Baker McKenzie’s Sanctions Blog published the alert titled US Clarifies Applicability of Russian Flight Restrictions on 14 March 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: US Clarifies Applicability of Russian Flight Restrictions appeared first on Global Compliance News.

Source

Baker McKenzie’s Sanctions Blog published the alert titled CBP issues guidance on petroleum imports from Russia on 15 March 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: CBP issues guidance on petroleum imports from Russia appeared first on Global Compliance News.

Source

Baker McKenzie’s Sanctions Blog published the alert titled US Government Issues New Executive Order Prohibiting Certain Imports, Exports, and New Investments Involving Russia and Four New General Licenses Related to Operations in Russian and Ukraine on 15 March 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: US Government Issues New Executive Order Prohibiting Certain Imports, Exports, and New Investments Involving Russia and Four New General Licenses Related to Operations in Russian and Ukraine appeared first on Global Compliance News.

Source

Baker McKenzie’s Sanctions Blog published the alert titled G7 Countries Move to Revoke Russia’s “Most Favored Nation” Status and Impose Other Sanctions on 16 March 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post Global: G7 Countries Move to Revoke Russia’s “Most Favored Nation” Status and Impose Other Sanctions appeared first on Global Compliance News.

Source

Baker McKenzie’s Sanctions Blog published the alert titled “FinCEN issues alert on potential Russia and Belarus sanctions evasion” on 18 March 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: FinCEN issues alert on potential Russia and Belarus sanctions evasion appeared first on Global Compliance News.

Source

SEC proposes rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies

In brief

On 9 March 2022, the US Securities and Exchange Commission (SEC) proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. These rules are intended to enhance and standardize cybersecurity disclosures, and, if adopted in their current form, would require public companies to disclose cybersecurity-related policies, procedures and all material cybersecurity incidents.


Key takeaways

  • On 9 March 2022, the SEC proposed new disclosure requirements related to cybersecurity risk management, strategy, governance, and incident reporting.
  • Under the proposed rules, public companies would be required to file a report on Form 8-K within four business days of determining that a cybersecurity incident was material and would be required to report material changes as a result of the incident.
  • Public companies should consider updating or adopting cybersecurity policies and procedures, as the proposed rules would require disclosure of such policies and governance practices surrounding their implementation. 

Incident reporting requirements

Current incident reporting (Item 1.05 of Form 8-K)

The proposed rules would create a new reporting obligation on material cybersecurity incidents. In content and substance, this obligation is similar to US state data breach notification laws. Unlike data breach notification laws, however, a cybersecurity incident can be considered material even if it does not impact personal data. For example, an unauthorized party accessing, or exceeding authorized access, and altering, or stealing sensitive business information, intellectual property, or information that resulted, or may result, in a loss or liability for the company would be a material cybersecurity incident under the proposed rules, even though no personal data was affected.

In the proposed new Item 1.05 of Form 8-K, public companies would be required to provide specific information within four business days of determining that a material cybersecurity incident had occurred. Public companies would have to determine materiality as soon as reasonably practicable after the discovery of the incident. Some state data breach notification laws allow entities to delay notification to the relevant authorities in order to avoid impeding with a law enforcement investigation. The SEC, however, explicitly distinguishes this reporting obligation by stating that in “a situation in which a state law delay provision would excuse notification, there is a possibility a registrant would be required to disclose the incident on Form 8-K even though it could delay incident reporting under a particular state law”.

To the extent known at the time of the filing, public companies would be required to provide particular information about the material cybersecurity incident, including:

  1. The date the incident was discovered, and if the incident remains live.
  2. The nature and scope of the incident.
  3. If any data was stolen, altered, accessed, or used for any other unauthorized purpose.
  4. The impact of the incident on company operations.
  5. If the incident has been remediated or is in the process of being remediated.

The SEC does clarify it does not expect public companies to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems. Notably, the proposed rules do not include a definition of materiality as it relates to cybersecurity incidents.

