Utility Companies Brace for GHG Emissions Disclosure Regulations

May 27, 2023 by Shannon Cuthrell

Fortress Information Security is working with top utilities to prepare for the Security and Exchange Commission’s looming disclosure requirements related to environmental, social, and governance data, as well as supply chain risks.

Utility companies are bracing for new regulations from the U.S. Securities and Exchange Commission (SEC) that would require data disclosures around environmental, social, and governance (ESG) standards. The SEC is expected to announce the final rule changes this year, mandating publicly traded companies to share information about their greenhouse gas (GHG) emissions and climate-related supply chain risks likely to impact their business activities, operations, financial condition, and other metrics. 


Renewable energy

Renewable energy. Image used courtesy of Pexels


Florida-based cybersecurity software provider Fortress Information Security is working with top U.S. utilities to mitigate new regulatory and supply chain risks around ESG reporting requirements, incorporating a standardized ESG questionnaire for the utility industry into its existing risk management platform. 

Many companies already voluntarily disclose their emissions data to investors, following the broader movement of climate investing worldwide. However, there are several frameworks for how to measure and categorize emissions, and there’s no standard model that bridges industries. Since the SEC’s forthcoming regulations will change this landscape, Fortress is tapping into a new point of demand for its supply chain software. 


Fortress Expanding Into ESG Supply Chain Risk Assessment

With the SEC’s new ESG rules looming, Fortress Information Security recently hosted a two-day benchmarking session in Ohio to discuss third-party risk assessment approaches with partners in the electric, gas/oil, and water sectors. Betsy Soehren-Jones, the company’s chief operating officer, stated that the same strategies used to tackle cybersecurity threats now apply to managing emerging non-cyber supply chain risks across vendors. 

This marks an expansion of Fortress’s cybersecurity expertise to the ESG space. It already offers a “software bill of materials” repository for utility vendors called the North America Energy Software Assurance Database (NAESAD). The platform helps companies find vulnerabilities in software components and third-party integrations in the products they use for critical energy applications. And in 2022, the company launched an Asset to Vendor library, a repository of cyber risk information on over 40,000 vendors. Fortress worked with nine of the ten largest investor-owned power firms—including American Electric Power and Southern Company—to secure products across nearly half of the American power grid. 

This month, Fortress has launched a new offering in NAESAD to help utilities navigate ESG-related regulatory and supply chain risks. Working with its utility partners, the company developed a standardized ESG questionnaire, collecting and storing responses and advising on risk resolution. 


More Context on the SEC Proposal

The SEC’s proposed rule changes, first announced in March 2022, would require public companies to release information about their governance of climate risks, relevant risk management processes, and how many of those vulnerabilities have a material impact on their financial statements, business model, and strategy. They would also need to report whether the estimates/assumptions in their financial statements were impacted by risks and uncertainties tied to severe weather and other climate-related events and their efforts to transition to clean energy

Many companies already keep a public scorecard on some of this data. According to the International Federation of Accountants, 95% of firms worldwide report some level of ESG data as of 2021 (the most recent reporting year), and around 64% provide some assurance to their sustainability information. ESG uptake is even higher in the U.S., with 99% disclosing some ESG information, primarily via periodic sustainability reports. 


State of corporate sustainability disclosures in the U.S.

State of corporate sustainability disclosures in the U.S. Image used courtesy of the International Federation of Accountants


An analysis from S&P Global found that the utility and material sectors have the highest levels of emissions disclosures, reaching around 70% and 55% in 2020, respectively. For those already conducting analyses or that have developed transition plans with climate targets, the SEC’s proposed amendments would add extra detail to their disclosures to help investors understand how these factors affect climate-related risk management. 

According to the SEC’s 490-page proposal, public companies must disclose their direct GHG emissions (also known as “Scope 1” emissions), indirect emissions from purchased electricity (Scope 2), and emissions from upstream/downstream activities (Scope 3), such as fuel extraction and transport. On the latter point, the SEC specifies that the regulations would contain a safe harbor for liability from Scope 3 disclosure, and smaller companies would likely be exempt. 

Under the current status quo, several of the top utilities by market cap in the U.S. already disclose partial Scope 3 emissions in their ESG documents. For example, NextEra Energy’s 2022 report covers Scope 3 emissions that include fuel- and energy-related activities outside of Scopes 1 and 2, alongside business travel and use of sold products. Southern Company’s 2022 ESG data covers 10 out of 15 Scope 3 categories, with the remainder deemed irrelevant to its business. Also, Duke Energy recently expanded its 2050 net-zero target to include certain Scope 3 GHG emissions in its data. 

The new requirements are expected to resemble existing disclosure frameworks, including the Greenhouse Gas Protocol and the Task Force on Climate-Related Financial Disclosures (TCFD). TCFD is one of the more common frameworks, with one-third of companies saying their climate disclosures incorporate TCFD recommendations, according to S&P Global. However, the SEC would attempt to standardize these approaches. 


Assessment of Material Risks & Impacts

The SEC initially expected to set its final ruling last fall but, as Reuters reported, legal considerations likely delayed the timeline. Namely, last year’s Supreme Court case, West Virginia v. Environmental Protection Agency (EPA), determined the EPA lacks the Congressional authority to regulate carbon dioxide emissions from power plants. 

Soon after its release, the SEC’s proposal drew criticism over the definition of “material” risks and impacts. This concept isn’t new in the ESG space, as a 2021 survey from S&P Global found that nearly a quarter of companies worldwide see climate change as a material issue for their business. The new rules require companies to make determinations regarding information that shareholders consider essential to their investment or voting decisions. 

The impacts would likely be shared across industries, with companies reporting increased short-term expenses to install new technologies necessary for transitioning to renewables. The SEC gave an example of an electric utility disclosing a rise in electricity generated from low-carbon sources, such as solar panels, wind turbines, nuclear, or hydroelectric power, and how that impacts its ability to meet regulatory constraints. 


SEC analysis of 10-K filings from 2019 to 2020

SEC analysis of 10-K filings from 2019 to 2020 identifies four clusters of topical trends and their relative intensity (aggregate number of relevant sentences divided by the total number of companies in the industry). Image used courtesy of the SEC


The proposal also mentioned that electric services top the list of industries with the most substantial climate-related discussion in their annual 10-K filings, followed by oil/gas, steel manufacturing, passenger and freight air travel, and maritime transportation.