Virtual office parties won’t be the only corporate trend to look out for during this holiday season. Our analysis of SEC filings from the past five years shows a burgeoning pattern of companies explicitly categorizing their compliance with data privacy regulations and voluntary standards as an environmental, social, and governance (ESG) matter.
To conduct our analysis, we searched through publicly filed Form 8-Ks, by which companies disclose current material events (e.g., entering a major agreement that carries privacy risks), and Form 10-Ks, which contain comprehensive annual reports. We marked as relevant each filing whose wording expressly identified “privacy,” “cybersecurity,” or some similar term as an ESG program element and/or an ESG-related risk. The chart below summarizes our findings.
These results yield two important takeaways that likely reflect broader changes.
First, our dataset indicates that Q1 2021 had the largest quarterly number of relevant 10-K filings (13, up from just one in the year prior), while the number of relevant 8-Ks filed year-round has roughly doubled over the last two years. Taken together, these totals suggest that a record number of companies will be classifying their data-privacy actions as ESG matters by early 2022. (This also aligns with recent analysis forecasting more overall references to ESG in 2022 M&A deals.)
Second, this rapidly emerging trend underscores the role that data privacy plays in boosting corporate reputation, which is a primary driver of ESG disclosures generally. Indeed, in most of the 8-Ks that we examined, relevant results showed up not in risk-oriented disclosures on the main form, but in exhibits of a more promotional nature, like press releases, presentations, and, of course, ESG reports.
The future of this trend will also likely be shaped by the SEC, as the regulator is ramping up ESG-related guidance and has hinted at issuing new rules governing ESG disclosures next year.
With assistance from Omar Deghidy, Associate Legal Content Specialist.
Bloomberg Law subscribers can learn more about tech-related ESG matters on our new Technology Industry ESG Toolkit and find practical guidance on drafting incident reporting clauses, audit rights provisions, and other data-related contract language in the Data Management module of our Practical Guidance: Information Technology Agreements page.
If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content, or click here to view the web version of this article.