Bridging the Gap Between Climate Reporting and Attestation

California’s new climate disclosure rules—the Climate Corporate Data Accountability Act (SB 253) and the Climate-Related Financial Risk Act (SB 261)—are shaping planning discussions for many insurance organizations. Together, they introduce statutory climate reporting and emissions disclosures. SB 253, in particular, will require independent assurance over Scope 1 and Scope 2 emissions, with Scope 3 reporting and assurance to follow on a later timeline. Both laws set more formal expectations around climate-related financial risk.

If you lead finance, risk, internal audit, or another governance function, you may be fielding questions from your board, regulators, or rating agencies while your team is still working through scope, timelines, and early data needs. Many insurers have already taken those first steps, but the next phase requires deeper coordination and more structured documentation.

That is where most leaders pause. One question tends to rise above the rest: How do we move from early planning and reporting efforts to a position where an independent firm can provide attestation on our disclosures?

Johnson Lambert approaches this as both an insurance specialist and an assurance provider, which gives us a practical view of what insurers need at this stage. We see where organizations are making progress, where they get stuck, and what tends to distinguish teams that move into attestation more smoothly. This piece focuses on that middle ground, offering perspective on the decisions and coordination that help insurance leaders bridge the gap between today’s climate disclosure work and future assurance over SB 253 emissions reporting.

Where Climate Reporting Efforts Tend to Stall

Most insurers are not starting from scratch. Governance structures, risk frameworks, and internal audit programs already touch climate-related topics in some way. The challenge is that SB 253 and SB 261 cut across those structures and require a more coordinated response. Three slow-down points appear most often.

Challenge #1: Ownership is spread out, and no one has the full picture

Early work often lands across multiple teams:

• Finance and controllership focus on public reporting.
• Risk and ERM assess scenarios and long-term exposures.
• Internal audit considers control implications.
• Facilities and real estate hold emissions information.
• IT and vendor management manage system access and data flows.

Each group sees part of the big picture, but no single function has a mandate to pull it together in a way that supports assurance. Leaders often receive updates that sound active but do not answer the core question: “Are we on track for eventual attestation?”

Challenge #2: Vendors and software are moving ahead, but roles are unclear

Many insurers are investing in software platforms or sustainability consultants for emissions calculation or climate-risk reporting. These partners often bring valuable tools and methods.

Where efforts stall is role definition. Leaders are not always clear on:

• What partners will own versus what internal teams must still do
• When to involve an assurance provider 
• How independence rules apply as planning progresses 

Without that clarity, organizations sometimes invest in tooling or models that later require rework to hold up in an assurance process.

Challenge #3: Board and regulator expectations move faster than internal comfort

Boards and audit committees are asking reasonable questions:

• What do SB 253 and SB 261 mean for our group?
• How exposed are we relative to peers?
• Will we be ready when assurance is required?

Meanwhile, internal work is still forming. Data is incomplete. Controls are evolving. Capacity is limited. It can be difficult to offer a steady update when the organization is still learning where the information lives and how it will be tested.

This tension is not a sign that insurers are behind. It reflects why many organizations need a deliberate bridge between understanding the rules and being ready for assurance.

3 Key Decisions That Shape Your Path to Attestation

Every insurer will approach climate reporting differently, but three decisions consistently influence how smoothly organizations move from planning to attestation.

Decision 1: How to structure ownership

Climate reporting touches many teams. Attestation still requires clear lines of responsibility. Leaders can start with three questions:

• Who is accountable for SB 253 and SB 261 at the group level? This is often a joint effort among finance, risk, and a sustainability or ESG sponsor, with internal audit partnering on readiness.
• Who owns the narrative and who owns the evidence?
  • SB 261 needs someone responsible for telling the story: how climate-related financial risks are identified, assessed, and managed.
  • SB 253 requires someone responsible for the evidence: where Scope 1 and Scope 2 data come from, how calculations are made, and what controls support them.
• How will internal audit be involved without taking over management’s role? Internal audit adds value through testing and advisory input, but management still owns controls.

Writing these decisions down early—often in a short governance memo—helps align teams before the volume of work increases.

Decision 2: How to combine internal teams, vendors, and an assurance provider

Most insurers will use a combination of:

• Internal teams who understand the business and systems
• Software or sustainability consultants who support data and methodologies
• An assurance provider who offers independent evaluation

The key is sequencing and role definition.