Periodic incident reporting (Forms 10-K and 10-Q)

Because the Form 8-K disclosure requirement, if adopted, will lead to reports with incomplete information about a material cybersecurity incident, proposed Item 106(d)(1) of Regulation S-K would require public companies to disclose any material changes, additions, or updates to prior cybersecurity incidents in periodic reports.

Some examples of a material change include becoming aware of additional information, such as learning more about the scope of the incident or whether data was somehow altered, and any material impact of the incident on the public company’s operations and financial condition.

The SEC also recognizes that incidents previously considered immaterial may become material in the aggregate, triggering a reporting obligation. Proposed Item 106(d)(2) would require disclosure when a series of previously undisclosed individually immaterial cybersecurity incidents become material in the aggregate. Public companies will need to analyze related cybersecurity incidents for materiality, both individually and in the aggregate.

Cybersecurity policies and procedures

In addition to the disclosures regarding cybersecurity incidents, the SEC’s proposed Item 106 of Regulation S-K would require public companies to describe any policies and procedures in place to identify and manage cybersecurity risks in great detail. The SEC’s proposed rules suggest public companies should disclose whether cybersecurity policies or procedures play a role in the company’s financial planning, capital allocation and business strategy. Any mechanisms the company has in place to mitigate cybersecurity risks that arise from third-party interactions or access to company data would be disclosed as well.

Board involvement in cybersecurity

Board processes

As part of the proposed disclosure regarding a company’s policies and procedures, the SEC focused on disclosures related to the role governance plays in protecting against cybersecurity incidents. Proposed Item 106 of Regulation S-K would require public companies to disclose details about the board’s oversight of cybersecurity risk, including disclosure about how frequently the board discussed its cybersecurity incidents, policies and procedures.

Management processes

The disclosures under proposed Item 106 of Regulation S-K would require public companies to discuss management’s role in assessing and managing cybersecurity risks and implementing the company’s cybersecurity policies and procedures as well. Under the proposed rules, companies would be required to disclose whether or not they have a Chief Information Security Officer, as well as that person’s background and expertise.

Comment Period

This rulemaking represents proposals by the SEC and the Commission is currently seeking public comment. The comment period for this rule proposal will be open for 60 days from the date on which the proposal appears in the Federal Register. Once comments are received, the SEC will consider those comments prior to issuing a final rule.

Director expertise

The SEC’s proposed rules include an amendment to Item 407 of Regulation S-K that would require annual reporting or proxy disclosure about the board of directors’ cybersecurity expertise if any. Specifically, proposed amendments to Item 407(j) would require public companies to disclose the names of any directors with expertise in cybersecurity and detail the nature of their expertise.

To read the full provisions of the proposed requirements, click here. If you have any questions about potentially commenting on this rule proposal, or about any public company, financial services rule, or privacy or cybersecurity law, please contact your Baker McKenzie lawyers.

The post United States: SEC proposes required cybersecurity disclosures appeared first on Global Compliance News.

Source

On March 2, 2022, in response to Belarus’s enabling of Russia’s further invasion of Ukraine, the US Commerce Department’s Bureau of Industry and Security (“BIS”) issued a final rule (“Final Rule”) effective on the same day, that implements sweeping export controls measures targeting Belarus. This Final Rule subjects Belarus to substantially the same export controls that were imposed on Russia and became effective on February 24, 2022. (Our blog post summarizing those export controls targeting  Russia is here). As stated in the White House statement announcing these new controls (among other future actions), by implementing these measures, the US Government aims to “prevent the diversion of items, including technology and software, in the defense, aerospace, and maritime sectors to Russia through Belarus, and degrade both nations’ ability to sustain military aggression.”

