Security Standard (PCI DSS). Notably, companies use varied terminology when discussing specified frameworks or standards. For example, when citing NIST, companies explain that their cybersecurity program or risk management approach “leveraged,” was “informed by,” “aligns with,” or was “based on” the framework.[4]
Description of Cybersecurity Program Elements. Nearly all surveyed companies discuss specific components of the company’s cybersecurity program, which most prominently include references to identity and access management, logging and monitoring, penetration testing and vulnerability scanning, governance, risk assessment and threat intelligence, employee awareness and training, and security monitoring. Companies also widely note where employees are provided with cybersecurity training (84%), with 27 of those companies disclosing that they provide this training on at least an annual basis.
Incident Response Preparedness. The substantial majority of companies note the implementation of an incident response plan or procedures (87%), and nearly all companies (96%) describe the use of audits, drills, and/or tabletop exercises to test incident preparedness and the company’s incident response processes.

In addition to the general requirement quoted above, Item 106(b)(1) includes a non-exclusive list of disclosure items, which most surveyed companies specifically address in their Item 1C disclosures as follows:

Whether and how any such processes have been integrated into the company’s overall risk management system or processes. In response to this disclosure item, a substantial majority of surveyed companies (90%) disclose that the oversight of cybersecurity risk has been integrated into the company’s overall risk management system or processes.

Whether the registrant engages assessors, consultants, auditors or other third parties in connection with any such processes. Nearly all companies (98%) generally disclose the engagement of assessors, consultants, auditors or other third parties in the management of cybersecurity risks. Most companies do not specifically name the third parties they engage.
Whether the registrant has processes to oversee and identify material risks from cybersecurity threats associated with its use of any third-party service provider. In line with Item 106’s requirements, all companies generally discuss third-party risk management practices, including outlining processes for identifying and managing material cyber risks associated with third-party service providers. Ninety percent report evaluating, monitoring or conducting due diligence on a vendor’s cybersecurity practices, and 42% report requiring vendors to adhere to certain cybersecurity management processes. These third-party risk management processes can range from conducting due diligence of the third party’s information security environments, or reviewing their incident response capabilities, to monitoring their regulatory compliance to assess the company’s own risk of exposure.

b. Cybersecurity Governance

Item 106(c)(1) requires that companies describe the role of the board in the oversight of cybersecurity risks, including the role of board committees or subcommittees, and Item 106(c)(2)(i) requires that companies describe the management’s role in assessing and managing their material risks from cybersecurity threats, including addressing which management positions or committees are responsible for assessing and managing such risks. In response to these disclosure requirements, some of the most commonly addressed topics are as follows:

The Role of the Board and Committees of the Board in Cybersecurity Governance. As part of the discussion of cybersecurity governance, a majority of surveyed companies (68%) report that the board is responsible for enterprise-wide risk oversight, which includes cybersecurity. However, a majority of companies (66%) also disclose that a committee or subcommittee of the board has been delegated responsibility for primary oversight of cybersecurity risks, with a minority of companies (28%) reporting that the board and a designated committee share the primary oversight of cybersecurity risks, and a handful of companies (6%) reporting that the full board retains primary oversight of cybersecurity risks. Of the companies that delegate primary oversight of cybersecurity risks to a committee or subcommittee, or for which the board and a designated committee or subcommittee share oversight, companies most often disclose that the audit committee (78%) has this responsibility, followed by a risk committee (19%) (for companies that have a risk committee).
The Role of Management in Cybersecurity Governance. In responding to this disclosure item, nearly all companies (99%) list one or more management positions responsible for addressing and managing cybersecurity risks, with a significant minority of companies (43%) reporting that a management committee is also responsible for managing such risks. Of the companies that identify a management position responsible for assessing and managing material cybersecurity risks, 61% identify one officer who fulfils this role and 39% identify more than one officer responsible for fulfilling this role. The substantial majority of companies (78%) identify a Chief Information Security Officer (CISO) among the management positions responsible for assessing and managing cybersecurity risks, while a minority of companies identify other positions, such as a Chief Information Officer (CIO) (14%), Chief Technology Officer (CTO) (4%), or another officer, such as a Chief Security Officer, Head of Technology, Chief Information and Digital Officer, and/or Chief Cybersecurity Officer.

