Data has gone global. Whether you’re operating in one country or worldwide you need to know the local and international rules, regulations and risks that will affect your business.

We are bringing together members of our global Data Protection and Security Team from London, EU, and the US to update you on the key legal and regulatory developments affecting the world of data privacy. With sessions focusing on employee data, adtech, regulatory enforcement trends and practical compliance issues we will be sharing perspectives from around the world to help you manage your data globally.

Data protection is not just for privacy specialists – so please do share this invitation with any colleagues interested in joining our event!

Agenda
12.15 pm Registration for pre-session
12.30 pm Pre-session – Data Protection 101: a refresher on the basics
1.00 pm Registration for main session and lunch
1.30 pm Pre-session ends, lunch for those in that session
2.00 pm Welcome and Global data protection update
2.45 pm Breakout session

Choose one breakout from the following

  • Adtech
  • Data protection and employment: developments in criminal records data, biometric data processing, DSARs and human rights
  • Regulation reactions: EU enforcement trends
  • Data protection and broader compliance issues: investigations, sanctions screening
3.45 pm Refreshment break
4.00 pm Recent cases in the UK and elsewhere
4.45 pm Panel discussion: International perspectives from France, Germany, Italy and the UK
5.15 pm Closing remarks
5.30 pm Networking drinks and canapes

About this event

Baker McKenzie
100 New Bridge Street
London
EC4V 6JA

The post Annual Data Protection and Security Seminar 2019 on 13 November 2019, London appeared first on Global Compliance News.

This article published in the Government Contracting Law Report discusses the U.S. Department of Justice’s Guidelines for Taking Disclosure, Cooperation, and Remediation into Account in False Claims Act Matters, which identify various factors that the Department will consider in issuing credit to companies that voluntarily disclose misconduct that could serve as the basis for False Claims Act violations, or companies that otherwise cooperate in ensuing investigations.

The post US: DOJ Guidelines Incentivize Companies to Self-Disclose and Cooperate in False Claims Act Cases appeared first on Global Compliance News.

On October 2, 2019, the World Trade Organization (WTO) issued an arbitration decision in European Communities and Certain Member States – Measures Affecting Trade in Large Civil Aircraft, WT/DS316/ARB. The decision authorizes the United States to impose $7.5 billion in tariffs on EU imports for EU subsidies to Airbus, making the ruling the largest in the WTO’s history and providing a partial conclusion to one of the longest running WTO disputes. The US Trade Representative (USTR) announced in a press release, which is available here, that the Trump Administration plans to impose tariffs beginning October 18. USTR stated that the bulk of these tariffs will be applied to imports from France, Germany, Spain, and the United Kingdom, and that the tariff increases will be limited to 10 percent on large civil aircraft and 25 percent on agricultural and other products. The European Union is awaiting a damage award in a WTO counter-complaint against the United States and Boeing where it has sought authorization to levy duties on $12 billion worth of US products.

Background of the Dispute

The Boeing/Airbus litigation dates back to 2004 when the United States initiated WTO proceedings arguing that EU subsidies to Airbus violated the WTO Agreement on Subsidies and Countervailing Measures and the 1994 General Agreement on Tariffs and Trade. Nine months later, the European Union initiated proceedings alleging that the United States was providing WTO-inconsistent subsidies to Boeing. In the years since, the WTO has ruled that the United States and European Union both provided infringing subsidies. The United States and European Union have each made changes to comply with these rulings, but the WTO has found continued infringements. A decision on the EU case regarding US subsidies is expected in the coming months.

