Skip to main content
close search
site logo
Deep Dive

SEC cybersecurity tactics point to ESG approach, attorney says

As the Securities and Exchange Commission builds investor protections on sustainable investing, CFOs can look to the agency's approach to cybersecurity for hints on how to prepare.

Published April 15, 2021
Jim Tyson's headshot
Senior Reporter
Belvedere debuts new 'Made With Nature' brand platform
Courtesy of Belvedere

The Securities and Exchange Commission (SEC) this year has prioritized shielding investors against abuses by companies that are, in the words of an SEC official, ”finding gold in the green” by selling products in environmental, social and governance (ESG) investing.

A recent SEC warning suggests that CFOs at companies committed to sustainable investing should look "in the green" for regulatory risk.

In a sign of intensifying SEC scrutiny of ESG, the agency's examinations division this month warned in a “Risk Alert” that some financial companies may have misled investors about their approach to ESG principles.

CFOs can curb compliance risk and frame a strategy for ESG disclosure by studying how the SEC has built cybersecurity disclosure rules and enforcement, according to Philip Bezanson, an attorney at Bracewell. The SEC will likely pull pages from its cybersecurity playbook as it crafts investor protections on ESG disclosure and identifies abuses for investigation, he said.

To be sure, differences between ESG and cybersecurity will lead to two different SEC approaches. While an understanding of cybersecurity is comparatively straightforward, the lack of a global consensus on how to define ESG complicates SEC oversight, company compliance and an agreement on disclosure standards.

The definition of ESG is “in the eye of the beholder,” and the ambiguity “certainly raises questions about what enforcement will look like,” Bezanson said in an interview.

Also, while cybersecurity is largely a dry technical challenge, “ESG has broad media retail appeal,” he said. Companies will face pressure to take a public stand on ESG, and executives and board members need to carefully choose their words.

Compared with cybersecurity, “there may be more opportunities for high-profile statements that ultimately could be deemed misleading” by the SEC, Bezanson said. When crafting ESG disclosures, a CFO needs to find the sweet spot between discretion and transparency.

“The risk with ESG disclosures is you either say so much about your shortcomings that the marketplace doesn’t like you or you get sued, or you tout how great you are when you’re not that great and the SEC will investigate you,” he said.

Guilty of 'greenwashing'

Companies that fail to follow through on ESG commitments may, at the least, be publicly accused of “greenwashing.”

ESG could also become more politically divisive than cybersecurity, Bezanson said. “We’ve only begun to see ways in which it could be a politically challenging subject matter.”

Tension has already emerged among SEC commissioners. On March 3, the examinations division mentioned climate-related risks first in its description of priorities for 2021, and Allison Herren Lee, the agency's acting chair, said the SEC is "integrating climate and ESG considerations into the agency's broader regulatory framework."

Among its efforts, the SEC will examine proxy voting practices "to ensure voting aligns with investors' best interests and expectations" and companies' "business continuity plans in light of intensifying physical risks associated with climate change," said Lee, a Democrat.

The following day, the enforcement division announced the creation of a Climate and ESG Task Force made up of 22 members from SEC headquarters, including the whistleblower's office, as well as regional offices and "specialized units" within the division.  

"Consistent with increasing investor focus and reliance on climate and ESG-related disclosures," the task force "will develop initiatives to proactively identify ESG-related misconduct," the SEC said in a press release.

On the same day — March 4 — the SEC's two Republican commissioners released a statement rhetorically asking whether the recent SEC "announcements represent a change from current commission practices or a continuation of the status quo with a new public relations twist? Time will tell."

"We assume that the new initiative is simply a continuation of the work the staff has been doing for more than a decade and not a program to assess public filers' disclosure against any new standards," commissioners Hester Peirce and Elad Roisman said.

Partisan wrangling

ESG may increasingly flare as a partisan issue in Congress as well. “I assume there will be political overhang with a lot of what happens with SEC enforcement” on ESG, Bezanson said.

Still, the SEC in important ways will probably tackle ESG enforcement in much the same way it has approached cybersecurity, he said.

First, as with high-profile cybersecurity cases, the SEC when vetting ESG disclosures will focus on companies guilty of “material and misleading statements or omissions,” Bezanson said.

Peirce underscored the standard in an April 12 statement. “Firms claiming to be conducting ESG investing need to explain to investors what they mean by ESG and they need to do what they say they are doing,” she said. “As with any other investment strategy, advisers and funds should not make claims that do not accord with their practices, and our examiners will be looking for that consistency between claims and practice.”

Second, as with cybersecurity, the SEC will make sure to pursue enforcement on ESG missteps when it’s sure of prevailing, Bezanson said. “They want to bring actions that they’re going to win.”

Third, the SEC will gradually build up its guidance and enforcement as staff, investors, various industries and other stakeholders learn more about ESG investing and, in public and private meetings, coalesce around common standards.

“There will certainly be ramp up time for this,” Bezanson said, giving CFOs time to take steps in preparation for SEC enforcement on ESG disclosure, including:

  • Define the meaning of ESG for your company, and share the definition with staff and external stakeholders. “Managing expectations is a great thing to do in lots of different contexts, certainly when venturing out into a fairly new disclosure area,” Bezanson said.

  • Ensure company statements and comments align with your company’s definition of ESG, preparing for times when executives may be caught off guard by a question. CFOs should create systems and controls that generate “clear and consistent messaging” in marketing materials, web pages, speeches, slide decks and other communication, Bezanson said. They should also be prepared to promptly correct any misstatements.

  • Track SEC guidance and enforcement on ESG as they evolve, along with the statements and policies of companies in your industry. SEC guidance in 2010 on disclosures of climate change risk is a starting point.


A CFO should ask, “What are other people in our industry saying about their risks on this, and are we saying enough — are we saying too much?” Bezanson said.

CFOs that closely monitor the SEC approach will probably have time to construct the right ESG policies and systems.

“I expect there to be incremental enforcement” similar to the SEC’s measured pace on cybersecurity, Bezanson said, “unless you see examples of truly egregious, misleading statements.”

Editors' picks

Company Announcements

View all | Post a press release
Celonis AgentC: Making AI Agents Work for the Enterprise with Process Intelligence
From Celonis
October 23, 2024
Pharmaceutical Executive Taggart McGurrin Featured on Life Sciences 360 Podcast
From Wild Fig Advertising
October 29, 2024
Basware’s New GenAI Tool Transforms Insights for CFOs
From Basware
October 29, 2024
Editors' picks
Latest in Strategy & Operations
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell