SEC Climate-Related Disclosure Requirement Highlights and Third-Party Considerations

Climate-related disclosures have steadily gained prominence in recent years, with regulations currently established in the EU and California. Many organizations have anticipated regulations at the U.S. federal level for almost two years since the SEC first proposed its rule on climate-related disclosures in 2022. The wait is now over. On March 6, 2024, the SEC issued The Enhancement and Standardization of Climate-Related Disclosures for Investors.

One of the most notable differences between the proposed rule and final rule is the exclusion of Scope 3 emissions, which would have significantly influenced an organization’s third-party risk management (TPRM) practices. Despite this exclusion, environmental, social, and governance (ESG) risk continues to be an important area to explore in third-party risk management.

This blog will cover some of the highlights of the final rule, which will give you a better understanding of the type of data your organization might be expected to disclose. Although the final rule doesn’t include Scope 3 emissions, we’ll offer some compelling reasons why ESG awareness is still important to consider in your third-party risk management program and some next steps for third-party compliance.

Note: Text from the final rule is noted in italics.

Highlights of the SEC Climate-Related Disclosure Final Rule  

The final rule clocks in at over 800 pages, much of which contains the proposed rule and commentary that was collected from over 24,000 letters. As with any regulation, organizations are advised to read and understand the text to ensure they’re meeting the expectations and requirements. 

Here are 5 highlights to note:  

1. Types of emissions – The final rule states that organizations must disclose Scope 1 and Scope 2 emissions. Scope 1 emissions are also known as “burn” and refer to those that are controlled or owned by the organization. Gas emissions from an organization’s vehicles would be an example of Scope 1. Scope 2 emissions, or “buys,” refer to the energy an organization purchases, like electricity for a facility. 
   
   
   Note: Organizations are not required to disclose Scope 3 emissions, according to the final rule. Scope 3 emissions are essentially those that are produced by your third-party vendors, or anything beyond what your organization burns or buys.  
2. Material climate-related risks – A registrant is required to provide a description of any climate-related risks that have materially impacted or are reasonably likely to have a material impact on the registrant, which includes the organization’s strategy, operations, and financial condition. Materiality can be a difficult term to deconstruct, but the final rule gives some guidance, stating that a material matter would be considered important by a reasonable investor. In other words, a material matter would have a significant impact on an investor that’s making decisions on buying or selling securities. 
   
   
   Pro Tip: Since material matters can also impact business strategies and operations, it may help to think of this concept in terms of criticality. This requirement might be worth researching further to determine whether any overlap exists between your organization’s critical vendors and material climate-related risks.  
3. Risk management processes – Understanding what’s considered material or critical to your organization is just one piece of the puzzle. An organization is also expected to disclose any existing processes for the identification, assessment, and management of material climate-related risks. The final rule emphasizes that it doesn’t offer a prescriptive approach to managing climate-related risks because there isn’t a “one-size-fits-all” model that works for every organization and industry. A comprehensive TPRM program that details your processes and procedures would be an effective strategy to help identify material third-party climate risks.
4. Oversight responsibilities – The board of directors and senior management are expected to be involved in overseeing and managing the organization’s climate-related risks. Organizations are required to disclose a description of a board of directors’ oversight of climate-related risks and management’s role in assessing and managing climate-related risks. This requirement closely aligns with other regulatory expectations such as the Interagency Guidance on Third-Party Relationships about the board and senior management’s involvement in critical third-party activities.
5. Targets and goals – In response to climate-related risks, many organizations may choose to set targets and goals, which will then need to be disclosed. For instance, an organization might set a goal related to energy or water usage. In this case, the final rule requires disclosure, as applicable, of how the registrant intends to meet its climate-related targets or goals. The disclosure should include details such as the scope of the activities, a timeline for when the goal or target will be met, and how the organization will track its progress.

3 Reasons for Continued ESG Awareness in Third-Party Risk Management 

Scope 3 emissions might not be a requirement in the SEC’s final rule, but this doesn’t necessarily mean they can be ignored altogether. Here are three reasons why Scope 3 emissions and other third-party ESG risks should continue to be integrated into your third-party risk management program: 

1. Expanding regulations and standards – California requires the disclosure of Scope 3 greenhouse gas (GHS) emissions in the Climate Corporate Data Accountability Act, while the EU requires its own Scope 3 disclosures in the Corporate Sustainability Reporting Directive (CSRD). Some organizations may also want to meet the sustainability reporting standards developed by the International Sustainability Standards Board (ISSB). Keeping Scope 3 emissions and ESG risk within your third-party risk management program will help keep your organization prepared for future regulations that may be established in the years to come.
2. Shareholder expectations – Many organizations continue to make commitments to voluntarily report ESG metrics to their shareholders. This commitment might come from a desire to improve transparency with investors, create a competitive advantage, or even to encourage other organizations to follow in their footsteps with their own reporting. Managing ESG risk will ensure you have the necessary data to meet shareholder expectations.  
3. Reputation management – ESG risk encompasses a variety of issues, from clean energy and water conservation, human rights and labor practices, and anti-corruption and anti-bribery initiatives. Consider a situation where one of your vendors violated human rights by using child labor in their supply chain. Even though this violation wasn’t directly attributed to your organization, it can still harm your reputation and brand. The public, including potential customers and investors, may view your organization unfavorably because of its association with this vendor. 

Next Steps for Third-Party ESG Compliance 

Some of your third parties may not be held to the same regulatory expectations of climate-related disclosures. It’s still important to consider how they can potentially create compliance issues for your organization. 

Here are next steps to get started with third-party compliance:  

• Identify your critical third parties – This will help you understand which third parties should be in scope for your disclosure requirements. A critical third party is one whose failure or extended outage would have a significant impact on your organization or customers. 
• Begin the conversation – Reach out to your critical third parties and begin the conversation on why your organization has implemented certain ESG goals, requirements, and practices. This would also be a good opportunity to gather information on your third parties’ preparedness for ESG disclosures. Consider distributing a survey to better understand whether your third parties have any ESG practices in place. 
• Develop a plan of action – If you discover some of your third parties are unprepared for ESG practices and disclosures, consider creating a plan of action for compliance. In general, you won’t need to create separate ESG standards for your third parties to follow. Many organizations will just want to ensure their vendors are meeting the same standards. Make sure to include relevant details in your plan that your third party can follow, such as roles and responsibilities, reporting requirements, and timelines for compliance.

The SEC’s climate-related disclosure requirements provide further evidence that regulators are focusing more on ESG risks. Even with the current absence of Scope 3 emissions from the SEC’s final rule, there’s still good reason to integrate third-party vendors in your ESG efforts.