Potential US Measures

The United States will receive authority to impose the retaliatory tariffs as early as this month, once the WTO’s Dispute Settlement Body formally accepts the arbitration award. In its press release, USTR announced that the United States has requested the WTO to schedule a meeting on October 14 to approve a US request for authorization to take the countermeasures against the European Union. Under Section 301 of the Trade Act of 1974, the USTR has the discretion to impose tariffs on EU products for violations of the WTO trade rules, or USTR could use the arbitration decision as a starting point for further negotiations with the European Union. USTR has published two lists of EU products that could be the target of the duties that cover more than $20 billion worth of EU exports, which are available here and here. The key EU exports that USTR will likely target include wine, cheeses, motorcycles, aircraft parts, and certain helicopters. Additional listed products include seafood products, produce, certain clothing and textile products, glassware, and certain metal products and metal alloys. USTR is not required to impose tariffs on the full amount authorized by the WTO, or to apply all the tariff increases at one time.

The UK Department for International Trade issued a press statement following the ruling stating that the United Kingdom and other EU Member States subject to the case had already complied with the WTO ruling and so did not see a basis for the United States to retaliate at this point. The United Kingdom also pointed out that in a corresponding procedure brought by the European Union against the United States, it was clear that the United States had taken no steps to comply, and so retaliation against the United States would be justified.

Implications for the WTO System and US-EU

This decision and the imminent decision in the EU case will bring to a head a long running dispute that has roiled transatlantic relations for decades. The United States and the European Union could eliminate the other’s threat of retaliation if it were to modify its legislation to comply with the WTO rulings. Short of that, the United States and the European Union will be able to impose retaliatory tariffs on imports from the other, or to negotiate a resolution between the parties.

President Trump, who calls himself “Tariff Man” and argues that foreigners pay tariffs imposed by the United States, may view this decision in the US case as providing leverage with the European Union. However, an authorization to retaliate in the EU case will likely tee up a stand-off. It may not matter much in practice if the United States’ retaliation authorization is substantially larger than the European Union’s, given the large amount of trade covered by the authorizations. Increased import tariffs would harm exporting businesses and their customers in both America and Europe, and escalating tensions could unsettle markets in a time of growing economic uncertainty. As a result, there may be increased interest in finding a negotiated path forward.

One clear winner is the WTO’s appellate body. The United States has criticized the appellate body and tied up nominations of new judges such that the appellate body will soon cease to have a quorum necessary to operate. In this case, the appellate body has, as designed, made the legal determinations necessary to ascertain WTO members’ rights. These determinations have cleared the way for the protagonists, the United States and European Union, to find a resolution.

The post WTO Authorizes US Tariffs in Boeing/Airbus Arbitration Decision appeared first on Global Compliance News.

The California legislative session ended with a bang on 13 September, when legislators passed several noteworthy amendments to the California Consumer Privacy Act (CCPA). The California governor has until 13 October to act on these amendments. We have outlined below the amendments that materially alter the original scope or requirements of the CCPA and that will impact CCPA compliance activities for many organizations.

Limited Personnel Exemption

Assembly Bill 25, the amendment exempting personal information collected from employees and other personnel from the scope of the CCPA, was passed in a revised form. Under this final version of the amendment, the rights of access, correction and opt-out of sale do not apply to employees, job applicants, owners, directors, staff, officers, contractors and medical staff (collectively, “personnel”). However, businesses will still be required to meet the notice requirements laid out in Section 1798.100 for personnel and personnel still benefit from the private right of action in the event of a data breach as provided in Section 1798.150. The same provisions apply to personal information collected from personnel in the context of providing benefits, as well as information related to personnel’s emergency contact information. Importantly, this limited exemption expires after one year. While California legislators have made an affirmative commitment that they will address employee data privacy during the course of the next year, if they fail to do so prior to 1 January 2021, personnel information obtained from personnel and/or in the context of benefits will then be subject to the full requirements of the CCPA.

