On November 26, 2021, the Commerce Department published a Proposed Rule that would amend its Interim Final Rule on Securing the Information and Communications Technology and Services Supply Chain (“ICTS Regulations”) to specifically address connected software applications. The Proposed Rule would make changes to the ICTS Regulations prompted by Executive Order 14034 (“EO 14034”).  We previously blogged about the ICTS Regulations here, here, and here.  The Commerce Department is seeking public comments on the Proposed Rule by December 27, 2021.

Read more at Baker McKenzie’s Sanctions & Export Controls Update Blog.

The post United States: Commerce Department Issues Proposed Rule to Amend ICTS Supply Chain Regulations to Address Connected Software Applications appeared first on Global Compliance News.


The compromise version of the Uyghur Forced Labor Prevention Act (HR 6256) (“Act”) was recently passed by both chambers of Congress, and the legislation is now cleared for President Biden’s signature.  It is expected that President Biden will sign the legislation into law soon.  With strong bipartisan support, earlier versions of this legislation had passed the US House and Senate in the preceding months, and lawmakers reached an agreement that merged versions from each chamber.  Compared to earlier versions of this legislation, the Act no longer includes broad notification requirements for US Securities and Exchange Commission filings, but it retains the earlier legislation’s establishment of a rebuttable presumption that all goods (i) “mined, produced, or manufactured wholly or in part” in the Xinjiang Uyghur Autonomous Region of China (“Xinjiang”), or (ii) produced by an entity on one of the lists required under the legislation, are made with forced labor, and would be prohibited from entering into the United States under Section 307 of the Tariff Act of 1930, enforced by US Customs and Border Protection (“CBP”).  The Act further requires a strategy to strengthen the existing prohibitions on the importation of goods mined, produced, or manufactured with forced labor, potential additional sanctions, and a diplomatic strategy to address alleged forced labor in Xinjiang.

Below we expand upon the main provisions of the Act and summarize the key takeaways for companies:

CBP’s import ban and “rebuttable presumption”

The Act would require CBP to presume that any goods made in Xinjiang, or by certain other entities, are made with forced labor and are not entitled to entry into the United States unless the importer can, among other things, demonstrate “by clear and convincing evidence” that the goods are not made with forced labor.  Demonstrating admissibility to CBP (i.e., demonstrating, by clear and convincing evidence, that a given good is not made with forced labor) requires overcoming an extremely high burden of proof that can essentially amount to proving a negative.  In light of these practical challenges, and taking into consideration Xinjiang’s role in the broader Chinese economy, industry has expressed concerns about a broad import ban on all goods made in Xinjiang or with Xinjiang labor.

The Act’s general “rebuttable presumption” against Xinjiang goods is a significant development from the withhold release orders (“WROs”) previously issued by CBP related to Xinjiang, which focused on specific products and entities. (WROs are CBP’s main enforcement tool under Section 307 of the Tariff Act of 1930.)  This “rebuttable presumption” is similar to the provision under the Countering America’s Adversaries with Sanctions Act (PL 115-44) with respect to North Korean labor.  The presumptive import ban will likely go into effect in mid-June 2022 if the legislation is signed into law this week, as expected.

“Strategy” to provide guidance to CBP and importers

Following a public comment period, and within 180 days after enactment, the Act would require the Forced Labor Enforcement Task Force (chaired by the US Department of Homeland Security) to develop a strategy to support CBP’s enforcement of Section 307 of the Tariff Act of 1930.  This strategy is to include, for example, designating (i) specific entities in Xinjiang, or those that work with the government of Xinjiang, that allegedly engage in, or source from entities allegedly engaged in, forced labor practices, (ii) specific goods allegedly made with forced labor, and (iii) entities that export goods allegedly made with forced labor to the United States.  The strategy would also include further guidance to importers on CBP’s expectations regarding the level of due diligence, effective supply chain tracing, and supply chain management measures, and on the specific type, nature, and extent of evidence that would overcome the “rebuttable presumption.”

These measures are consistent with growing concerns among both industry and lawmakers about the challenges of a broad import ban on all goods made in Xinjiang or with Xinjiang labor.  The public comment period provides a unique opportunity for industry to help shape the effective implementation of, and CBP’s compliance expectations under, the Act.

Additional sanctions authorized

The Act expands the list of reasons for which sanctions may be imposed under the Uyghur Human Rights Policy Act of 2020 (PL 116-145) to include serious human rights abuses in connection with forced labor.  The Uyghur Human Rights Policy Act of 2020 authorizes the President to impose sanctions on persons, including Chinese government officials, deemed to be responsible for certain human rights violations and abuses committed against Muslim minority groups in China or elsewhere.  The law requires the administration to sanction those individuals by blocking their assets and declaring them ineligible for visas or admission into the United States.  The President may waive sanctions if determined to be in the national interest.

This means that within 180 days of enactment, the President is required to identify each foreign person, including any official of the government of China, responsible for serious human rights abuses in connection with forced labor in Xinjiang, and to impose the sanctions required by law on those persons, unless such sanctions are waived.  This could result in additional sanctions imposed by the Office of Foreign Assets Control (“OFAC”) in the US Treasury Department, such as the addition of new parties to OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”).

Diplomatic strategy

The Act requires the US State Department, within 90 days of enactment, to submit to Congress a report on US strategy to promote initiatives to enhance international awareness of, and to address alleged forced labor in, Xinjiang.  The report must also include a list of entities in China that the US Government has determined to use or benefit from forced labor in Xinjiang, and a list of foreign persons that act as agents for these entities to import goods into the United States.  The listing by the US State Department could potentially result in additional restrictions targeting such parties.  Finally, the report must include a plan to work with the private sector to conduct supply chain due diligence and a plan of action taken by the federal government to address alleged forced labor in Xinjiang under existing authorities.

Takeaways for companies

  • The most immediate compliance risk for companies as a result of the Act is the “rebuttable presumption” that goods made in Xinjiang, or by certain entities with ties to Xinjiang, are deemed to have been made with forced labor, and thus are inadmissible in the United States.  We expect this to result in more audits, detentions, seizures, and other enforcement activities by CBP. 
  • US importers and other interested parties should consider actively engaging the US government during the public comment period to help shape the effective implementation of this Act, including the scope of the import ban, CBP’s forced labor enforcement processes, and the standard under which entities allegedly engaged in forced labor practices would be designated.
  • Companies importing into the United States from China (and not just from Xinjiang) should assess their supply chains to identify potential vulnerabilities (e.g., second- or third-tier suppliers that could be sourcing raw materials from Xinjiang or that could have ties to the government of Xinjiang) and proactively establish plans to address such vulnerabilities.  This could include, for example, refining supply chain mapping exercises, communicating policy changes to suppliers, and updating policies or other agreements.  Due to the cross-cutting nature of these risks, these efforts should ideally involve an intra-company working group of the various stakeholders with responsibility for the supply chain, e.g., procurement, supply chain/logistics, social and labor compliance, sustainability, legal, and trade compliance.
  • Companies should assess whether their trade compliance programs include appropriate risk-based measures that address the risks associated with SDNs and other sanctioned parties.  Considering that the Act could result in additional sanctioned parties, now is a good time for companies to assess their restricted party screening procedures, supplier/customer onboarding processes, periodic supplier/customer due diligence refresher processes, and other relevant procedures.
  • Companies considering compliance assessments and other actions in response to the Act should also consider whether those actions could potentially create risks under Chinese law, such as under the Chinese Anti-Foreign Sanctions Law.

The post US President Set to Sign Uyghur Forced Labor Prevention Act into Law appeared first on Global Compliance News.


On 6 December 2021, the International Trade Committee (a House of Commons Select Committee) launched a new inquiry into the interplay between the UK’s approach to trade and its foreign policy objectives.

The inquiry will consider the extent to which the UK Government should advance its foreign policy strategy through trade agreements. It will also examine whether free trade agreements and broader trade policy can be used to promote human rights, the rules-based international order and democratic values as well as the role of a trade agreement in advancing British interests globally.

This new inquiry follows the publication of the Government’s Integrated Review of Security, Defence, Development and Foreign Policy in March 2021. It will sit alongside the Committee’s existing work on relevant topics including UK trade negotiations and the UK-EU trading relationship.

As part of the new inquiry, the Committee has issued a public call for views from stakeholders on a wide range of issues including:

  • The ways in which UK trade policy can be used to strengthen multilateral organisations and promote predictability in international relations.
  • The extent to which the Government’s trade agreements can be used to bolster democracy, human rights and the development of free, fair, and transparent trade.
  • The use of monitoring or enforcement mechanisms to assess a trading partner’s adherence to specific provisions in trade agreements.
  • The relationship between the Department for International Trade and the Foreign, Commonwealth & Development Office in coordinating trade and foreign policy.
  • The importance of balancing the Government’s foreign policy goals against benefits or concessions for UK businesses and consumers.

The Committee is seeking written evidence from the public by 11 February 2022 and a full list of questions can be found here. Should you be interested in submitting written evidence for the inquiry, please feel free to contact us.

The post United States: Parliamentary Inquiry into Trade and Foreign Policy appeared first on Global Compliance News.




Log4j, the most visible cybersecurity threat since SolarWinds, has organizations scrambling to find and fix instances of certain software. My next guest says that the two incidents are totally different technically, but they produce the same lessons learned. Gordon Bitko, former FBI chief information officer, now the senior vice president of policy at the Information Technology Industry Council, joined the Federal Drive with Tom Temin with details.

Interview transcript:

Tom Temin: Gordon, good to have you back.

Gordon Bitko: Hi, Tom, great to be with you, as always.

Tom Temin: Log4j, I think, is less understood technically, even though everyone is bandying about the term. But it’s fairly simple. Maybe let’s start with an explanation of precisely what it is.

Gordon Bitko: Sure, I think that’s a good place to start, so people understand, Tom, why it’s important and why it’s so ubiquitous. Log4j is a component of Apache software. Apache is an open source project. That means that there’s lots of people who’ve contributed to it over the years. And it’s very widespread — a lot of different programs, a lot of different systems have used it, it’s foundational for web servers, and all sorts of other applications out there. Within it, as with many programs, you have the desire in many systems to log the activities that are going on so that developers can track what’s happening if there’s a problem, so that users, if something goes wrong, can send error reports back, all sorts of reasons why you want to collect log data. And security is another important reason why you want to collect log data as well. So Log4j is one of those components that exist within Apache. If you build an open source system using Apache, you get Log4j as just a part of the process.

Tom Temin: So then Log4j normally contains code that is not executable, but in this vulnerability that’s going around, the bad guys have discovered a way to put executables into your logs, and therefore they can launch some attack from a place you never expected.

Gordon Bitko: That’s exactly right, Tom. What they are able to do, a log file shouldn’t just be, by and large, a static record. Here’s what happens when somebody after the fact can go back and analyze what went wrong, or what data was collected, and use it for legitimate purposes. But in the case of this particular set of bugs that exist within Log4j, people have figured out that it allows code to be executed, just like you said. And that really opens the door to virtually anything. People have discovered all sorts of log files using Log4j, and you can send the right strings of data and it will allow you to execute code.

Tom Temin: And has the rise of first, I guess, generation of post-server software called virtualization. Now we have containerization, so that instances of logs and all sorts of software get replicated all over the place. Has that multiplied the problem relative to when organizations had a single version of, say, a web server running on a single physical server?

Gordon Bitko: There’s no doubt, Tom, that there’s been a proliferation. It’s super easy, as you noted, to create in the cloud, in a virtual environment, to create a system and to have a version of Apache running, and within that to have Log4j. And honestly, in many cases, people won’t even know that that’s what’s running their system. They’ll have done something at a level or two abstracted up above from Apache, and it’s just that Apache happens to be the underlying product that the containerization is built on.

Tom Temin: All right, well then, really, we could sit here and talk about codes to write, to execute, to root it out and so forth. There’s probably a lot of technical roots. But at the heart, I think, of your thesis is that in many ways, it’s a management issue. And we have a law that is currently under consideration for revision — the Federal Information Security Management Act, FISMA, under which this whole thing has been operated by the government. And so maybe bridge the challenge of Log4j to the need for FISMA reform. Am I making a bridge too far here?

Gordon Bitko: No, I don’t think so, Tom. There is a logical connection in my mind. What we learned both from SolarWinds, and now again from Log4j, is that the government’s focus has been in FISMA, in the information security programs, the upfront processes. Those are important. There’s no doubt it’s necessary for agencies to understand what are all their assets, who are all their users, to make sure that there’s an annual report. Those things are necessary for an effective compliance program within the world of security, but they’re not sufficient for a truly risk-based program. When you have a truly risk-based program, you need to understand what are the consequences if something happens, and you need to have accountability at a high level in the organization. And I think that that’s a lot of what’s missing in the current version of FISMA. And what we, in yesterday’s hearing and in the proposed bill language, are looking at is reforms to try to get to those outcomes — to be looking at real risk and real accountability within agencies.

