31 October 202211 minute read

More signs that the major questions doctrine from West Virginia v EPA may impact the SEC’s authority on proposed climate and cybersecurity disclosure rules

In the first quarter of 2022, the SEC issued 16 new rule proposals, doubling the pace it has held throughout most of the 21st century.[1] While many of these rule proposals concern subjects more traditionally within the SEC’s purview, the SEC also has issued proposed rules covering areas outside its traditional field of regulation, such as those concerning climate and cybersecurity disclosures.

The SEC’s broad authority to promulgate these new regulations, however, has been called into question in the wake of the Supreme Court’s recent decision in West Virginia v EPA, which struck down an ambitious 2015 EPA regulation as outside of the EPA’s authority.[2] Recently, several Republicans on the House Financial Services, Appropriations, and Oversight and Reform Committees called on the SEC to specify its source of Congressional authority for each new rule it proposes so that they can “monitor the SEC to ensure it does not operate outside its statutory directives.”[3]

This alert provides a brief overview of the major questions doctrine used by the Supreme Court majority in the West Virginia decision and analyzes its potential impact on two significant SEC proposed rules: climate and cybersecurity. Courts’ analysis of the inevitable challenges to these rules will likely turn on the balancing of the SEC’s long-accepted broad authority to determine what information is “necessary or appropriate” to disclose to investors against a growing reticence to allow federal agencies to fill substantive gaps that Congress has declined to address.

The decision in West Virginia v EPA

In 2015, the EPA promulgated rules known as the Clean Power Plan, which, among other measures, required power plants to install more efficient devices to limit carbon dioxide emissions and shift toward other modes of energy creation. In proposing the rules, the EPA relied on Section 111(d) of the Clean Air Act, a rarely invoked “gap-filler” measure that allows the EPA to determine “the best system of emission reduction” for existing pollutants generated by covered power plant facilities.[4] To analyze the propriety of this rule, the Supreme Court relied on the “major questions doctrine” to determine whether the rule was within the scope of the EPA’s statutory authority.

As explained by the majority, the “major questions doctrine” involves analytical principles under which rules may be evaluated against the statute conferring authority upon the administrative agency. According to the majority, courts may consider the “major questions doctrine” in extraordinary cases in which the history and breadth of the asserted authority and the economic and political significance of the agency’s rule give courts reason to doubt that Congress meant to confer the authority in question. As Justice Neil Gorsuch suggested in a concurring opinion, once a court establishes that the “major questions doctrine” might apply, the key statutory analysis should focus on 1) the legislative provisions in question, rejecting broad assertions of authority from vague or cryptic language; 2) the age and focus of the statute in relation to the problem addressed by the agency; and 3) the agency’s past interpretation of the relevant statute. 

In West Virginia, after finding that the “major questions doctrine” was implicated, the Supreme Court found that the EPA had located “newfound power in the vague language of an ‘ancillary provision’” of the Clean Air Act and had adopted a regulatory program Congress “conspicuously and repeatedly declined to enact itself.” The Court struck down the rule, deeming it “[im]plausible” that Congress vested the EPA with the requisite authority “to adopt on its own such a regulatory scheme.”

The SEC’s proposed rules on climate and cybersecurity disclosures

The SEC’s recent rulemaking affects new subjects previously not covered by the agency: climate and cybersecurity.

With respect to climate, the SEC has proposed rules that would require registrants to include certain climate-related disclosures in their registration statements and SEC filings, including information about climate-related risks that are reasonably likely to have a material impact on their business. While some companies already might make such disclosures in discussing their risk factors, the proposed rules would expressly require such disclosures going forward.

Further, the proposed rules would require registrants to make disclosures about their greenhouse gas emissions, which, according to the SEC, have become a commonly used metric to assess a registrant’s exposure to climate risks.  The SEC asserted that “disclosure of information about climate-related risks and metrics would be in the public interest and would protect investors” and “promote efficiency, competition, and capital formation.”[5]  See our prior client alert for more information about the substance of the SEC’s proposed climate rule.