Limited B2B Information Exemption

Assembly Bill 1355 provides business-to-business (B2B) companies a limited reprieve from complying with all the requirements of the CCPA in the context of communications and transactions with other companies, organizations, and government agencies. Personal information that is collected in the course of B2B communications or transactions from or about an employee, owner, director, officer or contractor of a business or government agency is exempt from most CCPA requirements. Notably, however, this exemption does not apply to the right to opt out of the sale of personal information, the obligation not to discriminate against a consumer for attempting to exercise other rights, or the private right of action in the event of a data breach. Like the limited personnel exemption, this exemption also expires after one year, at which point business contact information will be covered by the CCPA if the legislature does not take further action in the interim. This being said, B2B companies that do not sell (as this term is defined by the CCPA) business contact information will still have to closely re-examine their other California personal information collection, to determine if and to what extent they must comply with CCPA requirements for other types of personal information they collect, such as for marketing purposes with prospective customers.

Clarification to the Definition of “Personal Information”

The original text of the CCPA defined “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” — an extremely expansive definition. The amendments narrowed this definition by adding a reasonableness standard. That is, “personal information” must identify, relate to, describe, be reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household. This means that businesses will still have to evaluate whether a particular piece of personal information is capable of being associated with a consumer or household, but this association must be reasonable in light of the information and means reasonably available to the business. Further, the amendments clarify that “personal information” does not include de-identified or aggregate information, or “publicly available information” that is lawfully made available from federal, state, or local government records.

FCRA and Vehicle Industry Exemptions

The CCPA amendments also clarified two further exemptions, one related to the Fair Credit Reporting Act (FCRA) and one related to the vehicle industry. Specifically, activities related to consumer credit reports are exempt from the CCPA, to the extent that the information is subject to the FCRA and the activities are allowed by the FCRA. Previous versions of the CCPA limited this exemption to the “sale” of information from consumer reports, but the final version of the CCPA expands the scope of the exemption to all such activities.

Further, a consumer’s right to opt-out of the “sale” of personal information does not apply to vehicle information or ownership information exchanged between a car manufacturer and new car dealer, so long as the information is used to carry out a vehicle repair covered by warranty or recall (so long as the recipient does not sell, share or use that information for any other purpose) and the information is not further shared or sold for any other purposes.

Other Notable Amendments . . . and Those that Failed

For businesses that operate exclusively online and have a direct relationship with a consumer from whom they collect personal information, only one method of access or deletion request will be required to be provided — an email address for submitting requests. This clarification has a significant impact on those businesses that operate exclusively online, since they will no longer be required to set-up a toll-free number in order to comply with CCPA requirements.

One important amendment, Assembly Bill 846, which would have protected certain loyalty programs, was removed from consideration and tabled until next year. This amendment addressed loyalty reward, discount and similar programs, and included a prohibition on the sale of personal information collected as part of those programs, as well as a limited exception to that prohibition.

The post California Consumer Privacy Act Update: What Has Changed and What Remains the Same? appeared first on Global Compliance News.

Latest release of HITRUST MyCSF® brings innovations in custom assessments, user interface, third-party assurance, and control inheritance

FRISCO, Texas – September 26, 2019 – HITRUST, a leading data protection standards development and certification organization, today announced a significant new release of its information risk and compliance assessment SaaS platform. HITRUST is continually innovating MyCSF® to help streamline and simplify how organizations assess information risk and manage compliance. The October 2019 release features a redesigned user interface, capability to create custom assessments tailored to specific regulatory or control requirements, streamlined workflows throughout the third-party assurance process, and sharing of assessments with third parties through the HITRUST Assessment XChange™.

MyCSF was designed from the start as an information risk assessment and compliance tool and engineered to streamline assessing, reporting, and remediating information risk and compliance. In addition, the platform can be used to build a robust ISRM program, lending insight into an organization’s security posture and areas for improvement, and benchmarking against the scores of similar organizations.