Item 106(c)(2)(i) also requires a description of the relevant expertise of management in “such detail as necessary to fully describe the nature of the expertise.” In response, a substantial majority of companies (88%) disclose the experience and/or qualifications of the individual(s) responsible for assessing and managing cybersecurity risk. While companies vary widely with respect to the level of specificity they provide in describing relevant experience or qualifications of those in management, surveyed companies generally provide examples of an individual’s:

Roles and Positions Prior to Joining the Company. Practice on this point varies widely, ranging from the inclusion of a general note stating that the individual has held various cybersecurity-related roles, to identifying the specific title held by such individual in the past roles, to noting the technical and industry-specific experience gained or skills employed in prior positions.
Years of Relevant Work Experience. Where surveyed companies disclose this point, the years of experience range from 15 years to more than 30 years of relevant work experience.
Education and Certifications. While less common than the other two categories mentioned above, some companies include reference to an individual’s educational background or certifications (e.g., where the individual received certification as an information systems security professional (CISSP)).

Item 106(c)(2)(ii) requires that companies address how management is informed of and monitors the “prevention, detection, mitigation, and remediation of cybersecurity incidents.” In response to this disclosure item, companies generally disclose that management is informed of cybersecurity risks and incidents through internal reporting channels, such as receiving reports from the company’s cybersecurity professionals.

Item 106(c)(2)(iii) requires that companies discuss the process by which management reports cybersecurity risks to its board. In response to this disclosure item, all companies disclose that the board or responsible committee receives reports from management, with a substantial majority of these companies (82%) disclosing that the board or responsible committee receives reports on a regular basis.[5] A majority of the surveyed companies (61%) also report a process for escalating certain cybersecurity incidents, risks or threats to the board or responsible committee.

c. Material Cybersecurity Risks, Threats & Incidents

Item 106(b)(2) requires that companies “[d]escribe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.” While disclosure on this point varied greatly, we observed the following trends among surveyed companies in response to this disclosure item:

Some Companies Did Not Affirmatively Address Item 106(b)(2) in Item 1C. Twenty-two percent of surveyed companies do not appear to have included disclosure responsive to Item 106(b)(2) in Item 1C.[6] Of these companies, 90% provide a cross-reference to a discussion in Item 1A “Risk Factors.”[7]
Most Disclosures Track the Language of Item 106(b)(2). Forty percent of surveyed companies largely track the language of the disclosure item with respect to both the backward-looking aspect (“have materially affected”) and the forward-looking aspect (“are reasonably likely to materially affect”) of the rule by responding in the negative, concluding that they did not identify any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the company, including its business strategy, result of operations or financial condition. However, the precise formulation varied from company to company.[8] Of these companies:
- 54% include a knowledge qualifier making clear that they are “not aware” or “do not believe” that such risks have materially affected or are reasonably likely to materially affect the company;
- 67% make clear that they are speaking as of the end of the fiscal year covered by the Form 10-K or as of the date of the Form 10-K;
- in addition to tracking the rule, 44% include a disclaimer noting that there is no “guarantee” or “assurance” (or something similar) that cyber-related risks may not be material in the future;
- 26% limit required disclosure to threats identified during the last year or last three fiscal years; and
- one company limited the future horizon to “over the long term.”
Many Companies Vary Disclosure on Forward-Looking Impacts, or Address It Vaguely or Not At All. Thirty-eight percent of surveyed companies address the backwards-looking aspect of the rule by largely tracking the rule on that point. For the forward-looking aspect of the rule, some of them: (i) simply do not address it at all or make vague references to potential future impacts (35%); (ii) include a disclaimer noting that there is no “guarantee” or “assurance” (or something similar) that cyber-related risks may not be material in the future (51%); or (iii) make explicit what is an inherent assumption in the disclosure requirement, such as by stating that risks from cybersecurity threats, “if realized,” are reasonably likely to materially affect business strategy, results of operations, or financial condition (16%). One company includes both a “no guarantee” disclaimer and “if realized” language (3%). In addition, among these 38% of the surveyed companies:
- 16% include a knowledge qualifier making clear that they are “not aware” or “do not believe” that such risks have materially affected the company;
- 41% make clear that they are speaking as of the end of the fiscal year covered by the Form 10-K or as of the date of the Form 10-K; and
- 27% limit required disclosure to threats identified during the last year, last three fiscal years or “recent years.”

