PDF Download: "2025 SEC and Corporate Governance Update"

The following summary is designed to help our clients and friends keep track of the most significant Securities and Exchange Commission (“SEC”) developments and rule changes as they plan for their annual meetings, periodic reporting and corporate governance matters in the coming year.

Climate Change Final Rules Stayed
In March 2024, the SEC adopted long-awaited rules that could impose significant climate change-related disclosure obligations on registrants.  The final rules require companies to disclose financial statement metrics; provide data regarding material scope 1 and 2 emissions consisting of their own material greenhouse gas (GHG) emissions and how much energy they consume; disclose climate-related risks and the impacts of said risks, particularly those likely to have a material impact on the company’s business or financial statements; disclose governance and oversight of climate-related risks; and disclose material climate-related targets and goals, progress towards meeting those targets and goals, and transition plans. As a welcome change from the proposed rules, the SEC removed disclosure requirements for scope 3 emissions but still requires the disclosure of material scope 1 and scope 2 emissions. Additionally, the final rules exempt emerging growth companies, smaller reporting companies, and non-accelerated filers from the GHG emissions disclosure requirements. 

The new rules were immediately challenged in court in multiple jurisdictions, with the litigation ultimately being consolidated in the United States Court of Appeals for the Eighth Circuit.  In April, the SEC issued a voluntary stay of the rules pending resolution of the litigation. 

What companies should be doing now: The stay of the final rules reduced the sense of urgency surrounding the climate change rules, but climate change should still remain an important issue for companies in 2025. Companies should be implementing and reviewing controls and procedures regarding climate change as if the rules will go into effect as planned. Even if the final rules are struck down in whole or in part, investor pressure likely will continue to drive companies to provide similar climate-related disclosure. 

Cybersecurity Disclosure Updates
On July 26, 2023, the SEC adopted final rules for public companies implementing new disclosure obligations regarding cybersecurity incidents and risk oversight processes. The rules added Item 1.05 to Form 8-K, obligating companies to disclose material cybersecurity incidents within four business days of a determination that such incident is material (subject to narrow exceptions) and Item 106 to Regulation S-K, imposing new annual disclosure obligations regarding cybersecurity processes and oversight. These new rules went into effect in December 2023 for most public companies. 

During 2024, the SEC issued a statement regarding when to use the new Item 1.05 on Form 8-K versus Item 8.01 when reporting cybersecurity incidents. The SEC recommended Item 8.01 as the SEC’s preferred method of voluntarily reporting immaterial cybersecurity incidents or incidents disclosed before a materiality analysis has been conducted. In addition, the SEC issued five Compliance and Disclosure Interpretations (Questions 104B.05 – 104B.09) on the new cybersecurity rules regarding timing and materiality considerations for ransomware attacks.

What companies should be doing now: Companies should review the SEC guidance and ensure that they have instituted proper policies and procedures to facilitate timely communication and analysis regarding cybersecurity incidents in order to comply with the new 8-K disclosure obligations. 

Don’t Forget to File Insider Trading Policy with Upcoming 10-K
In December 2022, the SEC adopted amendments to Rule 10b5-1 under the Securities Exchange Act of 1934 (the “Exchange Act”) and related insider trading disclosures which went into effect in 2023. As part of this rule amendment, the SEC created Item 408(b) of Regulation S-K, which requires companies to disclose in their annual reports whether they have adopted policies and procedures for directors, officers and employees (i.e., an insider trading policy) that are reasonably designed to promote compliance with insider trading laws (or explain why not). In addition, if the company has adopted an insider trading policy, it must file the policy as an exhibit to their 10-K (see Exhibit 19 to Item 601 of Regulation S-K).  The narrative disclosure may be forward-incorporated from the company’s proxy statement and must be tagged in inline XBRL.

Companies are required to comply with Item 408(b) in the first annual report filing that covers the first full fiscal period that begins on or after April 1, 2023. Accordingly, the new narrative and exhibit disclosure requirements will apply to upcoming 2024 annual report filings for calendar year-end companies. 

What companies should be doing now: Companies are encouraged to review and revise their insider trading policies to (i) confirm compliance with the new rules and best practices and (ii) tend to any other necessary “housekeeping” within their policies before they are required to be disclosed publicly in their 2024 annual reports. 

Nasdaq Board Diversity Rules Vacated
In August 2021, the SEC approved Nasdaq’s proposed rules regarding disclosure of board diversity.  The rules required Nasdaq-listed companies to (i) disclose either in their proxy statement or on the company website board level diversity statistics using a standard template and (ii) have (or disclose why they do not have) at least two diverse directors on their board. 