Tom Temin: We’re speaking with Gordon Bitko, senior vice president of policy at the Information Technology Industry Council. When looking at something like Log4j, you have to have top management interest in what’s going on, and you have to have the so-called C-suite, including the Chief Information Security Officer. But how does that translate into making sure that there is somebody that goes and roots out Log4j instances, which can be a pretty time consuming task to find out everywhere it’s running and make sure that every instance is patched?

Gordon Bitko: I think that’s exactly why you do need, Tom, the senior leadership in an organization all the way down to take responsibility. It’s not enough on the day of the incident to just have an awareness and to know that there’s somebody working on it. But the agency leadership — the CIO, the CSO, and down into the working security organizations — all need to be in sync to understand there is a vulnerability. Oh, hey, we’ve identified a mission critical system that’s exposed to this vulnerability; we might need to make a decision to take that offline to fix it. There’s super sensitive data in there, and if it’s compromised, the cost to the agency for that is unacceptable. Citizens, PII might be exposed, all sorts of things like that could happen. And that needs to be a decision that gets made at the senior-most levels of the organization, and it needs to get made quickly. Agency leaders can’t take their time. They have to be prepared to know what the risks are, and to quickly make those decisions.

Tom Temin: And one of the questions that came to my mind in listening to the hearing and looking at some of the reforms they’re talking about — it does give CISA, the Cybersecurity and Infrastructure Security Agency at DHS, a bigger role, and that’s kind of an evolution of what’s been happening for probably 20 years, since there has been a DHS. But does it, in some way, absolve agencies from visibility directly to Congress and what they’re doing, if there’s an overlay of central command by the government, through CISA, over agency cybersecurity activities?

Gordon Bitko: I sure hope not, Tom. What I hope we get to as a model is the right balance between — and this is something I talked about a little bit in the hearing in a slightly different context — but the right balance between a really prescriptive view that says that, in this case, only CISA should be responsible, and an understanding that what we really need is a federated approach. CISA should be a resource that should be providing guidance. They should be verifying that agencies are doing the right things. There are numerous agencies out there that have quite sophisticated, complex capabilities when it comes to their own information security. And really, CISA’s role there shouldn’t be anything other than ensuring that what they do integrates into the overall federal landscape. There are other agencies that are a lot less mature when it comes to cybersecurity and may need the help. And CISA really should, in that case, have the role of working much more closely with them to ensure that they up their game. The whole of the federal government is only as strong as the weakest links, right?

Tom Temin: Sure. And the policy of continuous diagnostics and mitigation and also of continuous monitoring for patches, specifically, and for un-updated software — that goes back, again, about 20 years now. But really, it’s probably fair to say not every agency is really up to speed on that basic hygiene approach, are they?

Gordon Bitko: There’s no doubt every agency has a long list of open POAMs — plans of action and milestones — goals to fix those vulnerabilities that you just mentioned. And they prioritize them based on which ones are critical, and high and medium and so on. And the critical ones get fixed pretty quickly in most agencies now. As you go down the list of impacts, they probably don’t get fixed as quickly. And of course, the reality is what was maybe a lower priority vulnerability, it turns out it could become more significant over time. And agencies, many agencies, have a lot of technical debt when it comes to mitigating those vulnerabilities.

Tom Temin: And that gets us back to the Log4j question, because most agencies are going to look at their application software, whether they own it and run it on their own servers, or whether it’s offered as a service or whether it’s their own but hosted in a cloud. Historically, the vulnerabilities have come from application software. And probably before Log4j, nobody thought to check log files as something you would have to continuously monitor or look for patches for. So in some sense, the whole idea of monitoring has widened a great deal, thanks to some basic utility being found to be a vulnerability launch point.

Gordon Bitko: I think what we’re realizing out of both SolarWinds and Log4j, to go back to the original premise here that there is a management connection between them, is that the risk, because these things are ubiquitous, is very high. And agencies need to be aware and to understand that they might have components that might be in something like a log file that, like you said, Tom, you don’t think of in and of itself as high risk because you’re focused, rightly so, on where are your critical data, what are your critical information assets. But if what’s underlying those is something like Log4j for logging purposes or SolarWinds Orion for network management configuration purposes, the risk is obviously unacceptably high, and agencies need to start having an understanding of those types of risks as well. Not just what’s your sensitive data, but what are all the things that are in the ecosystem around that most sensitive data.

Tom Temin: And is your sense from the hearing that Congress really means to get around to FISMA reform?

Gordon Bitko: My sense is that there is, Tom, momentum that Congress understands that cybersecurity is a priority, and that there is a need to do work. There is a need to clarify roles and responsibilities of all the different stakeholders. You mentioned CISA. They know the National Cyber Director, that needs some clarity. They would like to formalize the role of the federal CISO in the Office of Management and Budget, and what the responsibilities are there. So I think that there is a desire to do that. And the way that the proposed legislation was discussed yesterday, it was as a bipartisan effort.

Tom Temin: Well, that’s always a good sign that could give something a chance of getting through. And just a final question, again, getting back to Log4j, is there any evidence that there have been actually attacks launched against the government through that mechanism?

Gordon Bitko: I have no doubt that there are people looking to find ways to exploit it. My understanding so far is that there’s no evidence of anybody successfully doing that. And that’s not that surprising. The federal government is, although there are many shortcomings when it comes to cybersecurity and many things they need to do better, in terms of direct connections to the internet, there’s pretty decent defense in depth. You have the trusted Internet connection that people have to connect through, and ways that the government will be able to mitigate the risk. That doesn’t mean that they don’t still need to patch all these systems and applications that are out there. They absolutely do. But I do also think that this is a case, Tom, where there’s a difference from SolarWinds. Log4j wasn’t a coordinated — as far as we know — attack by an adversary. It was a vulnerability that was identified, and so the people who are exploiting it now seem more like cybercriminals who were using it as a way to implant ransomware, things of that nature.

Tom Temin: All right, so you can never rest on your laurels.

Gordon Bitko: That is 100% the case. It is important for everybody doing cybersecurity and their management to understand it’s a race on a treadmill. You can never stop.

Tom Temin: Gordon Bitko is senior vice president of policy at the Information Technology Industry Council. As always, thanks so much.

Gordon Bitko: Thank you, Tom. Always a pleasure to be with you.