The new export controls imposed on Belarus in the Final Rule can be categorized as follows:

  • License requirement for items in the Commerce Control List (“CCL”) Categories 3-9, with a licensing policy of denial (except in limited cases) and only limited license exceptions available;
  • Extension of the new Foreign Direct Product (“FDP”) Rules imposed on Russia to Belarus and Belarusian military end use/end users (“MEUs”);
  • Expanded MEU and military-intelligence end use/end users (“MIEU”) restrictions to Belarus;
  • Additions of two Belarusian Entities to the Entity List; and
  • Country Group change for Belarus from A:4 to D:2 and D:4.

In addition, the Final Rule contains the following updates related to Russia: 

  • Revisions to the Entity List to remove previously available exclusions for Russian entities; and
  • the narrowing of the availability of license exceptions/end-users for encryption-related items, as further explained below.   

License Requirement for CCL Categories 3-9 – Section 746.8(a)(1) of the EAR

Exports, reexports, and transfers (in-country) of all items subject to the EAR and classified in CCL Categories 3 through 9 now require a license to Belarus (excluding deemed exports and reexports), subject to limited license exceptions and a licensing policy of denial (except in limited cases). CCL Categories 3 through 9 include many items that are not particularly sensitive from an export controls perspective and did not previously require a license to Belarus, such as telecommunications items and low-level encryption items.

Licensing Policy of Denial

Items requiring a license under these new controls will be reviewed under a licensing policy of denial, except that the following license applications will be reviewed by BIS on a case-by-case basis to determine whether the transaction would benefit the Belarusian government or defense sector or present a risk of diversion to Russia:

  • related to safety of flight or maritime safety
  • for civil nuclear safety
  • to meet humanitarian needs
  • in support of government space cooperation
  • for companies headquartered in Country Groups A:5 and A:6 to support civil telecommunications infrastructure
  • involving government-to-government activities
  • companies in Belarus that are:
    1. wholly-owned US subsidiaries;
    2. foreign subsidiaries of US companies that are joint ventures with other US companies;
    3. joint ventures of US companies with companies headquartered in Country Group A:5 and A:6;
    4. wholly-owned subsidiaries of companies headquartered in Country Group A:5 and A:6; or
    5. joint ventures of companies headquartered in Country Group A:5 and A:6 with other companies headquartered in Country Groups A:5 and A:6.

Limited License Exceptions, and Modification of End-Users for Encryption Items

Only the following EAR license exceptions are available:

  • License Exception TMP for items for use by news media;
  • License Exception GOV;
  • License Exception TSU for software updates for civil end users that are subsidiaries or joint of ventures of companies headquartered in the United States or country or countries from Country Groups A:5 and A:6;
  • License Exception BAG, excluding firearms and ammunition;
  • License Exception AVS (which now excludes any aircraft registered in, owned, or controlled by, or under charter or lease by Belarus or a national of Belarus);
  • License Exception ENC (though note narrowed application described below);
  • License Exception CCD (which previously only included Cuba and Russia, but now also includes Belarus). 

Notably, the Final Rule narrows License Exception ENC for both Belarus and Russia,  Specifically, License Exception ENC is now only available for exports and reexports to, and transfers in, Belarus and Russia for a narrower subset of end-users — i.e., (i) civil end-users that are wholly-owned US subsidiaries, (ii) foreign subsidiaries of US companies that are joint ventures with other US companies, (iii) joint ventures of US companies with companies headquartered in countries from Country Group A:5 and A:6 in supplement, (iv) the wholly-owned subsidiaries of companies headquartered in countries from Country Group A:5 and A:6, or (v) joint ventures of companies headquartered in Country Group A:5 and A:6 with other companies headquartered in Country Groups A:5 and A:6 (“Authorized ENC End-Users“).

Moreover, language has been added to the Russian sanctions provision (i.e., EAR § 746.8(a)(1)) to clarify that items controlled under ECCNs 5A992 and 5D992 (which previously required a license given their inclusion in Category 5 and the inapplicability of License Exception ENC for such items) can be exported/reexported, but only to Authorized ENC End-Users. 