New features include:

  • Custom Assessments: Tailor assessments to fit an organization’s needs, selecting some or all of the controls in any of 44 authoritative sources that are mapped and harmonized in the HITRUST CSF, including ISO 27XXX, NIST 800-53, NIST Cybersecurity Framework, NIST 800-171, PCI, HIPAA, HITECH, GDPR, FFIEC, and CCPA. Customizations could include assessing against one or multiple authoritative sources, regulatory factors, or control requirements without having to add CSF baseline controls.
  • Custom Roles: Create and define access control permissions tailored to the organization.
  • Redesigned User Interface: Modern, sleek, and streamlined interface enables intuitive and faster workflow.
  • Integration to Third-Party Assurance Process: MyCSF fully supports the HITRUST CSF Assurance Program including assessment entry, assessor assignments, and submission. It also includes role assignment and workflows for the recently added Internal Assessor role, allowing internal audit and other departments to aid in the CSF Assessment process.
  • Enhanced Shared Responsibility Support: Updated functionality within MyCSF supports the HITRUST Shared Responsibility Program for inheriting controls from cloud and other service providers, streamlining the assessment and working process.
  • Integration with HITRUST Assessment XChange Portal: Makes sharing risk assessment data with third parties simple, secure, and efficient. Satisfies and streamlines customer requests to provide CSF Assessment Reports as well as customer communications concerning Corrective Action Plans (CAPs), Interim Assessments, and more.
  • Enhanced API: MyCSF also offers expanded API functions for integration with GRC and other systems.

For more information, including the MyCSF data sheet, go to https://hitrustalliance.net/mycsf.

For more information on the HITRUST Assessment XChange, go to https://hitrustax.com.

The post HITRUST Enhances Best in Class Information Risk and Compliance Assessment Platform appeared first on HITRUST.

Federal Chief Information Security Officer Grant Schneider, speaking Thursday at the Cybersecurity and Infrastructure Security Agency’s summit, said agencies have “come a long way” on cybersecurity.

He pointed to higher overall Federal Information Security Management Act and Federal Information Technology Acquisition Reform Act scores as evidence that government has turned a corner on cyber.

“I think we’re all far more operationally focused with agencies,” Schneider said. “We’re able to hold agencies accountable, or at least highlight where they’re at on metrics and really get a lot of the basic stuff done and done well.”

Jeanette Manfra, assistant director for cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency

Jeanette Manfra, the assistant director for cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said less time spent enforcing basic cyber hygiene standards allows CISA to play more of a cyber oversight role, providing “operational implementation guidance” for policies and setting standards.

Through two of its signature programs – Continuous Diagnostics and Mitigation, and its cyber hygiene program – Manfra said CISA has made it easier for agencies to show tangible progress in meeting their cybersecurity goals.

“What I think we’ve done well is find ways to identify indicators of success. If you don’t have an incident response plan, you probably are not doing very well. If you don’t have a patch continuous management process and policy, there are probably some problems in your organization,” she said. “There’s well understood, in the community, key indicators of success — that you can evaluate an organization just at a high level and say, ‘OK, well, you probably want to work on these things.’”

That evolution in roles, she said, plays into CISA’s mission statement of “securing today and defending tomorrow.”

But if cybersecurity is a team sport, questions still remain about bringing one former player back onto the field: the federal cybersecurity coordinator.

House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) urged Trump’s new National Security Adviser Robert O’Brien to bring back the cybersecurity coordinator, and argued the White House “has done little to address the vacuum left behind” when former adviser John Bolton eliminated the position last year.

“With cyber threats becoming more sophisticated and growing by the day, including the persistent threat to our election systems, there is no reason that the White House should have allowed this position to be eliminated,” Thompson said in a statement Thursday.

CISA Director Chris Krebs

CISA Director Chris Krebs said the cybersecurity coordinator, when the position was created about a decade ago, focused on “blocking and tackling,” and helping DHS engage with public and private partners. But now with CISA in place, Krebs said the agency and its partners have taken on more of that role as a coordinator.

“Now, 10 years later, we’re in a spot where a coordinator has a different job. It’s not blocking and tackling. It’s ensuring that we’re most effective coordinating policy and implementation across the interagency,” Krebs told reporters.

“There is coordination, so don’t take the lack of a coordinator for a lack of coordination,” he added.