By Michael Parisi, Vice President of Adoption, HITRUST

“Creating a HITRUST Compliance Culture” was a robust breakout session at the HITRUST Collaborate 2021 conference. Hosted by myself (Mike Parisi of HITRUST), the panel discussion featured experts from three independent external HITRUST assessors—Ryan Patrick of Intraprise Health, Greg Vetter of RSM US, and Michael Kanarellis of Wolf & Company. Based on the panel discussion, our last blog, “Adopting the HITRUST CSF Framework” (posted on January 6, 2022), covered the benefits of implementing and using the HITRUST CSF framework. In Part 2 below, the discussion focuses on proven buy-in methodologies that raise awareness and instill a strong compliance culture across an entire enterprise.

Getting Your Organization to Think About IT Security

Organizations don’t want their IT team to be the only ones thinking about information security; they want their entire ecosystem to consider data protection safeguards as they decide on the right digital systems and processes to deploy and use. Risk considerations don’t only include IT, but also involve Finance, Human Resources, Procurement, Operations, and other business functions, as well as the ever-important third-party vendor supply chain, which extends the risk management culture outside of the organization.

“A framework like HITRUST enables you to protect your vendor streams of activity,” says Vetter. “If you partner with a thousand vendors, each one may have several fourth-party and fifth-party vendors that share your data, and you need assurances of security across that entire ecosystem. Working with one framework like HITRUST is much easier than sending out and processing a thousand questionnaires. It’s also much easier for vendors to get HITRUST certified.”

“HITRUST also creates a common vocabulary,” Patrick adds. “You can compare one organization to another and map a vendor’s assessment to yours. This helps you understand where they’re at in security and privacy. Everyone speaks the same language and can understand the importance of understanding the security of third, fourth, and fifth parties, and beyond.”

How to Start

Key aspects of the HITRUST journey to consider from the start are getting executive buy-in and making sure someone with organizational clout will champion the effort. It’s also essential to work with an external assessor who can guide you through the best practices to follow and the pitfalls to avoid. Completing the HITRUST journey is well worth the effort in protecting your digital assets and those of your customers and business partners that overlap with your operations. It is also an extended journey that is likely to present roadblocks along the way, each of which could make your program more robust and your culture of security more authentic.

“Don’t do your assessment and then hire a validator,” warns Patrick. “External assessors do this every day and have extensive experience. You may not understand the requirements or how to establish the scope, which is the most important part of the journey.”

Vetter recommends laying out the project roadmap and pulling in all the stakeholders, including executives, business unit leaders, and IT management. “Get them on the same page,” Vetter recommends. “Communicate why the organization is using the HITRUST CSF, what the impact will be, what each stakeholder needs to do, and the cost. By laying out the framework for everyone to see, you will eliminate confusion that could delay the project down the road.”

How to Get Organizational Buy-in

Without buy-in across the organization, the effort to build a culture of security that matures your security posture will likely derail. “Invite the C-suite as well as the business continuity and incident response teams and other areas of the company that will be impacted,” says Vetter. “Before you do a readiness review with an external assessor, discuss all the areas of the business that will come into the scope. They need to know it’s a long journey.”

As far as the person who owns the project, Patrick says, “You need a passionate champion who can influence the organization. They need to be respected, able to make decisions, and have the power to allocate resources. It’s a significant emotional event that will stress the organization, so you need someone who can prioritize the work that people need to do to push the project forward.”

End-to-End HITRUST Solution Set

Using HITRUST helps establish a culture of compliance with a proven, consistent, end-to-end approach based on an integrated suite of solutions. You not only implement the HITRUST CSF framework, but you can also subscribe to the MyCSF SaaS best-in-class information risk management platform to interface with the CSF for performing information risk and compliance reporting, as well as facilitating formal assessments through the HITRUST Assurance Program. The HITRUST Assess Once, Report Many™ approach allows using a single assessment to support multiple reporting options based on a standard security assessment, such as for HIPAA, AICPA Trust Services Criteria, and NIST Cybersecurity Framework compliance.

To mitigate whatever risks are most important to your organization, the free, downloadable HITRUST Threat Catalogue helps identify and tailor specific controls in the HITRUST CSF. For strengthening your third-party risk management activities, the HITRUST Assurance XChange is designed to streamline and simplify managing and maintaining risk assessments and compliance information from third parties.

By using the fully integrated and cohesive HITRUST Approach to information risk management throughout your organization, your internal and external stakeholders will come to recognize, understand, and appreciate the benefits and consistency that HITRUST offers.

Continuing the Journey

The journey to a mature security posture does not end following the completion of the initial HITRUST assessment. The process to nurture, grow, and enhance information security programs requires ongoing attention. That’s why HITRUST updates the CSF often to keep the framework up-to-date and relevant to meet an ever-evolving threat landscape and a changing set of Authoritative Source requirements. Other frameworks remain far more static over time, which often requires manual updates by users.

The HITRUST Collaborate panel closed the session by discussing what happens after an assessment is complete. Ideally, the person or team who owned the original project will continue ongoing monitoring and measuring the operating effectiveness of the security controls and the scope. This includes monthly or at least quarterly check-ins to confirm tasks such as access control reviews and firewall rules checks.

“Keeping the same person or team in charge will also smooth the way for the interim HITRUST assessment and the next validated audit,” says Kanarellis. “You don’t want to start all over again with a fire drill and have things fall through the cracks. That’s where a strong culture comes in—it helps you continue to keep the train on the track as you contend with new controls and as new technologies come into scope.”

For more on the importance of the HITRUST CSF in establishing a strong information security program, please review:

Adopting the HITRUST CSF Framework

About the Author

Michael Parisi, Vice President of Adoption, HITRUST

Michael Parisi has led over 500 controls-related engagements and has extensive experience with third-party assurance reporting including HITRUST readiness, HITRUST certification, SOC 1, SOC 2, SOC 3, Agreed Upon Procedure, and customized AT-101 engagements. Michael is deeply involved with helping customers leverage the advantages of the HITRUST Assessment XChange for third parties. He has extensive knowledge of financial reporting and regulatory standards through his external audit and consulting experience, including Sarbanes-Oxley, HIPAA, NIST, CMS, and state-specific standards. He is an active member of ISACA and IAPP.

The post Creating a HITRUST Compliance Culture for IT Security – Part 2: Earning Organizational Buy-in appeared first on HITRUST Alliance.


In an era where supply chain disruptions and risks are regular front-page news, the Biden Administration has been undertaking a range of initiatives intended to create resilient supply chains that reflect the administration’s policies around national security, foreign policy, human rights and the US economy.

Considering the nonstop legal and compliance developments in this space, with more on the horizon, in-house counsel and compliance professionals for companies with supply chains that touch the United States want to know what to focus on, and what they should be doing. Baker McKenzie’s global supply chain team has been advising clients across every industry and geography on these very questions and is pleased to share our real-world and practical legal and business insights with you in this five-part series.

