In-House Corner: Disclosure Controls - Part 1

In this blog feature, our in-house readers share tips, anecdotes, and thoughts about topics that arise in their daily practice. This particular batch of thoughts is about disclosure controls, particularly in the context of the climate and cybersecurity disclosure rules that could be coming soon from the SEC:

1. "We spent time aligning with our information security team on what makes a cyber incident sufficiently significant that it should be promptly discussed with a disclosure controls working group. The objective was that the information security team would not be making decisions about whether an incident is "material" and would report the "significant" incidents quickly for disclosure consideration.
   
   We also added to our disclosure working group a lawyer who supports our cybersecurity and privacy compliance efforts, for ongoing alignment on related disclosure objectives."
    
2. "I still blame Enron for too much emphasis on "check the box" practices, sometimes to the exclusion of a thoughtful analysis and discussion. There is now a full generation or more of people who rely on certifications as a substitute for doing the hard work of understanding the intricacies of a business and determining what should be disclosed in any given situation."
    
3. "Disclosure controls? Ugh. If I wanted to be an accountant, I would have become a CPA."
    
4. "We modified our disclosure controls about seven years ago over cybersecurity incident concerns. Any new rulemaking in that area will probably not cause us to do much in the way of change.
   
   But the new SEC climate rules will have a sizable impact on our controls and we have been mapping that out in draft form for the past year. We recently added a lawyer to our disclosure working group who supports our climate change initiatives, to help with alignment on disclosure objectives."
    
5. "Ahead of the SEC's climate rules, our Controller's office has been leading the way by creating a mammoth spreadsheet in an effort to figure out where we may need to change our controls, both internal and disclosure. We have also talked to several technology providers about assisting in this process."