IV. ISS Governance QualityScore[9]

While it is not possible to say definitively, it is possible that some of the reporting trends observed among the surveyed companies may be attributable to the questions included by Institutional Shareholder Services (“ISS”) in its Governance QualityScore (“QualityScore”) relating to information security since they are not otherwise directly responsive to Item 106 requirements. For example:

possibly in response to ISS Question 409, which evaluates disclosure regarding whether the company has information security risk insurance, a minority of surveyed companies (26%) disclose maintaining some level of cybersecurity insurance;
possibly in response to ISS Question 405, which assesses disclosure as to how many directors have information security skills, a minority of companies (14%) report having directors with information security experience, despite the fact that the proposed requirement to disclose this information was not included in the final cybersecurity rule;[10] and
possibly in response to ISS Question 407, which assesses whether a company experienced an information security breach in the last three years, 3% of companies frame their statements about material effects from cybersecurity threats or incident using this specific time period.

V. Drafting Considerations

The majority of surveyed companies (66%) divide their disclosure into two sections tracking the organization of Item 106, with one section dedicated to cybersecurity risk management and strategy and another section focused on cybersecurity governance. Of those companies, 33% include subsections within one or both of those two main sections, 23% of surveyed companies use no headings at all, and 11% of surveyed companies use headings that differ from the structure of Item 106 (either by including more than the two primary sections set forth in the rule or by including distinct headings altogether).

The average length of disclosure among surveyed companies is 980 words, with the shortest disclosure at 368 words and the longest disclosure at 2,023 words. The average disclosure runs about a page and a half.

VI. Comment Letters

As of November 30, 2024, there have been five comment letters from the Staff regarding disclosure under Item 1C. While these comment letters have not been issued in response to disclosure in annual reports on Form 10-K filed by the S&P 100 companies we surveyed, we are including a discussion of them here for completeness, as they are instructive as to what the Staff was focused on when reviewing the first set of Item 106 disclosures. To summarize:

Two of these comment letters simply requested that companies refile their annual reports on Form 10-K to include an omitted Item 1C.[11] In both instances, the companies filed an amendment on Form 10-K/A, adding the requested disclosure.[12]
One comment letter requested that a company amend future filings to clarify inconsistent statements about its engagement of third parties in connection with its processes for identifying, assessing and managing material risks from cybersecurity threats.[13] The company responded by clarifying the nature of its engagement of third parties in identifying and managing cybersecurity risks, and also confirmed that it would clarify this point to avoid any inconsistency or ambiguity in future filings.[14]
In three comment letters, the Staff touched upon the following requirements of Item 106, requesting expanded disclosure in future filings:
- Item 106(b)(1) (Processes for Assessing, Identifying, and Managing Material Risk from Cybersecurity Threats). The Staff requested that a company expand its disclosure to describe the areas of responsibility of its executive management team and board of directors, along with their respective processes in response to this disclosure item.[15] The company responded by confirming it would include the requested detail in future filings.[16]
- Item 106(b)(1)(i) (Integration of Cybersecurity Risk Processes into Overall Risk Management). In one comment letter, the Staff requested that a company revise future filings to disclose how processes for “assessing, identifying, and managing” material cybersecurity threats have been integrated into its overall risk management system or processes in response to this disclosure item.[17] The company responded by emphasizing that these processes are “well integrated” into its overall risk management system, noting relevant disclosure included in its current filing, and agreeing to provide more detail in future filings in response to this disclosure item.[18]
- Item 106(c)(2)(i) (Identification of Management Committees or Positions Responsible for Assessing and Managing Material Risks from Cybersecurity Threats). Two of the comment letters noted above also included comments related to the discussion of management’s responsibility over cybersecurity risks. The first comment letter requested the company identify which management positions or teams are responsible for assessing and managing material risks from cybersecurity threats in future filings.[19] The second such letter requested a discussion of the relevant expertise of the company’s senior leadership responsible for managing the company’s cybersecurity risk and the “design and implementation of policies, processes and procedures to identify and mitigate this risk.”[20] In each case, the company responded by confirming it would include the requested detail in future filings.[21]