Episode 1: Biden Supply Chain Policy: What’s Going on and What’s on the Horizon?

In the first of our short videos, Kerry Contini (Partner, Washington, DC), Reagan Demas (Partner, Washington, DC), Christina Conlin (Partner, Chicago) and Maria Piontkovska (Associate, Los Angeles) focus on some of the key trends and priorities for companies across sectors and industries.

The post Biden Supply Chain Policy Video Series appeared first on Global Compliance News.


Lawmakers see an opening this year to reform the Federal Information Security Modernization Act, with major updates including the assignment of clear roles and responsibilities for federal cybersecurity leadership.

The House Oversight and Reform Committee released a “discussion draft” of its FISMA reform bill today. Chairwoman Carolyn Maloney (D-N.Y.) said it holds a lot of similarities with a bill that passed the Senate Homeland Security and Governmental Affairs Committee last fall.

“We have a real opportunity to pass FISMA reform this year, and to protect the intellectual property, sensitive data and networks that are essential to our country’s economy and national security,” Maloney said during a hearing held today to discuss the bill.

The draft would assign the Office of Management and Budget with “federal cybersecurity policy development and oversight responsibilities,” CISA with “operational coordination responsibilities” and the National Cyber Director with “overall cybersecurity strategy responsibilities,” according to a summary of the bill.

FISMA was last updated in 2014. Meanwhile, CISA was elevated to a standalone agency in 2018, while the National Cyber Director’s office was just established last year.

The draft bill would also codify the federal chief information security officer’s role into law. The CISO reports to the OMB’s chief information officer and assists in implementing security policies. The position was also recently dual-hatted as deputy national cyber director.

Grant Schneider, former federal chief information security officer, endorsed the move to codify his old role into law. He also said CISA and the National Cyber Director will play key roles in tandem with OMB and the National Institute of Standards and Technology.

“I view the National Cyber Director as having that overarching voice being a bit of the conductor,” Schneider said. “I view CISA as really being the operational partner with agencies. So CISA should be there to help agencies who are tasked to implement their risk management programs.”

The draft bill seeks to reduce FISMA reporting requirements on agencies, notably by shifting independent assessments for each civilian executive branch agency to once every two years. FISMA assessments are currently conducted annually by agency inspectors general or external auditors.

The bill would have CISA perform risk assessments of agencies “on an ongoing and continuous basis,” using information such as vulnerability remediation efforts, incident analysis, vulnerability disclosure programs, threat hunting results, cyber threat intelligence, and other standards. Agencies would be required to inventory their internet-accessible information systems and assets.

“FISMA reform must provide agencies with the authority to effectively address threats with speed and precision while also freeing time to continuously monitor new and emerging threats as they arise,” Ranking Member James Comer (R-Ky.) said during the hearing.

The shift from compliance to a more continuous, risk-based approach is something cyber leaders have been attempting for at least a decade, including in OMB and CISA’s most recent FISMA guidance.

Jennifer Franks, director of information technology and cybersecurity at the Government Accountability Office, said a key problem is agencies lacking visibility into their own IT environments.

“The fundamental problem across federal agencies is identifying what’s in your inventory of systems,” Franks said. “With zero trust architecture, knowing what you have before you can even protect it is key. With agencies unable to really give a firm inventory of their major information systems and then the data that resides on those systems . . . how will we be reassured that the adequate protections are in place to prevent certain situations from happening?”

Lawmakers said the bill will help drive agencies toward better visibility and the adoption of zero trust architectures. Gordon Bitko, senior vice president of policy for the Information Technology Industry Council, urged lawmakers not to be overly prescriptive as they seek to drive improved cybersecurity outcomes.

“You can have the right balance of centralized control and prescription with flexibility that you need for each agency to deal with its own risks, to understand that its landscape is different, that the threats it faces might be varied,” Bitko testified.

Comer noted the committee’s draft adheres to a request from OMB to avoid “overly burdensome reporting requirements.”

The legislation would also require agencies to maintain an inventory of Software Bills of Material as part of their supply chain risk management programs overseen by the Federal Acquisition Security Council. The Biden administration is already moving toward SBOM requirements as part of last year’s cybersecurity executive order.

Officials have also pointed to the widespread Log4j vulnerability as a reason to implement SBOMs, so organizations can more quickly identify vulnerable software in their networks.

Ross Nodurft, executive director of the Alliance for Digital Innovation, argued SBOMs should be used in a “targeted manner” with a risk-based approach.

“You may not need an SBOM for every piece of software everywhere across all the environments if they’re not really risky assets,” Nodurft said. “We don’t want to overburden the industry providers that are building this backbone for the departments and agencies.”

The bill would also have CISA establish two shared services pilot programs. One would provide a “security operations center as a service” for agencies, while the other would provide shared endpoint detection and response tools.

CISA already has several shared offerings through its Cybersecurity Quality Services Management Office.


In brief

Please join us for a weekly series, hosted by Baker McKenzie’s North America Government Enforcement partners Tom Firestone and Jerome Tomas.

This weekly briefing is available on demand and will cover hot topics and current enforcement actions related to white collar crime and criminal investigations in the US and abroad to arm you with the information you need for your business week.

As one of the largest global law firms, we will call upon our exceptionally deep and broad bench of white collar experts throughout the world and particularly in the commercial hubs of Europe, Asia, Africa and Latin America to join our weekly discussion series.

These briefings cover:

  • High-profile DOJ case updates and implications
  • SEC enforcement developments 
  • CFTC enforcement developments
  • Other white collar defense industry developments

13 December 2021

This week’s discussion will cover the following

  • 6 January Investigation Update
  • White House Anti-Corruption Strategy
  • New OFAC Anti-Corruption Sanctions
  • DOJ Notice of Proposed Rulemaking on FARA 
  • ESG Update: Office of Comptroller of the Currency’s National Risk Committee Identifies Climate Change Initiative in Semiannual Risk Perspective report

Video link

Podcast link

30 November 2021

This week’s discussion will cover the following:

  • New OECD guidance on anti-corruption
  • SEC Enforcement Focus Relating to Undisclosed Executive Compensation and Perquisites Continues: ProPetro Holding Corp. matter.