On December 11, 2024, the United States Court of Appeals for the Fifth Circuit ruled that the SEC exceeded its authority under the Exchange Act and vacated the rules. Nasdaq has announced that it does not plan to appeal the Fifth Circuit’s ruling. The SEC is reviewing the decision, but given the upcoming administrative change at the SEC, it is not expected to challenge the decision.

What companies should be doing now: Nasdaq companies are no longer required to comply with the board diversity rules. However, public companies may still voluntarily disclose diversity information to align with investor expectations and the voting guidelines of proxy advisory firms. For example, large institutional investors such as BlackRock and State Street and proxy advisory firms like ISS and Glass Lewis have adopted policies encouraging board diversity, threatening to withhold votes or vote against board members or committee chairs of companies not meeting certain diversity goals.  

“EDGAR Next” Goes Live in March 2025; Legacy EDGAR Platform Going Dark in September 2025
In September 2024, the SEC adopted rule and form amendments regarding the EDGAR filing system commonly called “EDGAR Next.” The final rules will effectively end shared EDGAR accounts as EDGAR will be moving from a system of one login per company to one login per individual. Each filer must authorize at least two individuals as account administrators (one account administrator is allowed for individual or single-member company filers). The account administrators generally will manage the filer’s account, with responsibilities such as: delegating authority, annually confirming on EDGAR that all individuals and entities reflected on the filer’s dashboard are authorized to act on the filer’s behalf, maintaining accurate and current corporate information on EDGAR and maintaining information relevant to access the filer’s EDGAR account. 

The EDGAR Next dashboard will go live on March 24, 2025. After that date, any new filers must register on the new EDGAR Next platform. On September 12, 2025, the legacy EDGAR filing process will end and on September 15, 2025, compliance with EDGAR Next becomes mandatory. Filers who have not enrolled by December 22, 2025 must submit an amended Form ID to gain access to EDGAR.

What companies should be doing now: Companies should familiarize themselves with EDGAR Next and develop a plan for implementation. Additionally, if public companies handle Section 16 filings for their officers and directors, they should plan to start the registration process for those individuals on the new EDGAR Next platform in the Spring or Summer of 2025. Companies should determine which administrators and/or third-party providers should be authorized for each individual filer.  

SEC Fall 2024 Regulatory Agenda 
Below are a few relevant rule proposals currently included on the SEC’s Fall 2024 regulatory agenda (the “Flex Agenda”). Note that it is likely that these proposals may be altered or abandoned by the incoming administration in 2025. 

Incentive-based Compensation Arrangements for Financial Institutions (April 2025). The SEC’s Flex Agenda indicates that it is considering reproposing regulations and guidelines in April 2025 (that were originally proposed in 2016) to prohibit incentive-based compensation practices that encourage inappropriate risks at certain financial institutions that have $1 billion or more in total assets as required by the Dodd-Frank Act. 

Human Capital Management Rules to be Proposed (October 2025). The SEC’s Flex Agenda indicates that it will propose new human capital management disclosure rules in October 2025 to supplement the rules passed in 2021. The 2021 amendment to Item 101 of Regulation S-K requires the disclosure of material information regarding a company’s human capital resources.  In September 2023, the SEC’s Investor Advisory Committee approved a subcommittee recommendation for new human capital management prescriptive disclosure such as headcounts for different types of workers in the company, turnover metrics, total cost of the workforce and other demographic data and narrative disclosures of firm practices and strategies. 

Shareholder Proposal Amendments to be Finalized (October 2025). The SEC’s Flex Agenda indicates that it is considering adopting final rules in October 2025 revising shareholder proposal rules under Rule 14a-8. The rules would amend three of the substantive bases for excluding a shareholder proposal: (i) the substantial implementation exclusion, (ii) the duplication exclusion and (iii) the resubmission exclusion. 

Corporate Board Diversity Rules to be Proposed (October 2025). The SEC’s Flex Agenda indicates that it will propose new corporate board diversity disclosure rules in October 2025 to enhance disclosures about the diversity of board members and nominees. Currently, Item 407(c)(2)(vi) requires companies to disclose whether the board has a policy regarding consideration of diversity in identifying director nominees and how such policy is implemented. 

Notable SEC Enforcement Actions 
New “Shadow Trading” Theory. On April 4, 2024, in SEC v. Panuwat, a federal jury in the Northern District of California found a company employee liable for insider trading when the employee traded in the securities of a third party who was not the source or subject of the material non-public information. The defendant, Matthew Panuwat, was an employee at an oncology-focused biopharmaceutical company. Through the course of his employment, Panuwat learned that his employer expected to be acquired at a premium price. Panuwat purchased out-of-the-money call options in a company that was a peer to his employer, believing that the stock price in the peer company would rise on announcement of the acquisition of his employer. Panuwat obtained approximately $110,000 in profits from the trade. To prove that Panuwat breached a duty when he purchased the call options, the SEC focused on vague language in his employer’s insider trading policy that prohibited trading in the securities of “another publicly traded company,” when the employee had material non-public information. Companies should review their insider trading policies and other governance documents to ensure they are drafted in a clear and precise manner that does not create any unintended duties.