While the impact of the November 2024 election on future leadership of the SEC is uncertain, as are their strategic and enforcement priorities, we expect SEC scrutiny over cybersecurity incident disclosures to continue as companies adjust their disclosure practices to the new requirements.

VII. XBRL Requirements

As a reminder for the upcoming Form 10-K season, all Item 106 disclosures must be tagged in Inline XBRL (block text tagging for narrative disclosures and detail tagging for quantitative amounts) beginning one year after the initial compliance date of December 15, 2023, which, for most companies, means starting with their Form 10-K or Form 20-F filed in 2025.

Companies must use the “Cybersecurity Disclosure (CYD)” taxonomy tags within iXBRL to tag these disclosures.[22] We note that significant judgment will be required to apply these tags. Not only will companies be required to determine the provision of Item 106 to which each part of the narrative disclosure is responsive, but companies will need to determine which flags to mark as “true” or “false.” Importantly, there is a flag for “Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]” and, it is our understanding that to properly apply the flag, each company must select “true” or “false.” Companies that have addressed Item 106(b)(2) by including slightly vague or ambiguous disclosure in Item 1C or by cross-referencing their risk factors will need to carefully consider how they will handle these new tagging requirements.

[1] This alert memo highlights certain disclosure trends based on our review of the 97 surveyed companies. (As of November 30, 2024, three S&P 100 companies had not yet filed annual reports on Form 10-K for fiscal years ending on or after December 15, 2023.) Where appropriate, we have grouped together similar responses to disclosure items to enable a comparison among the companies’ disclosures. For example, where a company provided time qualifiers such as “in the last year,” “in 2023,” or “during the last fiscal year,” we have considered these to be similar data points in our survey of company disclosures. Percentages may not add up to 100% due to rounding.

[2] Foreign private issuers are required to make similar annual disclosures pursuant to Item 16K of Form 20-F.

[3] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11216 (July 26, 2023) (“Adopting Release”) at 60-63.

[4] Companies are wise to be cautious when describing their adherence to cybersecurity frameworks and standards, as underscored by the SEC’s recent enforcement action against SolarWinds Corporation where the SEC charged the company with making a materially misleading statement when it claimed “SolarWinds follows the NIST Cybersecurity Framework” despite internal assessments showing that most NIST controls were not met. See SEC v. SolarWinds Corp., 1:23-CV-09518 (S.D.N.Y. July 18, 2024), at 11-14.

[5] In counting the companies who disclose where management reports to the board or responsible committee on a regular basis, we have included companies that state that they do this “regularly” (e.g., regularly, “at each regularly scheduled meeting,” etc.), as well as companies who refer to a specific time period (e.g., annually, quarterly, semi-annually, mid-year, etc.). This does not include where companies use language such as “periodically,” “as appropriate,” “as necessary,” or “as needed.”

[6] Our review of company cybersecurity disclosure was limited to the language included in Item 1C. We have not reviewed other sections of Forms 10-K filed by surveyed companies to determine whether they contain disclosure that can be deemed responsive to Item 106(b)(2).

