Legal and regulatory updates: In planning for 2023, a 2022 review

As we begin the new year, many companies will be reviewing the changes their business went through in 2022 and how such changes have impacted or may impact operations and future performance. At the same time, businesses also have their eye on the year ahead and are thinking through how they will continue to adapt to external and internal forces driving such changes in their business. Material changes will need to be accounted for in budgets, business plans, and, for public companies, addressed in their public reports filed with the Securities and Exchange Commission (the SEC).

As companies look back on the last year and plan for the future, many will identify recent legal and regulatory developments as a driving factor of change within their organization.

Below is a summary of select laws and regulations passed or proposed in late 2021 and 2022 that may have a material impact on certain US-based businesses, including with respect to their compliance costs, future business plans and results of operations. Relatedly, public companies should consider whether such laws and regulations, and their actual or anticipated impact on their business, warrant updates to their risk factors, the description of their business and/or their management’s discussion and analysis (MD&A).

SIGNIFICANT NEW LAWS AND REGULATIONS

Inflation Reduction Act

The Inflation Reduction Act (the IRA) was signed into law on August 16, 2022 and its impact reaches several distinct industries. For example, the IRA offers a number of tax credits that will reduce the costs of clean energy projects and offers tax credits to purchasers of certain new and used electric vehicles. The impact of such clean energy tax credits should be carefully considered not only just by energy project sponsors and businesses offering clean energy solutions to consumers, but also by companies in the traditional energy sector that compete with clean energy solutions.

Separately, the IRA contains provisions impacting the healthcare, pharmaceutical and insurance industries with the overall goal of lowering the cost of healthcare. The IRA authorizes the US Department of Health and Human Services to negotiate prescription drug prices that are covered by Medicare and Medicaid, places caps on costs for Medicare beneficiaries and extends the term of premium payment assistance from public marketplaces established under the Affordable Care Act. Accordingly, companies in these spaces should consider how such changes will impact their business and whether any updates need to be made to their public disclosures.

The costs of these incentives and subsidies will be paid for via new taxes, including a new minimum 15% tax on corporations with average annual income of $1 billion or more and a new 1% excise tax on public company stock repurchases.

CHIPS and Science Act

The Creating Helpful Incentives to Produce Semiconductors and Science Act of 2022 (the CHIPS and Science Act) was signed into law on August 9, 2022. One of the main goals of the CHIPS and Science Act is increasing the number of semiconductors made in the US, including by allocating funds for semiconductor research, development, manufacturing and workforce development, as well as providing tax credits for investments in chip manufacturing and processing equipment. In addition, the CHIPS and Science Act provides funds for the promotion of certain wireless technologies and research and development in areas such as artificial intelligence, biotechnology and robotics, among others.

US companies, particularly semiconductor businesses and technology sector companies, should look further into the CHIPS and Science Act provisions to assess how they may take advantage of these benefits, while remaining cautious until the implementation and effects of the law becomes clearer. On the other hand, organizations relying on imported semiconductors may want to re-evaluate their supply chain and consider any indirect, but otherwise material, impacts from the CHIPS and Science Act provisions.

Uyghur Forced Labor Prevention Act

The Uyghur Forced Labor Prevention Act (the UFLPA) was signed into law in late December 2021. Under the UFLPA, there is a rebuttable presumption that any goods mined, produced or manufactured, in whole or in part, by certain entities named in the UFLPA Strategy on the UFLPA Entity List, or in the Xinjiang Uyghur Autonomous Region of the People’s Republic of China (the XUAR), are not permitted for import into the US. An importer can rebut the presumption by providing clear and convincing evidence that the applicable goods were not mined, produced or manufactured using forced labor. The implementation of the UFLPA presumption took effect on June 21, 2022.

Products from the XUAR are found in supply chains across many sectors, including industrials (particularly manufacturing and chemicals), agricultural, consumer goods – particularly apparel, energy, and healthcare. Impacted companies should consider the costs of compliance with the UFLPA and, if necessary, conducting supply chain mapping and making changes in their supply chain and related procedures.

Strengthening American Cybersecurity Act of 2022

The Strengthening American Cybersecurity Act of 2022 (the SACA) was signed into law in March 2022. One of the primary goals of the SACA is the protection of critical domestic infrastructure. Among other provisions, the SACA requires entities in critical infrastructure sectors to follow specified timelines and reporting procedures with respect to cybersecurity incidents and ransom payment demands.

The Director of the Cybersecurity and Infrastructure Agency has been charged with defining more precisely what entities are covered by the SACA, so the scope currently remains unclear. For now, companies should review their internal policies and procedures and assess their ability to comply with the new requirements. Further, those not operating in applicable sectors should consider whether their policies and procedures will continue to meet market standards once the new requirements come into effect.