Video link

Podcast link

22 November 2021

This week’s discussion will cover the following: 

  • Update on Elizabeth Holmes trial
  • Update on Belarus Sanctions
  • FinCEN Notice on Environmental Crimes  
  • Insights on SEC Enforcement – SEC Enforcement’s FY21 report and the NYU Pollack Center for Law & Business and Cornerstone Research report on SEC Corporate Enforcement

Video link

Podcast link

15 November 2021 

This week’s discussion will cover the following: 

  • New Cambodia Sanctions
  • Steve Bannon Indictment

Video link

Podcast link

8 November 2021 

This week’s discussion will cover the following: 

  • Deputy Attorney General Lisa Monaco on corporate enforcement priorities under the Biden Administration
  • The Consumer Financial Protection Bureau (CFPB) is targeting big tech 
    • What do they want and why do they want it?
    • How should tech firms prepare, whether they receive a request from CFPB or not?

Video link

Podcast link

1 November 2021

This week’s discussion will cover the following: 

  • Managing Allegations of Workplace Wrongdoing: Independent Investigator’s Report on Chicago Blackhawks Allegations of Sexual Misconduct

Video link

Podcast link

25 October 2021 

This week’s discussion will cover the following: 

  • Tether Holdings CFTC Crypto Settlement: Reminder that the CFTC is asserting a prominent role in the regulation and enforcement of cryptocurrencies. 
  • SEC Report on January 2021 Market Frenzy: “Staff Report on Equity and Options Market Structure Conditions in Early 2021”
  • Will DOJ Prosecute Steve Bannon for Contempt?

Video link

Podcast link

18 October 2021

This week’s discussion will cover the following: 

  • 6 January Commission and possible prosecution of Steve Bannon for contempt.
  • SEC Enforcement Director Grewal’s speech on appropriate approaches to compliance, proactive enforcement, electronic message retention/production, cooperation, and civil penalties.

Video link

Podcast link

27 September 2021

This week’s discussion will cover the following: 

  • CFTC v. HDR GLOBAL TRADING LIMITED, ET AL
  • Motion to Dismiss Unregistered Crypto Exchange Claims
  • Control Person Liability Runs Into “Minimum Contacts”   
  • House Committee on January 6 Attack Subpoenas Trump Advisors

Video link

Podcast link

20 September 2021

This week’s discussion will cover the following: 

  • Details Behind The SEC Whistleblower Award That Pushed the Program Over USD 1 Billion in Whistleblower Payouts
  • SEC v. DAYAKAR R. MALLU – Tipper-Tippee Insider Trading Case – SEC Investigation Tactics and Trends
  • Indictment of lawyer by Trump-appointed Special Counsel for lying to the FBI in Russia investigation.

Video link

Podcast link

14 September 2021

This week’s discussion will cover the Elizabeth Holmes Theranos trial. 

Video link

Podcast link

30 August 2021

This week’s discussion will cover the following: 

  • Organized crime charges in new elder abuse case
  • Novel SEC Insider Trading Action — Shadow Trading — SEC v. Matthew Panuwat
  • Quick blurb on 18 year old and under crackdown on video game playing in China
  • SEC v. MANISH LACHWANI – The SEC’s Enforcement Focus on Unicorns

Video link

Podcast link

23 August 2021 

This week’s discussion will cover the following: 

  • Special Inspector General for Afghanistan Reconstruction (SIGAR) Report on Lessons of Corruption in Afghanistan
  • Novel SEC Insider Trading Action — Shadow Trading — SEC v. Matthew Panuwat

Video link 

Podcast link

9 August 2021

This week’s discussion will cover the following: 

  • SEC brings charges against unregistered crypto exchange: In the Matter of Poloniex, LLC
  • The need to keep your auditor at arm’s length — SEC brings auditor independence case for audit bid-related misconduct against accounting firm, its partners and the Chief Accounting Officer of a public company: In the Matter of Ernst & Young LLP, et al. and In the Matter of William G. Stiehl
  • Accusations against Governor Cuomo: Key Legal Issues
  • New Belarus Sanctions

Video link

Podcast link

3 August 2021

This week’s discussion will cover the following: 

  • New DOJ opinion on Trump tax returns
  • New DOJ policy on subpoenas to news organizations
  • New DOJ memorandum on White House communications
  • SEC Chair Gensler’s Public Statement on Disclosures Required by Chinese Companies Listed In US

Video link 

Podcast link

26 July 2021

This week’s discussion will cover the following:

  • The Importance of Having Up-To-Date Automated Accounting Procedures, Effective Manual Accounting Procedures, and Trained Accounting Staff:  The SEC’s Latest Accounting Case Against Tandy Leather Factory Inc. and its former chief executive officer Shannon Greene.
  • Indictment of Trump Advisor Thomas Barrack
  • Biden Executive Order on Promoting Competition

Video link  

Podcast link

13 July 2021

This week’s discussion will cover the following:

  • Manhattan DA’s Indictment of the Trump Organization and Allen Weisselberg
  • New SEC Enforcement Director – New Jersey Attorney General Gurbir Grewal
  • SEC and federal criminal charges filed arising out of alleged fraudulent scheme to sell “insider trading tips” on the Dark Web- SEC v. Apostolos Trovias

Video link

Podcast link

29 June 2021

This week’s discussion will cover the following: 

  • SEC Cybersecurity Enforcement Sweep:  The SEC Clarifies, Sort Of
  • Latest, and Interesting, Comments By SEC Commissioner on ESG
  • Combating Global Corruption Act of 2021
  • Global Magnitsky Reauthorization Act
  • New Belarus Sanctions 

Video Link

Podcast Link

22 June 2021

This week’s discussion will cover the following: 

  • New Charges in 1MDB Case
  • FARA Reform Proposals
  • Possible New Russia Sanctions  
  • Cyber SEC Enforcement: Latest SEC Disclosure Controls and Procedures Enforcement Case
  • A New SEC Cyber Enforcement Sweep

Video Link

Podcast Link

9 June 2021

This week’s discussion will cover the following: 

  • Potential SEC ESG Disclosure Rulemaking and Materiality:  Commissioners Allison Herren Lee and Elad Roisman Continue to Volley
  • White House strategy statement on corruption and national security
  • Belarus sanctions
  • Bulgaria sanctions
  • Executive Order on Western Balkans

Video Link 

Podcast Link

25 May 2021

This week’s discussion will cover the following: 

  • Insight on Gary Gensler’s SEC Enforcement Agenda: SEC Chair’s Remarks at 2021 FINRA Annual Conference
  • Discussion of Treasury’s Plan to Increase IRS Enforcement and Narrow the Tax Gap
  • Update on Nord Stream 2 Sanctions 

Video link 

18 May 2021

This week’s discussion will cover the following:

  • Russian Response to US Sanctions and Designation of US as an “Unfriendly” Country  
  • Trial of Mayor of Fall River, Massachusetts for Extorting Marijuana Businesses  
  • The Challenges of Fitting Modern Practices into Old Laws: SEC Commissioner Hester Peirce’s Statement Regarding an Index Fund SEC Settlement  
  • SEC’s Continued Slow Embrace of Crypto Assets: Division of Investment Management’s Statement on ETF Holdings of Crypto Assets and Potential Enforcement Implications

Video Link

10 May 2021

This week’s discussion will cover the following:

  • Crypto developments:  SEC Chair Gensler’s Testimony, Dogecoin and Saturday Night Live
  • The “Swiss George Floyd Case” (for more information about this case, please see this documentary featuring Simon Ntah here)

Video Link

3 May 2021

This week’s discussion will cover the following:

  • First Voluntary Self-Disclosure of Sanctions and Export Violations Leads to Settlement between Software Company and DOJ
  • The Sudden Resignation of SEC Enforcement Director Alex Oh:  What is Next For SEC Enforcement?