[7] We have not reviewed the cross-referenced risk factor, or the risk factors section more generally, to determine whether they contain disclosure that can be deemed responsive to Item 106(b)(2).

[8] The language surveyed companies use to disclose how they have been impacted by cybersecurity risks, threat, or incidents is imprecise. For example, some companies specifically discuss the effect of cybersecurity incidents, while others fully track the language of the rule and discuss “risks from cybersecurity threats”.

[9] On October 28, 2024, ISS announced an update to its ISS QualityScore product to include 12 new factors. Among these are the following Audit and Risk Oversight factors related to cybersecurity risk management:

Question 460. Does the company disclose the role of the management in overseeing information security risks?
Question 461. Does the company disclose the role of the board in overseeing information security risks?
Question 462. Does the company have a third-party information security risk management program?
Question 463. Does the company leverage a third-party assessment of information security risks?
Question 464. What is the Data Protection Officer reporting line?

These factors generally align with the disclosure requirements under the rule, and based on our survey results, companies are already addressing Questions 460-463 while preparing their Item 106 disclosures.

[10] Adopting Release, supra note 3, at 81-85.

[11] See SEC Comment Letter to Quarta-Rad, Inc. dated August 1, 2024; SEC Comment Letter to Scientific Industries, Inc. dated June 14, 2024.

[12] See Response Letter from Quarta-Rad, Inc. to the SEC dated August 15, 2024; Response Letter from Scientific Industries, Inc. to the SEC dated July 17, 2024.

[13] See SEC Comment Letter to Wilhelmina International, Inc. dated August 21, 2024 (“SEC Letter to Wilhelmina International”).

[14] See Response Letter from Wilhelmina International, Inc. to the SEC dated September 3, 2024 (“Wilhelmina International Response Letter”).

[15] See SEC Comment Letter to TNF Pharmaceuticals, Inc. dated September 23, 2024 (“SEC Letter to TNF Pharmaceuticals”). In its comment letter, the Staff noted that the responsive disclosure needed to be in sufficient detail for a reasonable investor to understand.

[16] See Response Letter from TNF Pharmaceuticals, Inc. to the SEC dated September 30, 2024 (“TNF Pharmaceuticals Response Letter”).

[17] See SEC Comment Letter to Blackbaud, Inc. dated August 23, 2024.

[18] See Response Letter from Blackbaud, Inc. to the SEC dated September 3, 2024.

[19] SEC Letter to TNF Pharmaceuticals, supra note 15.

[20] SEC Letter to Wilhelmina International, supra note 13.

[21] Wilhelmina International Response Letter, supra note 14; TNF Pharmaceuticals Response Letter, supra note 16.

[22] See the Cybersecurity Disclosure Taxonomy Guide (September 16, 2024), available at https://www.sec.gov/data-research/standard-taxonomies/operating-companies.

The following Gibson Dunn lawyers assisted in preparing this update: Thomas Kim, Julia Lapitskaya, Michael Titera, Stephenie Gosnell Handler, Alexandria Johnson, Isaac Maycock, and Kayla Jahangiri.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Securities Regulation & Corporate Governance or Privacy, Cybersecurity & Data Innovation practice groups, the authors, or any of the following practice leaders and members:

Securities Regulation & Corporate Governance:
Elizabeth Ising – Co-Chair, Washington, D.C. (+1 202.955.8287, [email protected])
James J. Moloney – Co-Chair, Orange County (+1 949.451.4343, [email protected])
Lori Zyskowski – Co-Chair, New York (+1 212.351.2309, [email protected])
Aaron Briggs – San Francisco (+1 415.393.8297, [email protected])
Thomas J. Kim – Washington, D.C. (+1 202.887.3550, [email protected])
Brian J. Lane – Washington, D.C. (+1 202.887.3646, [email protected])
Julia Lapitskaya – New York (+1 212.351.2354, [email protected])
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, [email protected])
Michael Scanlon – Washington, D.C.(+1 202.887.3668, [email protected])
Michael A. Titera – Orange County (+1 949.451.4365, [email protected])