European Union Corporate Sustainability Reporting Directive

The European Union’s (the EU) Corporate Sustainability Reporting Directive (the CSRD), which is considered to implement the broadest mandatory sustainability reporting requirements to date, is expected to take effect in early 2023, although companies will have until 2025, 2026 or 2028 – depending on what category they fall into under the CSRD – before they have to comply. The CSRD will require disclosure on a company’s own sustainability efforts and policies, as well as how the company is impacted by external forces related to sustainability. The CSRD not only revises and expands existing EU sustainability and ESG (environmental, social, and governance) reporting requirements, but also broadens the scope of companies to which such requirements pertain. The CSRD will extend to US organizations that generate a certain amount of net turnover or revenue in the EU or are listed on a regulated market in the EU.

Companies should assess whether they fall within the CSRD’s mandatory reporting requirements. If they do not, such companies may still want to consider whether competitors that will comply with the CSRD will be able to use such disclosure to their advantage (and, therefore, whether an out-of-scope organization could still benefit from increasing their voluntary sustainability and ESG reporting or other publicity). In either case, companies who anticipate increasing the amount of sustainability data they make public will want to begin compiling and organizing such data, as well as accounting for any increased compliance costs associated with the same.

SIGNIFICANT FUTURE AND PROPOSED LAWS AND REGULATIONS

European Union Sustainability Due Diligence Directive

The European Union Sustainability Due Diligence Directive (the CSDD) is a proposed supply-chain focused due diligence law with, among others, a goal of enhancing the human rights and environmental practices and policies of businesses. One significant way in which the CSDD seeks to accomplish this goal is by imposing an obligation on in-scope companies to conduct due diligence on their own operations and their supply chain, although the precise scope of covered suppliers and vendors is still an open question. In addition, the CSDD will require companies to adopt and annually update due diligence policies that enable them to identify human rights and environmental issues. Further, businesses will need to take action to end, prevent and/or mitigate the impacts of any identified issues.

In addition to certain EU companies, the proposed CSDD requirements will apply to non-EU companies generating a certain amount of net turnover in the EU. Importantly, however, the impact of the CSDD will extend to other organizations in the supply chain of in-scope companies since such organizations may fall within the scope of companies’ due diligence obligations.

The European Council has adopted its negotiating position with respect to the CSDD, and committees of the European Parliament are currently considering the CSDD internally. The next steps will be for the European Parliament to vote upon its position, and then the institutions will begin formal negotiations regarding the CSDD. The CSDD is not expected to take effect until at least 2024.

Proposed SEC rules regarding climate-related disclosure and governance rules

In March 2022, the SEC proposed new public company disclosure requirements regarding a company’s greenhouse gas emissions (including those from its supply chain), financial data related to climate considerations and climate-related governance. One of the goals of these rules is standardizing climate-related disclosures by using established frameworks such as the Task Force on Climate-related Financial Disclosures and Greenhouse Gas Protocol. Currently, climate related disclosures are largely based on materiality standards, and the new rules would provide more specific requirements that will increase companies’ internal costs for compliance. As originally proposed, there were limited exceptions based on filing status.

Companies should consider the steps they need to take to comply, as the information to be disclosed can be difficult to gather and track. Further, companies might start deliberating on strategies to reduce greenhouse gas emissions or improve other climate impacts from their activities in order to avoid negative market impact from the additional required disclosure when the rules go into effect.

Although the rules were originally expected to be finalized and adopted before the end of 2022, the final rules are now anticipated in 2023.

Proposed SEC rules regarding cybersecurity disclosure

Also in March 2022, the SEC proposed new rules related to cybersecurity. The new rules would require public companies to report material cybersecurity incidents on Form 8-K and to disclose when a series of otherwise immaterial cybersecurity incidents have, in the aggregate, become material on the company’s periodic reports. When it comes to these requirements, organizations will need to be careful with their process, as states and different regulatory regimes may require other forms of disclosure on a different timeline.

In addition, the proposed rules would require companies to provide a description of their cybersecurity practices, policies and procedures in their periodic reports, to disclose whether any directors have cybersecurity expertise in annual reports or proxy statements, and to disclose whether they have a chief information security officer. The latter two requirements may motivate companies to review the expertise of existing directors and officers, and factor into their search for new persons to fill such roles.

A timeline for adoption of the final rules has not been provided.

Going forward

As noted above, this is only a summary of select laws and regulations that may materially affect companies’ operations and public reports in the upcoming years, and there are other new legal and regulatory changes that companies need to consider given their business and sector. In all cases, companies should take the time to understand how such changes impact their compliance practices internally and with respect to the risk factors, the description of their business and MD&A in their public reports.  Return to our full set of alerts on key considerations for the 2022 annual reporting season.  If you have any questions about the items discussed in this article or other compliance matters, please reach out to your regular DLA Piper contact.