Failure to Disclose Pledging of Company Shares. On August 19, 2024, the SEC announced charges against Carl C. Icahn and his company, Icahn Enterprises L.P. for failing to disclose information relating to Icahn’s pledge of Icahn Enterprises securities as collateral to secure personal margin loans worth billions of dollars under agreements with various lenders. Notably, the SEC charged Icahn Enterprises with the failure to disclose the pledges as required by Item 403(b) of Regulation S-K. Companies should take special note of these charges as they prepare their beneficial ownership table in 2025.

Section 16 Enforcement. On September 25, 2024, the SEC announced settled charges against 23 entities and individuals for failures to timely report information about their holdings and transactions in public company stock. Notably, in two of the cases the company had undertaken to make Section 16 filings for its insiders, but the filings were repeatedly late, and the company failed to make required disclosures regarding the delinquent Section 16 filings. The Section 16 insiders have the obligation to file their required Section 16 reports; however, most companies voluntarily file Section 16 reports on behalf of their insiders as a courtesy. These two cases underscore that the company can face some legal consequences for late filings and missed disclosures when the company has voluntarily taken on this obligation. Companies should review their controls and procedures to ensure timely filing of Section 16 reports. 

Special Relationships that Bring Director Independence into Question. On September 30, 2024, the SEC announced settled charges against James R. Craigie, a former CEO, Chairman and board member of Church & Dwight Co., Inc. for violating proxy rules by standing for election as an independent director without informing the board of his close personal friendship with a Church & Dwight executive. Among other things, Craigie frequently vacationed with the executive and the executive’s spouse, including six trips that spanned eight countries on five continents. Craigie paid more than $100,000 for them to join Craigie and his spouse on several of these international vacations. In addition to the Craigie case, there have been other cases over the years in which directors were alleged to have lacked independence because they belonged to the same country clubs, served on the same boards (including boards of charitable organizations) or generally ran in the same social circles. Although casual friendships are not problematic, companies should consider this enforcement action when determining director independence.

Risk Factor Updates to Consider in 2025
Risk factors should be reviewed and updated often to address the ever-changing risk environment. Some risk factor topics and trends to consider in 2025 are included below:

• Geopolitical risks – With the continued war in Ukraine and volatility in the Middle East, companies should consider risk factors concerning geopolitical risks and conflict around the world.
• Trade restrictions – With the increased focus on trade restrictions, such as tariffs, consider any business risks related to the restriction of international trade.
• Cybersecurity risks – With the SEC’s increased focus on cybersecurity and constantly evolving cybersecurity threats, cybersecurity risks should be reviewed to stay current in the cyber risk landscape.
• Artificial intelligence risks – With constant advancements in artificial intelligence technology, increased implementation into companies’ businesses and continued changes in the regulatory environment, artificial intelligence risk factors should be considered and revised as new risks arise.
• Climate risks – Although the SEC’s climate disclosure rules are currently stayed, continued SEC and investor interest in climate change and extreme weather events over the past year should keep this item at the forefront of company risk factor considerations.

Artificial Intelligence Disclosure and “AI Washing” 
The advancements in generative artificial intelligence have continued to attract the attention of companies, legislators, and regulators alike. In March 2024 the SEC announced settled charges against two investment advisers for making false and misleading statements about their use of artificial intelligence. This “AI Washing” is the intentional overstating of a product or service’s AI capabilities to make such product or service appear more innovative than it actually is, which “artificially” inflates sales or engagement. Companies should precisely and accurately disclose its AI usage and capability rather than relying on disclosure language that is vague or aspirational. 

Additionally, companies should continue to focus on AI-related risks in their periodic reports, including regulatory, operational, competitive, cybersecurity, ethical and third-party risks. Companies should assess the material impact of AI on the company’s business outlook and performance and update their risk factors and other disclosures, if necessary. Outside of disclosures, companies should continue monitoring regulatory developments, evaluate their AI governance and oversight procedures, and look toward establishing broader company policies relating to the use of AI.

Kutak Rock Turns 60
On January 11, 2025, Kutak Rock LLP will celebrate its 60th anniversary. What started out as a three-person law firm in 1965 has grown into a national law firm of more than 550 lawyers in 19 locations. We thank our clients and friends for their continued trust in our firm. 

Additional Information 
This legal update is merely a high-level summary of the developments discussed herein as of January 1, 2025 and does not purport to be a complete discussion of each of the noted rule changes. Complying with the SEC rules and regulations is a complex task within an ever-changing environment. If you have questions about the rules discussed above, please contact your Kutak Rock attorney or one of the authors listed below.