Krebs said he has yet to meet with O’Brien, but said he would make cybersecurity a top priority at their first meeting. And if the White House brings back the coordinator role, Krebs said he would take all the help he can get.

“I think there’s space. I will take anybody in a federal agency that wants to play in this game. We will do an all-hands approach. So if a federal cybersecurity coordinator is in our future, then I really look forward to working with him,” he said.

While agencies have shown measurable progress on cybersecurity compared to where they were a decade ago, Schneider said IT modernization plays a major role in mitigating cyber vulnerabilities.

“We don’t want to build the next decade’s legacy systems tomorrow,” Schneider said. “We instead want to move to shared services and try to get agencies out of the business of doing some things that they need not be in the business of.”

Short-term cyber goals for agencies, he said, include establishing a “federal baseline for cybersecurity,” while longer-term goals include a move toward security as a shared service, as outlined in the Office of Management and Budget’s Quality Services Management Offices memo.

Grant Schneider, federal chief information security officer

But cyber readiness remains a moving target, and measuring the criteria for what makes an effective strategy can be an elusive goal.

“Can you be totally green across your scorecard and get [hacked] tomorrow by a nation-state? Absolutely,” Schneider said. “It’s an amount of, are you doing what you need to do to be as protected as possible, but it doesn’t get you to someplace that’s ‘safe.’”

Looking ahead at the next wave of cyber vulnerabilities, Donna Dodson, the National Institute of Standards and Technology’s chief cybersecurity adviser, said her agency is doubling down on efforts to build security into internet of things devices and to ensure that industry builds the right software into devices so there is confidence they are secure, rather than circling back “after the fact” on cybersecurity.

“As we look around in our networks and in our infrastructure, we see IoT in places and spaces across the federal government and with industry. It’s almost like the IT days, we really didn’t realize it was there,” Dodson said, adding that zero trust and identity management need to play a role.

NIST held a workshop last month seeking feedback from industry partners following the release of an IoT internal report in June and a roadmap released in April that laid out areas where NIST could further advance its cybersecurity framework.

Dodson said NIST plans to hold a workshop next week that will look at “AI from a trust perspective.” The agency will also host a workshop looking for feedback on the “human factors” of IoT “smart home” devices.

Expands role of Internal Audit Department participation in streamlining HITRUST CSF Assessments

FRISCO, Texas – HITRUST, a leading data protection standards development and certification organization, released updated guidance for placing reliance on the results of previously performed audits, assessments, and inspections. These policy and methodology updates create opportunities for greater assessment efficiency and customer cost savings.

HITRUST has historically afforded two opportunities for External Assessors (formerly referred to as HITRUST CSF Assessors) to rely on the results of previously performed control testing, one being inheritance of the results of other HITRUST CSF Assessments, and the other reliance on audit reports and certifications issued by third-party auditors (such as SOC 2 Type II reports) that meet the requirements as established by the CSF Assurance program. The recently released updates clarify these options by specifying associated timing, scope, and documentation requirements.

These updates also introduce opportunities for Internal Audit or other departments, meeting specific objectivity and resource qualification requirements, to directly participate and support the CSF Assessment process, more specifically creating a new role in the CSF Assurance process called Internal Assessor. Internal Assessors will aid in the CSF Assessment process by performing testing and verification on various aspects of the process. External Assessors will now have the option of relying on work performed by an assessed entity’s Internal Assessors, which not only creates efficiencies and cost savings, but also greater organizational alignment as it relates to information security and privacy control requirements. The Internal Assessor role in the CSF Assurance process will bring benefits to both External Assessors and assessed entities:

  • Assessed entities already performing robust pre-assessment testing in advance of their HITRUST CSF Validated Assessment can expect lower overall HITRUST CSF Assessment costs, as duplicate testing performed by their assessor can be reduced.
  • Teams with deep knowledge of the organization’s internal controls (such as Internal Audit, Risk Management, and Compliance) can now have a defined role in the overall HITRUST CSF Assessment process.