Adding Belarus to the Scope of the New Russia FDP Rules – Sections 734.(9)(f) and (g) of the EAR

As described in our February 25 blog post (see here), the new export controls imposed against Russia on February 24, 2021 created new FDP rules: the first focused on reexports and transfers involving Russia (“Russia FDP Rule”), and the second focused specifically on Russian MEUs newly listed on the Entity List (“Russia-MEU FDP Rule”) (collectively, the “New Russia FDP Rules”). 

In the Final Rule, BIS has added Belarus as a second country subject to the New Russia FDP Rules, resulting in a near total ban on exports of items to both Russian and Belarusian MEUs. Specifically, the Russia FDP Rule has added Belarus as a destination, whereas the Russia-MEU FDP rule now also targets Belarusian MEUs in addition to Russian MEUs.

Expanded MEU and MIEU Restrictions – Section 744.21 and 744.22 of the EAR

The Final Rule adds Belarus to the the Russia MEU restrictions in Section 744.21 of the EAR, thereby requiring a license for all items subject to the EAR (including EAR99 times), except for food and medicine designated as EAR99. The Final Rule also added Belarus to the MIEU restrictions in section 744.22 of the EAR, identifying The Main Intelligence Directorate of the General Staff of the Armed Forces of Belarus as an MIEU.

Additions of Belarusian Entities to the Entity List

The Final Rule has added two entities, (i) JSC Integral and (ii) the Ministry of Defense of the Republic of Belarus (which encompasses the national armed services, including the army, navy, marine, air force, or coast guard; national guard and police; and government intelligence or reconnaissance organizations of Belarus), to the Entity List with a license requirement for all items subject to the EAR.

These two entities are added for “being closely aligned with the Russian military and helping to facilitate Belarus’s substantial enabling of Russia’s further invasion of Ukraine.” License applications involving parties on the Entity List are subject to a policy of denial. A footnote 3 designation was added to the entries for these two entities to establish that they are considered “military end users” for the Russia-MEU FDP Rule discussed above.

Country Group Change for Belarus

The Final Rule revises the Commerce Country Groups in supplement no. 1 to part 740 to remove Belarus from Country Group A:4 under the EAR and add it to Country Group D:2 and D:4 to reflect that Belarus is now a country of concern for both nuclear proliferation and missile technology proliferation. The inclusion of Belarus in these two Country Groups would mean additional and more stringent export license requirements and limited availability of license exceptions.

Revisions to the Entity List to Remove Exclusions for Russian (and Belarusian) Entities

The Final Rule modifies eight existing entries in the entity list under Russia to remove the exclusion that was previously available for ECCN 5A992.c and 5D992.c when not for Russian or Belarusian “government end users” and Russian or Belarusian state-owned enterprises (SoEs).  In other words, such items can no longer be exported/reexported to parties on the Entity List, regardless of whether associated with a government end user or not. 

Baker McKenzie will continue closely monitoring developments related to the Russia-Ukraine situation and will update this blog accordingly.

The post US Department of Commerce Extends the Significant Export Controls Imposed on Russia to Belarus, Narrows License Exceptions Available for Russia appeared first on Global Compliance News.

Source

On March 2, 2022, the US Treasury Department’s Office of Foreign Assets Control (“OFAC”) issued two new Russia-related general licenses, reissued two existing general licenses, and published and updated several frequently asked questions (“FAQs”) clarifying various aspects of the Russia-related sanctions imposed over the past weeks. In addition, on March 3, 2022, OFAC issued another new Russia-related general license and designated additional parties to the Specially Designated Nationals and Blocked Persons List (“SDN List”). We summarize these developments below.