With respect to cybersecurity, the SEC has proposed amendments to its rules that are, according to the SEC, designed to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incident reporting by public companies. The proposed amendments would require, among other things, current reporting (eg, on Form 8-K) about material cybersecurity incidents and periodic reporting (eg, on Forms 10-Q and/or 10-K) to provide updates about previously reported cybersecurity incidents; periodic reporting about the company’s cybersecurity policies and procedures; and additional reporting about the board of directors’ cybersecurity expertise, if any.[6]

The SEC locates its authority for these rules within Sections 2 and 7 of the Securities Act and Sections 3, 12, 13 and 15 of the Exchange Act. Those statutory provisions each provide the SEC with authority to promulgate rules or regulations as to what is “necessary or appropriate” for the protection of investors in connection with securities registration.[7] However, the SEC Commissioners have not unanimously endorsed this position. In her dissent, titled, “We are Not the Securities and Environmental Commission – At Least Not Yet” and “Dissenting Statement on Cybersecurity, Risk Management, Strategy, Governance and Incident Disclosure Proposal,” Commissioner Hester Peirce argues that the SEC lacks the constitutional authority to propose these rules. Commissioner Pierce expressed concerns that Congress had not given the SEC clear authority to regulate outside traditional “subject-matter boundaries,” and that, because the SEC was compelling speech outside of its core mission, it would unduly infringe on the First Amendment.

In evaluating the proposed regulations, a key question is whether the rulemaking authority asserted by the SEC is sufficient to overcome a rising judicial skepticism of agency action, now armed with a new tool to unwind that action via the “major questions doctrine.”

Balancing SEC authority with Supreme Court skepticism of agency rulemaking

An issue the SEC likely will face in coming challenges is whether the statutory breadth that the agency enjoys will immunize these recent rules from the “major questions doctrine.” Courts will be tasked with determining 1) whether the “major questions doctrine” applies to the SEC’s new rules and, 2) if so, whether the rules survive scrutiny.

Until this point, the SEC’s proclamation that a promulgated rule furthers the statutory aim “to protect investors” has often proven sufficient to establish that the agency adopted the rule pursuant to an express delegation of rulemaking authority.[8] As previously noted, however, lawmakers are voicing concern that the SEC’s interpretation of “necessary or appropriate” has inappropriately expanded in recent years; the climate and cybersecurity disclosure rules are oft-cited examples of that expansion.[9] Should these concerns be judicially tested, federal courts would likely look to West Virginia as one starting point for their analysis.

Under the “major questions doctrine” framework, Congress must issue a clear delegation of authority for an agency to regulate a major policy question of economic and political importance. The SEC’s proposed climate and cybersecurity rules share some similarities with the EPA’s Clean Power Plan with respect to the potential application of the doctrine. Congress has not expressly acted in this space, and these climate and cybersecurity issues substantially impact public companies and thus the American economy.  The SEC, however, does have broad delegated authority regarding risk disclosures and is well within its historical authority to require them, which may serve as a differentiator from the EPA.

Assuming that a court applies the “major questions doctrine” to the SEC’s climate change and cybersecurity rules, the next question will be whether those rules will survive heightened scrutiny. The rationale underlying the decision in West Virginia suggests that, in contrast with the “gap filler” statute at issue there (Section 111(d) of the Clean Air Act), Section 7 of the Securities Act and Sections 12, 13 and 15 of the Exchange Act expressly grant broad rulemaking authority to the SEC. Indeed, the statutory language from which the SEC derives its authority appears, at a glance, to be both stronger and broader than the EPA’s authority under Section 111(d) to “determine” the “best system of emission reduction.” The SEC has framed its proposed climate and cybersecurity rules around the need for companies to make comprehensive disclosures, which is closely linked to the SEC’s purpose of protecting investors by requiring disclosure of “necessary and appropriate” information.

Also potentially weighing in the SEC’s favor is the historically long-accepted breadth of its rulemaking authority. If the SEC is deemed to lack authority to promulgate these new climate and cybersecurity rules because they are not sufficiently “necessary or appropriate” for investors to make informed decisions, it might be difficult to locate the other side of the line. A judicial opinion that strikes down the SEC’s authority in these particular circumstances could have wide-ranging and unintended consequences for the agency as we know it. This possibility might counsel courts against a decision that would severely restrict the SEC’s ability to regulate any issue of significant economic importance without Congressional approval.