“Integrating Internal Audit teams into the CSF Assessment process can be very beneficial for organizations,” says Ken Vander Wal, Chief Compliance Officer, HITRUST. “In addition to the efficiency, time, and cost savings, it can better align information security and compliance across the organization.”

Those interested in learning more, including the specific requirements for Internal Assessors, are encouraged to read the recently released CSF Assurance Program advisory notices, available at https://hitrustalliance.net/csf-assurance-bulletin/.

In addition, MyCSF is also being enhanced to enable a defined role and updated workflow to support the addition of Internal Assessors.

To read the blog visit: https://blog.hitrustalliance.net/using-work-others-initiative-hitrust-streamlines-security-control-assessments-promote-culture-risk-management-collaboration/.

The post HITRUST Releases Guidance for Relying on the Work of Others appeared first on HITRUST.

Source

Expands role of Internal Audit Department participation in streamlining HITRUST CSF Assessments

FRISCO, Texas–HITRUST, a leading data protection standards development and certification organization, released updated guidance for placing reliance on the results of previously performed audits, assessments, and inspections. These policy and methodology updates create opportunities for greater assessment efficiency and customer cost savings.

HITRUST has historically afforded two opportunities for External Assessors (formerly referred to as HITRUST CSF Assessors) to rely on the results of previously performed control testing, one being inheritance of the results of other HITRUST CSF Assessments, and the other reliance on audit reports and certifications issued by third-party auditors (such as SOC 2 Type II reports) that meet the requirements as established by the CSF Assurance program. The recently released updates clarify these options by specifying associated timing, scope, and documentation requirements.

These updates also introduce opportunities for Internal Audit or other departments, meeting specific objectivity and resource qualification requirements, to directly participate and support the CSF Assessment process, more specifically creating a new role in the CSF Assurance process called Internal Assessor. Internal Assessors will aid in the CSF Assessment process by performing testing and verification on various aspects of the process. External Assessors will now have the option of relying on work performed by an assessed entity’s Internal Assessors, which not only creates efficiencies and cost savings, but also greater organizational alignment as it relates to information security and privacy control requirements. The Internal Assessor role in the CSF Assurance process will bring benefits to both External Assessors and assessed entities:

  • Assessed entities already performing robust pre-assessment testing in advance of their HITRUST CSF Validated Assessment can expect lower overall HITRUST CSF Assessment costs, as duplicate testing performed by their assessor can be reduced.
  • Teams with deep knowledge of the organization’s internal controls (such as Internal Audit, Risk Management, and Compliance) can now have a defined role in the overall HITRUST CSF Assessment process.

“Integrating Internal Audit teams into the CSF Assessment process can be very beneficial for organizations,” says Ken Vander Wal, Chief Compliance Officer, HITRUST. “In addition to the efficiency, time, and cost savings, it can better align information security and compliance across the organization.”

Those interested in learning more, including the specific requirements for Internal Assessors, are encouraged to read the recently released CSF Assurance Program advisory notices, available at https://hitrustalliance.net/csf-assurance-bulletin/.

In addition, MyCSF is being enhanced with a defined role and an updated workflow to support the addition of Internal Assessors.

To read the blog visit: https://blog.hitrustalliance.net/using-work-others-initiative-hitrust-streamlines-security-control-assessments-promote-culture-risk-management-collaboration/.

The post HITRUST Releases Guidance for Relying on the Work of Others appeared first on HITRUST.

Source

On 8 August 2019, the US Securities and Exchange Commission (SEC) issued for public comment certain proposed amendments to Regulation S-K.[1] Regulation S-K principally governs the content of disclosure documents filed by US domestic issuers. Therefore, generally speaking, most of these proposed amendments to Regulation S-K will not affect foreign private issuers (FPIs). This alert briefly discusses the portions of the Proposing Release that would apply to FPIs and certain additional information in the Proposing Release that may be of interest to them.