New and Revised General Licenses

OFAC issued three new general licenses, as follows:

  • General License No. 13 authorizes US Persons to pay taxes, fees, or import duties and to purchase or receive permits, licenses, registrations, or certifications, to the extent such transactions would otherwise be prohibited as involving Central Bank of the Russian Federation, the National Wealth Fund of the Russian Federation, or the Ministry of Finance of Russia (the “Directive 4 Entities”) under Directive 4 issued under Executive Order 14024 (“EO 14024”), and provided such transactions are ordinarily incident and necessary to such persons’ day-to-day operations in Russia. This authorization only extends through 12:01 am ET on June 24, 2022, but does go some way to addressing immediate concerns over various administrative and regulatory fees, taxes, etc. having to be made into accounts in the name of the Central Bank of Russia. Our blog post on Directive 4 is available here.
  • General License No. 14 authorizes US Persons to engage in all transactions otherwise prohibited under Directive 4 with a Directive 4 Entity provided the Directive 4 Entity’s s sole function in the transaction is to act as an operator of a clearing and settlement system. The authorization is only valid if (i) there is no transfer of assets to or from a Directive 4 Entity and (ii) no Directive 4 Entity is either a counterparty or a beneficiary to the transaction, in either case unless separately authorized. The general license does not authorize any debit to an account on the books of a US financial institution of any Directive 4 Entity. In order to use this General License 14, companies will need to satisfy themselves that the actual Directive 4 Entity (e.g. the Central Bank of Russia) is acting “solely” as an “operator” of a clearing and settlement system. There is no expiration date for this general license.
  • General License No. 15 authorizes all otherwise prohibited transactions with any entity owned 50% or more, directly or indirectly, by Alisher Burhanovich Usmanov (the “Blocked Usamov Entities”), provided that such entities are not themselves identified on the SDN List. This general license was issued on March 3, 2022, the same day that Usmanov was designated as an SDN. The general license provides that all property and interests in property of the Blocked Usmanov Entities are unblocked, and that debits to accounts on the books of a US financial institution of the Blocked Usmanov Entities are authorized. There is no expiration date for this general license.

In addition, OFAC reissued General Licenses 9A and 10A related to EO 14024:

  • General License No. 9Aamends the former General License 9. It still authorizes all transactions through 12:01 am on May 25, 2022 that are ordinarily incident and necessary to dealings in debt or equity involving (i) State Corporation Bank for Development and Foreign Economic Affairs Vnesheconombank (i.e., “VEB Bank”); (ii) Otkritie; (iii) Sovcombank; (iv) Sberbank; (v) VTB Bank; or (vi) any entity in which one or more owns 50% or more individually or in the aggregate (collectively “Covered Entities”), provided that any divestment or transfer is to a non-US person, as previously discussed here.

The reissued version of the general license also authorizes all otherwise prohibited transactions that are ordinarily incident and necessary to the receipt of interest, dividend, or maturity payments in connection with debt or equity of the Directive 4 Entities issued before March 1, 2022.

This authorization does not authorize (i) the opening or maintaining of a correspondent account or payable-through account for or on behalf of an entity subject to Directive 2; (ii) any debit to an account on the books of a US financial institution of a Directive 4 Entity; or (iii) any transactions otherwise prohibited by the Russian Harmful Foreign Activities Sanctions Regulations. Our blog post on the correspondent and payable-through account sanctions set out in Directive 2 is available here.

  • General License No. 10A amends the former General License 10. It still authorizes all transactions through 12:01 am on May 25, 2022 ordinarily incident and necessary to the wind down of derivative contracts entered into prior to February 24, 2022 involving a Covered Entity, or that are linked to debt or equity of a Covered Entity, provided that any payments to an SDN are made into a blocked account, as previously discussed here.

The reissued version of the general license additionally authorizes all transactions otherwise prohibited by Directive 4 that are ordinarily incident and necessary to the wind down of derivative contracts, repurchase agreements, or reverse repurchase agreements entered into prior to March 1, 2022 that include a Directive 4 Entity as a counterparty.