Video Link

26 April 2021

This week’s discussion will cover the following:

  • New SEC Enforcement Director Alex Oh: What It May Mean For SEC Enforcement
  • DOJ Pattern and Practice Investigation of Minneapolis Police Department

Video Link

19 April 2021

This week’s discussion will cover the following:

  • First guilty plea in Capitol attack cases: What it means for future prosecutions
  • New Russia sanctions: What they do and don’t do, and what could be next
  • Comments by Acting Director of the SEC’s Division of Corporation Finance, “SPACs, IPOs and Liability Risk under the Securities Laws”: What it means for SEC enforcement

Video Link

12 April 2021

This week’s discussion will cover the following:

  • Criminal Antitrust Prosecutions of No Poaching and Wage Fixing Agreements: Perspective of a Leading Antitrust Lawyer.
  • Enforcement perspectives arising out of the SEC’s April 9, 2021 “Risk Alert” relating to ESG products and services offered by investment advisers, registered investment companies and private funds.
  • DOJ Priorities under the Biden Administration: What the Budget Tells Us.

Video Link

30 March 2021

This week’s discussion will cover the following:

  • SEC Enforcement Sweep Looks Into SPAC IPOs
  • New Legal Issues in the Capitol Riot Cases

Video Link

15 March 2021

This week’s discussion will cover the following:

  • DOJ/SEC FCPA priorities
  • Oath Keepers conspiracy case
  • New Russian law to protect officials against corruption charges
  • Does SEC Commissioner Crenshaw’s speech about increased corporate penalties foreshadow a possible retraction of the SEC’s 2006 Statement Concerning Financial Penalties and what we can expect from corporate securities enforcement over the next 4 years?

Video Link

8 March 2021

This week’s discussion will cover the following:

  • This week, Jerome is joined by his partners Amy Greer and Jen Klass and they will dig deep into the enforcement issues presented by the SEC’s “Enforcement Task Force Focused on Climate and ESG Issues” 

Video Link

1 March 2021

This week’s discussion will cover the following:

  • The SEC’s Plan to Dig Into Public Company Climate Change Disclosures: A White Collar Enforcement Perspective
  • Key Takeaways from Merrick Garland Confirmation Hearing
  • Update on Capitol Riot Cases
  • Secretary Blinken Statement on Anticorruption Champions 

Video Link

22 February 2021

This week’s discussion will cover the following:

  • Potential prosecution of former President Trump for incitement of the Capitol attack
  • The SEC’s latest message following the “The Market Events”: trading suspension in In the Matter of SpectraScience, Inc. 
  • New Transparency International Corruption Report
  • The SEC’s ICO enforcement initiative lives on: SEC v. Coinseed, Inc., et al. (S.D.N.Y. 17 February 2021)

Video Link

15 February 2021

This week’s discussion will cover the following:

  • Update on Capitol riot cases
  • The legal definition  of “incitement of insurrection” 
  • Discussion of the reported DOJ and SEC investigations into the retail traders in last month’s market events
  • A reminder on the scope of the US insider trading laws, courtesy of SEC v. Mark Ahn (D. Mass) (also a parallel criminal case was filed)

Video Link

8 February 2021

This week’s discussion will cover the following:

  • An update on the Capitol Riots
  • Consideration of new sanctions on Russia
  • An update on stock market events, including the FINRA notice on broker-dealer “game-style” trading apps 

Video Link

1 February 2021

This week’s discussion will cover the following:

  • Analysis of the Reddit/WallStreetBets-driven stock surges, with a special appearance by Jerome’s 15-year-old son, Sam, who has been following the events on Reddit and Discord
  • Discussion of the Hoskins appeal and the future of the FCPA’s “Agency” theory
  • Update on the Capitol raid prosecutions

Video Link

18 January 2021

This week’s discussion will cover the following:

  • New SEC Enforcement Statute of Limitations and Disgorgement Provisions Contained in the NDAA
  • New AML Whistleblower Bounty Provision in the NDAA
  • Criminal charges against Capitol rioters
  • Julian Assange extradition case

Video Link

4 January 2021

This week’s discussion will cover the following:

  • What criminal statutes might apply to the attack on the Capitol?
    • 18 USC 2383 – Rebellion or Insurrection
    • 18 USC 2384 – Seditious Conspiracy
    • 18 USC 1752 – Restricted Building or Grounds
  • What, if any, criminal statutes might apply to President Trump’s call last week with Georgia Secretary of State?
  • The 25th Amendment — A brief history of the amendment, what the amendment provides for and how it might apply in light of these events.

Video Link

14 December 2020

Video Link

07 December 2020

Video Link

23 November 2020

Video Link

16 November 2020

Video Link

9 November 2020

Video Link

26 October 2020

Video Link

19 October 2020

Video Link

5 October 2020

Video Link

29 September 2020

Video Link

8 September 2020

Video Link

24 August 2020

Video Link

17 August 2020

Video Link

10 August 2020

Video Link

3 August 2020

Video Link

27 July 2020

Video Link

20 July 2020

Video Link

13 July 2020

Video Link

6 July 2020

Video Link

29 June 2020

Video Link

22 June 2020

Video Link

17 June 2020

Video Link

9 June 2020

Video Link

26 May 2020 

Video Link

The post United States: This Week in Government Enforcement (Video Chat) appeared first on Global Compliance News.


In brief

On December 6, 2021, the White House issued the first ever consolidated United States Strategy on Countering Corruption (the “Strategy”).  The Strategy follows President Biden’s June 3, 2021 memo that established the tackling of corruption as a central US national security interest (the “Memo”).  That Memo tasked fifteen US Federal Government departments and agencies to conduct an interagency review to examine corruption as a national security threat and jointly develop a strategy that would significantly enhance the United States’ ability to combat corruption.  The Strategy is the result of those agencies’ review.