Background: Regulation S-K

Regulation S-K is the central source of the information required to be disclosed by US domestic issuers in registration statements under the US Securities Act of 1933, as amended (the Securities Act) and in periodic reports under the US Securities Exchange Act of 1934, as amended (the Exchange Act).[2] The SEC issued these recent proposed amendments as part of its broader efforts to make disclosure documents more readable and easier for investors to navigate, and in response to a legislative mandate to the SEC to review Regulation S-K and pare it back where possible.

The proposed amendments would affect parts of Item 101 (Business Description),[3] Item 103 (Legal Proceedings) and Item 105 (Risk Factors). The SEC characterizes its current disclosure requirements as “prescriptive” in that the same quantitative disclosure thresholds apply to all issuers or require all issuers to disclose the same type of information, which may not reflect information that is material to every business. The proposed amendments to Items 101 and 105 reflect SEC determinations to adopt “principles-based” disclosure, which the SEC believes will be tailored to issuers’ particular circumstances and, at least for these items, to move away from the “prescriptive disclosure” requirement. The SEC also believes that the changes to these items may elicit disclosure with a greater focus on information that is material to individual businesses. In contrast, Item 103 (Legal Proceedings) would remain prescriptive, reflecting the SEC’s belief that disclosure of such matters depends less on the specific characteristics of individual issuers. The proposed revisions to Item 103 include amendments intended to eliminate repetitive disclosure and raise the monetary threshold for disclosure of certain proceedings.

The immediate reaction to the proposed amendments has been mixed. Many public companies, particularly larger ones that are more closely watched by shareholders and the media, and those that face “activist” shareholders, tend to over-disclose rather than potentially face shareholder lawsuits arising out of adverse events. The SEC’s intention to address such over-disclosure is particularly evident in the proposed revisions to Item 105 (Risk Factors) discussed below.

Application of Proposing Release to FPIs

Regardless of the proposal’s ultimate effects on US domestic issuers, the immediate effects on FPIs would be limited since, as noted above, Regulation S-K applies principally to US domestic issuers.[4] The content of disclosure documents filed by FPIs is set forth primarily in SEC Form 20-F. Form 20-F is, essentially, a stand-alone catalog of required disclosures by FPIs. FPIs must file Form 20-F both to register a class of securities under the Exchange Act (generally in connection with a listing) and as an annual report under the Exchange Act. Form 20-F is also the source of most of the information required to be included in registration statements under the Securities Act filed by FPIs. However, an FPI that registers its securities for sale under the Securities Act is required to provide a discussion of risk factors in accordance with Item 105 of Regulation S-K. Thus, the proposed changes to Item 105 will affect disclosure by FPIs should they choose to conduct a registered public offering in the US.

The SEC’s Proposing Release contains the following key changes to Regulation S-K Item 105 (Risk Factors):

  • Documents containing risk factor disclosure exceeding 15 pages would have to include summary risk factor disclosure in the forepart of the prospectus or report, under an appropriate heading.
  • In lieu of disclosing the “most significant” risk factors as now required, issuers would be required to disclose “material” risk factors.
  • Risk factors would be required to be organized under relevant headings.

The SEC is proposing these revisions to Item 105 “to address the lengthy and generic nature of the risk factor disclosure presented by many registrants,” and notes that a contributing factor to the increased length of risk factor disclosure appears to be the inclusion of “generic, boilerplate risks that could apply to any offering or registrant.”[5] The first and third bullets above appear to reflect existing practices by many issuers, and should be familiar to many FPIs. The EU Prospectus Directive requires a risk factors summary and, as noted by the SEC in the Proposing Release, many issuers already organize their risk factors disclosure under relevant headings.[6] The second bullet above, replacing disclosure of the “most significant risks” with disclosure of “material” risks, is intended to emphasize disclosure of the risks to which a reasonable investor would attach importance in making investment decisions.[7] The SEC believes that this change could result in risk factor disclosure more tailored to the facts and circumstances of each issuer, reducing immaterial disclosure and thereby shortening risk factor disclosure.