New and Revised FAQs

The following points in OFAC’s new and revised Russia sanctions FAQs are particularly noteworthy:

  • FAQ 1001 clarifies that the “50 Percent Rule” does not apply to Directive 4. For example, entities owned by the Central Bank of Russia are not subject to Directive 4 unless otherwise explicitly named.
  • FAQ 1002 clarifies that US Persons may not engage in indirect transactions with Directive 4 Entities unless those transactions are exempt or authorized by OFAC. The FAQ also states that US Persons should be on alert for non-routine foreign exchange transactions that may indirectly involve the Directive 4 Entities, and that they should exercise caution in engaging in foreign exchange transactions on the Moscow Exchange given the current heightened risk that the Central Bank of Russia could be a counterparty.
  • FAQ 1004 clarifies that Directive 4 does not “block” the Directive 4 Entities as SDNs, but does require that US Persons reject transactions involving the Directive 4 Entities unless those transactions are exempt or authorized by OFAC.
  • FAQ 1005 clarifies that Directive 4 does not prohibit trading in the secondary markets for debt or equity of the Directive 4 Entities, provided that no Directive 4 Entity is a counterparty to such a transaction. It also notes, however, that Directive 1A issued under EO 14024 prohibits US financial institutions from participation in the secondary market for ruble or non-ruble denominated bonds issued after March 1, 2022 by the Directive 4 Entities. Please see our blog post on Directive 1A here.
  • FAQ 1009 importantly clarifies that Executive Order 14065 (“EO 14065”) imposing comprehensive sanctions on the Donetsk People’s Republic (“DNR”) and Luhansk People’s Republic (“LNR”) does not sanction the entire Donetsk or Luhansk oblasts. However, the FAQ does not clearly indicate which areas are and are not covered by EO 14065. Please see our blog post on EO 14065 here.
  • FAQ 967 was updated to clarify that after the effective date of the Directive 2 correspondent and payable-through account sanctions, US financial institutions’ obligation to reject transactions from targeted non-US financial institutions includes rejecting transactions related to securities (including depository receipts) issued by such institutions, including secondary market trading. The FAQ also clarifies that Directive 2 prohibits US financial institutions from engaging in transactions with targeted non-US financial institutions in connection with their role as a local custodian for depository receipt issuances.
  • FAQ 981 was updated to include a warning that, notwithstanding the authorizations set out in General License Nos. 9A and 10A, US Persons should exercise caution in engaging in foreign exchange transactions given the heightened risks that the Central Bank of Russia could be a counterparty to such transactions.

Additional Parties to the SDN List

Finally, OFAC added additional parties to the SDN List, a list of whom is available here, and whom are described in a Treasury Department press release as “Russian elites” and “Russian intelligence-directed disinformation outlets.”  As a result of these designations, US Persons are generally prohibited from dealing directly or indirectly with SDNs, entities that are owned 50% or more by one or more SDNs, and their property or property interests. Non-US persons can be held liable for “causing” violations by US Persons involving transactions with SDNs and can also be subject to secondary sanctions risks (which would include, in particular, the risk of designation as an SDN themselves) for providing “material support” to SDNs.

The post US/Russia: OFAC Issues New General Licenses Authorizing Certain Transactions with the Central Bank of the Russian Federation, Designates Additional Russian Parties as SDNs, and Issues New Guidance appeared first on Global Compliance News.

Source

Baker McKenzie’s Sanctions Blog published the alert titled “BIS announces expanded export controls targeting Russia” on 25 February 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: BIS announces expanded export controls targeting Russia appeared first on Global Compliance News.

Source

Baker McKenzie’s Sanctions Blog published the alert titled “US Government imposes expansive OFAC sanctions on Russia, sanctions certain additional Belarussian entities” on 27 February 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: US Government imposes expansive OFAC sanctions on Russia, sanctions certain additional Belarussian entities appeared first on Global Compliance News.

Source