On the other hand, detractors of the SEC’s proposed rules have argued that climate and cybersecurity are distinct from financially material information that historically has been at the core of required disclosure under the federal securities laws. Although sustainability is becoming more important to investors, as Commissioner Peirce warned, physical and transitional climate risks might not be financially material. Additionally, Congress has not specifically defined climate or cybersecurity as categories of required disclosure through any statute, as it did for executive compensation in the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010.[10]

For more information about the subject of this alert, please contact any of the authors.  Please also visit our Sustainability and Environment, Social and Governance portal for our latest information on sustainability and ESG developments.



[1] See SEC Proposed Rules, https://www.sec.gov/rules/proposed.shtml, (last visited October 14, 2022) (listing proposed rules by year); see also Kevin Zambrowicz, Joe Corcoran, and Sean Campbell, The SEC’s Current Far-Ranging & Aggressive Rulemaking Agenda Will Raise Regulatory Uncertainty and Risks Unintended, Negative Consequences, SIFMA (Apr. 25, 2022), https://www.sifma.org/resources/news/the-secs-current-far-ranging-aggressive-rulemaking-agenda-will-raise-regulatory-uncertainty-and-risks-unintended-negative-consequences/.

[2] See , 142 S. Ct. 2587 (2022).

[3] Letter from Patrick McHenry, James Comer, and Kay Granger to the Honorable Gary Gensler (Sept. 20, 2022), available at https://www.law360.com/articles/1533484/attachments/0 (“We write to bring your attention to West Virginia v EPA, a recent Supreme Court decision that clarified the limitations of certain agency action.”); see also Jon Hill, Republicans Say CFPB, SEC Must Reckon With EPA Ruling, Law360 (Sept. 23, 2022), https://www.law360.com/articles/1533484/republicans-say-cfpb-sec-must-reckon-with-epa-ruling.

[4] See West Virginia v EPA, 142 S. Ct. at 2599 (citing 42 U. S. C. §7411(a)(1), (b)(1), (d)); see also Clean Air Act, codified at 42 U.S.C. 7401 et seq.

[5] SEC, Proposed Rule: The Enhancement and Standardization of Climate-Related Disclosures for Investors, 87 Fed. Reg. 21334 (Apr. 11, 2022) (citing Section 2(b) of the Securities Act (15 U.S.C. 77b(b)) and Section 3(f) of the Exchange Act (15 U.S.C. 78c(f))) (the “ESG Disclosure Rule”).

[6] SEC, Proposed Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 87 Fed. Reg. 16590 (Mar. 23, 2022).

[7] See id. at 16604 n.107; see also ESG Disclosure Rule, 87 Fed. Reg. at 21335 n.3.

[8] See U.S. Sec. & Exch. Comm'n v Alpine Sec. Corp., 982 F.3d 68, 77 (2d Cir. 2020) (concluding the SEC’s determination that Rule 17a-8 – which requires broker-dealers to comply with the Bank Secrecy Act’s reporting requirements – would “serve to further the aims of the Exchange Act by protecting investors and helping to guard against manipulation” and was sufficient to conclude the “SEC acted pursuant to an express delegation of rulemaking authority” in promulgating Rule 17a-8), cert. denied sub nom. Alpine Sec. Corp. v Sec. & Exch. Comm'n, 142 S. Ct. 461 (2021). The petition for certiorari in Alpine challenged the SEC’s authority to touch on the Treasury’s typical regulatory domain, but did not challenge the SEC’s authority to promulgate the rule as “necessary or appropriate” to further the goals of the Exchange Act. See Petition for Writ of Certiorari, Alpine, No. 21-82 (U.S. Jul. 19, 2021), ECF No. 1.

[9] See Hill, supra note 3; see also Hester M. Peirce, We are Not the Securities and Environment Commission  At Least Not Yet, SEC Statement (Mar. 21, 2022)

Print