Click here to download the full alert. 

The post United States: Five Key Takeaways from the United States Strategy on Countering Corruption appeared first on Global Compliance News.


A recent Washington Post article about child labor in the Brazilian acai industry underscores the need for companies to develop compliance programs intended to identify and mitigate the risk of possible child labor in their supply chains.

Not only is acai used in trendy health foods as noted in the article, but acai is also used as a base for other products.  The article focuses on acai berries sourced from two regions in Brazil that are allegedly harvested from child labor and then exported from Brazil to various countries, including the United States.  In the article, acai harvesting is described as “one of the most dangerous jobs in Brazil” in which young children may climb trees that are up to 65 feet tall.  The article contains an image that appears to show a child maneuvering from one tree to another without coming down to the ground.   

The Washington Post article states that child labor in the acai industry is being investigated by both the US and Brazilian authorities.  Below we unpack what that could mean for companies with Brazilian acai in their supply chains, and what it means for companies seeking to mitigate the risk of child labor in their supply chains more broadly.

What are the key US legal risks?

It is possible that the US Bureau of International Labor Affairs in the Department of Labor (“DOL”) could be considering whether to add acai from Brazil to the 2022 editions of one or more of the three reports it publishes on child labor and forced labor practices in foreign countries.  As we have previously reported on this blog, these reports make up the US Government’s key public statements on the issue of forced labor and child labor around the world.  The DOL is currently accepting comments on these reports through January 15, 2022.  The DOL reports do not automatically result in restrictions or prohibitions on imports into the United States, but they could influence further US Government actions and raise the risk profile for companies whose supply chains may include products identified in the reports.

Another possible US Government action could be the issuance of a Withhold Release Order (“WRO”) by US Customs and Border Protection (“CBP”) targeting imports containing acai from certain companies or regions in Brazil.  CBP can issue a WRO if it has a “reasonable suspicion” that merchandise that is (or is likely to be) imported into the United States is produced by forced labor or indentured labor, including forced or indentured child labor.

In recent years, the US Government has also increasingly used its trade blacklists (the Entity List and Specially Designated Nationals (“SDN”) List) to target companies determined by the US Government to have been involved in human rights abuses.  Such an action can result in export bans and/or, in the most extreme circumstances, being cut off from the US market altogether.  These actions are not mutually exclusive.  For example, the Chinese state-owned Xinjiang Production and Construction Corps (“XPCC”) has been the target of a WRO and has also been added to both the Entity List and SDN List.

Another possible risk is that companies involved in these supply chains could be sued by plaintiffs under the Trafficking Victims Protection Reauthorization Act (“TVPA”).  Plaintiffs have struggled thus far to persuade courts to award damages under the TVPA.  See our blog post on a recent court decision in favor of several US tech companies sued by a class of child laborers who mine cobalt in the Democratic Republic of Congo.  That said, the right set of facts could lead to a different result, and either way, litigation can require a significant amount of attention and resources.

What are the key Brazilian legal risks?

The Brazilian labor authorities are increasingly investigating product supply chains in which forced labor and child labor are reported.  As mentioned in the Washington Post article, this includes the acai industry.  

The Amazon region, which is the biggest acai producer in the world, has been a particular focus for the Brazilian labor authorities.  We are aware that since 2018, the Brazilian labor authorities have been investigating big companies with Amazonian acai in their supply chains, which is not an easy task due to local peculiarities. Acai is commonly found growing wild in the forest, so there is no need to plant it, making it difficult for companies to identify specific properties to assess for indications of child labor.  Companies with acai in their supply chains are often several steps removed from the source.  Many families who harvest the fruit from the wild sell the product through individuals who act as intermediaries and sell the acai to a company or to work cooperatives.  Also, many individuals in the regions where acai is harvested do not even have a birth certificate, so it can be difficult to identify the age of the individuals involved in the harvest.    

Since 2018, a task force has been conducted by the Ministry of Labor, the Labor District Attorney, and Federal Police to track the acai production chain and eradicate child labor.  The task force is seeking to map the supply chains for companies with the Amazonian acai as a raw or final product.  It also aims to increase the safety procedures and to prevent child and forced labor in harvesting the fruit.

When the involvement of children in work is identified in a company’s supply chain, the consequences can include executing consent agreements with the Labor District Attorney, in which the company undertakes to promote inspection and educational initiatives for producers to prohibit child labor; public civil claims involving significant penalty amounts as indemnification for pain and suffering; and infraction notices from the Ministry of Labor for involvement with child labor.

If the Brazilian authorities determine that a company’s supply chain includes child or forced labor, the company can be included on a “Dirty List” published by the Brazilian government.  This can increase the risks for companies doing business in Brazil in several ways, such as:

  • Reputational Risk:  As the “Dirty List” is public, once a company’s inclusion is disclosed, and depending on the level of investigation that is carried out on the matter, the relationship between the company and its investors, financiers, clients and other companies in general may be compromised;
  • Notifications to Public Agencies and Financial Implications:  The company may face difficulties in raising money from the National Development Bank and/or other private or public banks, or in contracting with the government or with companies owned or controlled by the government.  Inclusion in the “Dirty List” also increases the possibility that public bodies will request further information on the matter and investigate the company.  In our experience, many banks have internal lending rules that prevent a loan from being granted when the company is included in the Dirty List.  Furthermore, the government bars companies listed on the Dirty List from obtaining contracts with the Governmental Financing Funds and from obtaining rural credits;
  • Exposure to Criminal Proceedings:  Article 149 of the Criminal Code makes it a crime to subject a person to slavery-like conditions of work, punishable by imprisonment from two to eight years plus monetary fines and penalties.  The penalties may be increased if the crime is committed against a child or adolescent, or is motivated by prejudice based on race, color, ethnicity, religion or origin.

What should companies do to mitigate these risks?

Companies with Brazilian acai in their supply chains should take a close look at these risks and consider whether there are opportunities to enhance their supply chain compliance programs to help mitigate these risks.  This is also a reminder for companies in other industries to consider the risk of possible child labor in their supply chains and to assess whether their compliance programs are sufficiently tailored for these risks, taking into account all relevant jurisdictions.  Additional compliance steps could include, among other things, third-party audits, contract clauses, and training, as appropriate. 

The post US and Brazilian Perspectives on Possible Child Labor in Supply Chains: the Brazilian Acai Industry appeared first on Global Compliance News.