Privacy, Cybersecurity & Data Innovation:
Ahmed Baladi – Co-Chair, Paris (+33 1 56 43 13 00, [email protected])
S. Ashlie Beringer – Co-Chair, Palo Alto (+1 650.849.5327, [email protected])
Joel Harrison – Co-Chair, London (+44 20 7071 4289, [email protected])
Jane C. Horvath – Co-Chair, Washington, D.C. (+1 202.955.8505, [email protected])
Rosemarie T. Ring – Co-Chair, San Francisco (+1 415.393.8247, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Vivek Mohan – Palo Alto (+1 650.849.5345, [email protected])
Sophie C. Rohnke – Dallas (+1 214.698.3344, [email protected])

Latin America is one of the most important regions for the U.S. and other companies conducting business abroad. Not only is it geographically proximate to the U.S., but the region’s economic promise is substantial. Indeed, the World Bank estimates that, region-wide, the middle class has grown by 50% during the last decade. Some markets, including Mexico and Colombia, have made particularly noteworthy strides in boosting the ranks of their middle classes. Yet, despite its economic promise, conducting business in Latin America continues to be challenging. One key challenge has been corruption, which The Economist recently described as “surging across Latin America,” due in part to “political blowback from a period of intense anti-corruption campaigns[.]” Several governments in the region have collapsed in recent years due to corruption scandals, and in various countries, widely heralded anti-corruption reforms have not yielded the expected results.

This webcast surveys anti-corruption enforcement and developments in the region, including overviews of:

Recent U.S. Foreign Corrupt Practices Act (“FCPA”) enforcement actions involving the region;
Recent, locally led anti-corruption enforcement actions;
Noteworthy legislative and judicial developments; and
Potential mitigation strategies for businesses operating in the region.

PANELISTS:

Michael M. Farhang is a former federal prosecutor and a partner in the Los Angeles office of Gibson, Dunn & Crutcher. He is a member of the firm’s White Collar Defense and Investigations and Securities Litigation Practice Groups. Michael is an experienced litigator and trial attorney who has earned recoveries totaling nearly $70 million for private equity and corporate clients pursuing fraud, contract, and M&A-related claims. In the white collar area, Michael regularly represents corporate and individual clients and has specific subspecialties in Foreign Corrupt Practices Act (FCPA) and Anti-Money Laundering (AML) matters and Latin American corporate investigations. Michael has conducted investigations and compliance work relating to FCPA, AML, and OFAC issues in ten countries and regularly leads investigations for clients conducted in Spanish. Michael is a member of the California Bar and is admitted to practice in the Central District of California and the Ninth Circuit.

Patrick Stokes is a litigation partner in Gibson, Dunn & Crutcher’s Washington, D.C. office. He is the co-chair of the Anti-Corruption and FCPA Practice Group and a member of the firm’s White Collar Defense and Investigations, National Security, Securities Enforcement, Trials, and Litigation Practice Groups. Prior to joining Gibson Dunn, Patrick headed the FCPA Unit of the U.S. Department of Justice, where he managed the FCPA enforcement program and all criminal FCPA matters throughout the United States. Patrick also served as the DOJ’s principal representative at the OECD Working Group on Bribery, working with law enforcement and policymakers from 41 signatory countries on anti-corruption enforcement policy issues. He is a member of the Maryland State Bar and the District of Columbia Bar.

Pedro G. Soto is of counsel in the Washington, D.C. office of Gibson, Dunn & Crutcher. He is a member of the White Collar Defense and Investigations group, and his practice focuses primarily on anti-corruption and fraud matters. He has more than 13 years of experience representing corporations and individuals under investigation by government authorities. He has also conducted compliance due diligence for over 100 transactions around the world. Pedro has particularly deep experience in Latin America, where he has worked on matters in more than 15 different countries. He also represents foreign governments and private claimants in significant litigation and arbitration matters.

