Category Archives: Third Party Risk Management

It May Not Be Worth the Paper (or Pixel) It’s Written On (Part 2): A Fresh Look at Common Responses to Bolster Export Controls Compliance Programs as BIS Primes the Corporate Enforcement Engine

by Brent Carlson and Michael Huneke

Brent Carlson and Michael Huneke (photos courtesy of authors)

Amid reports of continued export controls diversion[1] to entities in locations including China, Russia, Iran, and North Korea, the U.S. Commerce Department’s Bureau of Industry and Security (“BIS”) has been priming the corporate enforcement engine.[2] This dynamic increases challenges for in-house legal and compliance teams to respond to BIS’ latest moves and bolster compliance program effectiveness. In this new environment, the greatest compliance risks revolve around explaining and defending relationships with distributors and resellers in the face of allegations and reports of product diversion or other “red flags” indicating the same—a task made more nuanced under the “high probability” standard of “knowledge” recently highlighted by BIS in new guidance issued on July 10, 2024 (the “July 10 BIS Guidance”).[3]

In Part 1 we previously discussed the practice of using letters of assurance—and the problems of relying solely upon them without resolving related red flags—to bolster export controls compliance programs in response to the new BIS enforcement playbook.[4] In Part 2 we now examine other common responses based on legacy approaches to export controls and why they are ineffective—and even detrimental—in today’s new and evolving enforcement environment.

Cyber Experts React to Court Decision in the SEC’s SolarWinds Enforcement Action

Editor’s Note: PCCE has been watching the developments in the SEC’s enforcement action against SolarWinds and its CISO over allegedly misleading disclosures and controls failures related to the compromise of its Orion product by putative Russian hackers. In this post, cybersecurity experts and lawyers discuss the recent decision by U.S. District Judge Paul Engelmayer to dismiss most of the SEC’s claims in the case.

Top left to right: Randal Milch, Judy Titera, James Haldin, and Alan Wilson. Bottom left to right: Matthew Beville, Elizabeth Roper, and Jerome Tomas. (Photos courtesy of authors)

European Union Finally Adopts Corporate Sustainability Due Diligence Directive

by Samantha Rowe, Patricia Volhard, Jin-Hyuk Jang, John Young, Ulysses Smith, Jesse Hope, Harry Just, and Andrew Lee

Top left to right: Samantha Rowe, Patricia Volhard, Jin-Hyuk Jang and John Young. Bottom left to right: Ulysses Smith, Jesse Hope, Harry Just and Andrew Lee. (Photos courtesy of Debevoise & Plimpton LLP)

On 24 May 2024, the European Council (the “Council”) formally adopted the Corporate Sustainability Due Diligence Directive (the “CSDDD” or the “Directive”). The regime introduces human rights, environmental and governance due diligence obligations covering in-scope companies’ and their subsidiaries’ operations, as well as their “chain of activities”, meaning companies’ supply and distribution chains.

EU Digital Operational Resilience Act (“DORA”): Incident and Cyber Threat Reporting and Considerations for Incident Response Plans

by Robert Maddox, Stephanie Thomas, Annabella M. Waszkiewicz, and Michiko Wongso

Left to right: Robert Maddox, Stephanie Thomas, Annabella M. Waszkiewicz, and Michiko Wongso (photos courtesy of Debevoise & Plimpton LLP)

With the EU Digital Operational Resilience Act (“DORA”) implementation deadline set for January 2025, many financial services firms are spending 2024 preparing for the new regime. Amongst many operational resilience and management oversight requirements, DORA will require covered entities to monitor for, identify, and classify Information and Communications Technology (“ICT”)-related incidents (“incidents”) and cyber threats and report them under certain circumstances to regulators, clients, and the public.

In this post, we take a closer look at DORA’s ICT-related incident and cyber threat reporting obligations (which can require notifications as fast as four hours) and how covered entities can prepare to address them within their existing incident response plans (“IRPs”).

For a more general overview of DORA’s requirements, please see our previous blog post here, along with our coverage of management obligations for covered entities under DORA and how DORA will impact fund managers and the insurance sector in Europe.