Apart from the specific changes to Item 105 that will affect FPIs when they register securities under the Securities Act, FPIs will also be interested in the SEC’s requests for comments on all the proposed revisions at pages 53-54, 64 and 74 of the Proposing Release. On these pages, the SEC solicits comments specifically addressing whether comparable changes should be made to the analogous disclosure requirements of Form 20-F. It is interesting to note that question 27, on page 53, acknowledges that the requirements of Form 20-F are largely prescriptive, rather than principles-based. Paradoxically perhaps, the prescriptive nature of Form 20-F for FPIs may be contrasted with the principles-based approach for financial statements embodied in International Financial Reporting Standards (IFRS), used by many FPIs to prepare the financial statements included in their SEC filings. Unlike IFRS, US GAAP used by US domestic issuers is considered to be “rules-based,” i.e., prescriptive. Thus, if the amendments to Regulation S-K are adopted as proposed, the use of prescriptive versus principles-based disclosure for the non-financial and financial portions of disclosure documents filed by US domestic companies and FPIs could reflect contrasting trends, with US issuers providing principles-based non-financial disclosure and rules-based financial statements and FPIs doing just the opposite. If any such contrasting trend were perceived as an impediment to comparability of disclosure by US issuers and FPIs, that might ultimately motivate the SEC to revise Form 20-F to provide for principles-based disclosure requirements as well. A countervailing consideration could be the fact that the present non-financial portions of Form 20-F were revised in 1999 to harmonize Form 20-F with the non-financial international disclosure standards endorsed by the International Organization of Securities Commissions (IOSCO). One of IOSCO’s objectives was the promotion of the use of a single disclosure document that would be accepted in multiple jurisdictions. In its request for comments regarding possible revisions to Form 20-F comparable to the proposed Regulation S-K amendments, the SEC asked specifically whether such revisions would reduce the ability of FPIs to use a single document in multiple jurisdictions.[8]

The comment period for the proposed amendments expires 60 days following publication of the Proposing Release in the Federal Register.


1. See Securities and Exchange Commission Release No. 33-10668, Modernization of Regulation S-K Items 101, 103, and 105, available at https://www.sec.gov/rules/proposed/2019/33-10668.pdf (the Proposing Release).

2. The full title of Regulation S-K is “Standard Instructions for Filing Forms Under the Securities Act of 1933, the Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975.” The complete text of Regulation S-K is set forth as Part 229 of Title 17 of the Code of Federal Regulations.

3. This Alert does not discuss the proposed revisions to Item 101 of Regulation S-K, the business description required to be provided by US domestic issuers. The Proposing Release includes an extensive description and explanation of these proposed amendments at pp. 12-54 of the release.

4. Regulation S-K also governs disclosures by non-US companies that elect to use US domestic registration and reporting forms, and by foreign issuers that do not qualify as FPIs. The SEC’s rules define “foreign private issuer” as any foreign issuer other than a foreign issuer that has more than 50 percent of its outstanding voting securities directly or indirectly owned of record by US residents and that has (i) a majority of its executive officers or directors who are US citizens or residents, (ii) more than 50 percent of its assets located in the US, or (iii) its business administered principally in the US.

5. Proposing Release at pp. 65, 66. The Proposing Release also acknowledges that commentators attribute the growing length of risk factor disclosure to the litigation risk associated with a failure to disclose if events turn negative.

6. Proposing Release at p. 71.

7. The SEC’s position reflects the definition of “material” in Rule 405 under the Securities Act, under which material information is “information . . . to which there is a substantial likelihood that a reasonable investor would attach importance in determining whether to purchase the security.”

8. Proposing Release at p. 53.

The post US: SEC Proposes Amendments to Regulation S-K: What Foreign Private Issuers Need to Know appeared first on Global Compliance News.

Source