A native Spanish speaker, Pedro has extensive experience in Latin America. He has worked on matters involving Argentina, Bolivia, Chile, Colombia, Costa Rica, the Dominican Republic, Ecuador, El Salvador, Guatemala, Mexico, Panama, Paraguay, Peru, Puerto Rico, Uruguay, and Venezuela. Pedro also has experience in matters throughout Asia, Europe, and the Middle East. Pedro is admitted to the District of Columbia Bar.

MCLE CREDIT INFORMATION:

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour in the General Category.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

Join us for a 45-minute briefing covering several M&A practice topics. The program is part of a series of quarterly webcasts designed to provide quick insights into emerging issues and practical advice on how to manage common M&A problems. Steve Glover, a partner in the firm’s Global M&A Practice Group, acts as moderator.

Topics discussed:

Update on developments in the law governing earn-outs
Review of the new HSR rules
Briefing on the proposed new rules governing outbound investments
Recent case law addressing fraud liability in M&A transactions

PANELISTS:

Branden C. Berns is a partner in the San Francisco office of Gibson, Dunn & Crutcher, where he practices in the firm’s Corporate Transactions Practice Group, focusing on representing leading life sciences companies and investors. Mr. Berns advises clients in connection with a variety of financing transactions, including initial public offerings, secondary equity offerings and venture and growth equity financings, as well as complex corporate transactions, including mergers and acquisitions, asset sales, spin-offs, joint ventures, PIPEs and leveraged buyouts. Mr. Berns regularly serves as principal outside counsel for numerous publicly-traded companies and advises management and boards of directors on corporate law matters, SEC reporting and corporate governance.

Andrew Cline is Counsel in Gibson, Dunn & Crutcher’s Washington, D.C. office. He currently practices in the firm’s Antitrust Practice Group.

Michelle Weinbaum is of counsel in the Washington, D.C. office of Gibson, Dunn & Crutcher LLP where she is a member of the firm’s National Security and International Trade practices. Michelle advises clients on cross-border transactions and national security compliance matters including reviews before the Committee on Foreign Investment in the United States (CFIUS), the Defense Counterintelligence and Security Agency (DCSA), and Team Telecom, as well as export controls (ITAR/EAR), sanctions, foreign direct investment, and government contracts matters.

Michael M. Farhang is a former federal prosecutor and a partner in the Los Angeles office of Gibson, Dunn & Crutcher. He is a member of the firm’s White Collar Defense and Investigations and Securities Litigation Practice Groups. Michael is an experienced litigator and trial attorney who has earned recoveries totaling nearly $70 million for private equity and corporate clients pursuing fraud, contract, and M&A-related claims. He specializes in private M&A litigation matters, including rep and warranty, earnout, and working capital disputes, as well as the defense of companies, directors, and executives in DOJ and SEC investigations and in shareholder class actions, derivative suits and other commercial litigation. Michael has tried more than 25 cases in government and private practice.

Ryan Foley is Of Counsel in the Washington, D.C. office of Gibson, Dunn & Crutcher and a member of the firm’s Antitrust and Competition Practice Group. Ryan counsels clients on all aspects of antitrust law, with a focus on complex transactions. He has extensive experience representing clients in all phases of merger review before the U.S. Department of Justice Antitrust Division, Federal Trade Commission, and other competition authorities globally. He has expertise across a broad range of industries, including pharmaceuticals, technology, media, consumer products, and energy.

Stephen I. Glover is a partner in the Washington, D.C. office of Gibson, Dunn & Crutcher who has served as Co-Chair of the firm’s Global Mergers and Acquisitions Practice. Mr. Glover has an extensive practice representing public and private companies in complex mergers and acquisitions, joint ventures, equity and debt offerings and corporate governance matters. His clients include large public corporations, emerging growth companies and middle market companies in a wide range of industries. He also advises private equity firms, individual investors and others.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of .50 credit hour, of which .50 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of .75 hour in the General Category.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.