Questions leaders can ask now:

• Have we clarified what our vendors will and will not do?
• Do we understand how independence rules apply once assurance planning begins?
• Are we involving an assurance provider early enough to confirm expectations before finalizing methodologies and controls?

The goal is to avoid rework and ensure that investments in systems and consulting lead to a smoother assurance process.

Decision 3: How to talk about cost, capacity, and risk with the board

Boards will want to understand how investments in climate reporting connect to risk exposure and timing. Leaders can frame decisions through three lenses:

• Foundational work that always adds value: Mapping data sources, setting ownership, and strengthening governance help the organization regardless of enforcement timing.
• Areas that can wait for regulatory clarity: Some scenario assumptions or expanded disclosures may be better addressed once litigation and rulemaking settle.
• Range of investment paths: Boards often prefer a spectrum rather than a single plan, such as:
  • A focused approach that targets high-priority entities and data sources
  • A broader approach that accelerates readiness across the group

Positioning choices this way helps boards see that management is preparing thoughtfully without overcommitting.

What Distinguishes Organizations That Reach Attestation More Smoothly

In our work with insurers, we see a few practices reliably help teams move from preparation to attestation more confidently: 

• Documenting accountability for SB 253 and SB 261
• Mapping key data sources early and identifying gaps before testing
• Involving internal audit and risk as readiness partners
• Bringing an assurance provider in early enough to confirm expectations
• Using vendors and software for data and methodology while preserving independence for assurance

No organization gets everything right on day one. The difference is structure—teams that define roles early tend to maintain momentum even as details evolve.

Choosing an Assurance Partner: Independence and Insurance Experience

Insurers in scope for SB 253 will eventually need a firm that can provide independent attestation over Scope 1 and Scope 2 disclosures, and later over Scope 3 (value chain) emissions as those requirements phase in. The choice is partly about technical capability, but it’s also about how well the assurance provider understands insurance operations and can work alongside your other partners.

A key consideration is independence. Under AICPA attestation standards, the firm issuing the opinion cannot design or operate the underlying emissions calculations. In practice, this means:

• Software vendors or sustainability consultants that build models or design methodologies generally cannot provide independent assurance on the same results.
• Understanding independence boundaries early prevents conflicts that lead to rework and clarifies what each partner can and cannot do.

Just as important is insurance specialization. Climate-related assurance connects to familiar areas of the business:

• Data flows that run through underwriting, claims, facilities, finance, and IT
• Governance shaped by MAR, SOX, NAIC expectations, and rating agency criteria
• Existing internal audit and risk assessment processes

An assurance team already working within this environment can quickly understand how insurers structure their processes, controls, and governance—and focus on the evidence that matters most for attestation.

For insurers, that means less disruption, clearer expectations, and a more practical path to attestation.

How Johnson Lambert Supports Insurers

We have focused on insurance for more than 35 years and understand how insurers operate—the systems they rely on, the controls they maintain, and the governance frameworks that shape audit, MAR, and SOX work. Our climate-related assurance work centers on:

• Independent attestation for SB 253: We issue independent opinions under AICPA attestation standards for Scope 1 and Scope 2 disclosures and help insurers plan for future Scope 3 reporting and assurance as those requirements phase in ahead of California’s move toward reasonable assurance.
• Readiness support that preserves independence: We review documentation, advise on control design and evidence ownership, and help teams organize files in line with CARB’s evolving expectations. We do not calculate emissions or build GHG inventories, which protects independence and keeps roles clear.

We coordinate with your software and sustainability partners so everyone understands their roles: vendors support the data and models, and we provide the independent attestation.

Turning Decisions into a Practical Path Forward

Bridging the gap from planning to attestation takes clear ownership, aligned partners, and steady coordination. Once you confirm accountability, understand where the key data lives, and clarify how internal teams, vendors, and an assurance provider will work together, it becomes much easier to build a practical plan and prepare for future assurance.

If it would help to talk through how these decisions apply to your structure and reporting timeline, Johnson Lambert is here to support you. We work alongside insurers to organize SB 253 and SB 261 preparation and provide the independent attestation required under SB 253.

Have questions or need a place to start? We’re available to talk through timing, scope, and what a practical path to attestation could look like for your team.