Establish, implement, and maintain an external reporting program.


CONTROL ID: 12876
CONTROL TYPE: Communicate
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a reporting methodology program., CC ID: 02072

This Control has the following implementation support Control(s):
  • Provide identifying information about the organization to the responsible party., CC ID: 16715
  • Identify the material topics required to be reported on., CC ID: 15654
  • Define the thresholds for reporting in the external reporting program., CC ID: 15679
  • Include time requirements in the external reporting program., CC ID: 16566
  • Include information about the organizational culture in the external reporting program., CC ID: 15610
  • Include reporting to governing bodies in the external reporting plan., CC ID: 12923
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The licensed corporation should designate at least two individuals, being Managers-In-Charge of Core Functions (MICs) in Hong Kong, who have the knowledge, expertise and authority to access all of the Regulatory Records kept with an EDSP at any time, and who can ensure that the SFC has effective acc… (7.(g), Circular to Licensed Corporations - Use of external electronic data storage)
  • A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information… (Article 45-3(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Under CPS 234, an APRA-regulated entity must notify APRA of information security control weaknesses meeting specified criteria. An APRA-regulated entity would typically escalate material control weaknesses to the relevant governing bodies or individuals and formulate a remediation strategy. (89., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • As part of the ICT risk management framework, financial entities shall implement communication policies for internal staff and for external stakeholders. Communication policies for staff shall take into account the need to differentiate between staff involved in ICT risk management, in particular th… (Art. 14.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • effective processes and mechanisms for escalating concerns, issues, and regulatory feedback relating to their intragroup outsourcing arrangements to the whole firm or group. (§ 3.18 Bullet 4, SS2/21 Outsourcing and third party risk management, March 2021)
  • The organization shall apply all the reporting principles specified in section 4 of GRI 1: Foundation 2021. (Requirement 1(a), GRI 1: Foundation 2021)
  • The organization shall present information in a way that is accessible and understandable. (Clarity ¶ 1(a), GRI 1: Foundation 2021)
  • not present information in a way that is likely to inappropriately influence the conclusions or assessments of information users. (Balance Guidance ¶ 1 Bullet 5, GRI 1: Foundation 2021)
  • The organization shall report information in an unbiased way and provide a fair representation of the organization's negative and positive impacts. (Balance ¶ 1(a), GRI 1: Foundation 2021)
  • not overemphasize positive news or impacts; (Balance Guidance ¶ 1 Bullet 4, GRI 1: Foundation 2021)
  • The organization shall report information that is correct and sufficiently detailed to allow an assessment of the organization's impacts. (Accuracy ¶ 1(a), GRI 1: Foundation 2021)
  • A practical approach to external communication, targeting all interested parties, should be adopted in accordance with organization policy. (§ 7.4.3 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • A clear and timely escalation process should be adopted and communicated to ensure that all noncompliances are raised, reported and eventually escalated to relevant management, and that the compliance function is informed and able to support the escalation. Where appropriate, escalation should be to… (§ 10.1.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • the stakeholder requirements for recording financial and non-financial information relevant to IT asset management, and for reporting on it both internally and externally. (Section 4.2 ¶ 1 bullet 4, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Disclosures should be defined, collected, recorded, and analyzed in such a way that the information reported is verifiable to ensure it is high quality. For future-oriented information, this means assumptions used can be traced back to their sources. This does not imply a requirement for independent… (§ F. Principle 6 Bullet 3, Implementing the Recommendations of the Task Force on Climate-related Financial Disclosures, October 2021)
  • Requesting that senior management (and the engaging party, if different) consult with an appropriately qualified third party, such as the service organization's legal counsel or a regulator (¶ 3.191 Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Communicating with third parties (such as a regulator) (¶ 3.191 Bullet 6, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor may be precluded from reporting such incidents to parties outside the service organization because of the service auditor's professional duty to maintain the confidentiality of client information. However, the service auditor's legal responsibilities may vary by jurisdiction and,… (¶ 3.195, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Communicating with third parties (such as a regulator) (¶ 3.222 Bullet 6, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Every insurer required to file an audited financial report pursuant to this regulation that has annual direct written and assumed premiums, excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, of $500,000,000 or more shall prepare a report of the insure… (Section 17.A., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Extensions of the June 1 filing date may be granted by the commissioner for thirty-day periods upon a showing by the insurer and its independent certified public accountant of the reasons for requesting an extension and determination by the commissioner of good cause for an extension. The request fo… (Section 4.B., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • An insurer with direct written and assumed premium, excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, less than $500,000,000 may make application to the commissioner for a waiver from the Section 14 requirements based upon hardship. The insurer shall… (Section 14.I., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • To exercise the election of the controlling person to designate the audit committee for purposes of this regulation, the ultimate controlling person shall provide written notice to the commissioners of the affected insurers. Notification shall be made timely prior to the issuance of the statutory au… (Section 14.F., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • The insurer shall file, with its annual statement filing, the approval for relief from Subsection L(1) with the states that it is licensed in or doing business in and the NAIC. If the nondomestic state accepts electronic filing with the NAIC, the insurer shall file the approval in an electronic form… (Section 7.L.(2), Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • The lead (or coordinating) audit partner (having primary responsibility for the audit) may not act in that capacity for more than five (5) consecutive years. The person shall be disqualified from acting in that or a similar capacity for the same company or its insurance subsidiaries or affiliates fo… (Section 7.D.(1), Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • The insurer shall file, with its annual statement filing, the approval for relief from Subsection D(1) with the states that it is licensed in or doing business in and with the NAIC. If the nondomestic state accepts electronic filing with the NAIC, the insurer shall file the approval in an electronic… (Section 7.D.(2), Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • TIMING AND FORM OF REPORTING.—The information required to be reported under this subsection shall be reported regularly (but not less often than monthly) and in such form and manner as the Secretary prescribes. Such information shall first be required to be reported on a date specified by the Secr… (§ 1128E(b)(4), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • GENERAL PURPOSE.—Not later than January 1, 1997, the Secretary shall establish a national health care fraud and abuse data collection program for the reporting of final adverse actions (not including settlements in which no findings of liability have been made) against health care providers, suppl… (§ 1128E(a), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • An AC is a staff member of the CGA who manages the agreement between the Contractor and agency. The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, and certification tes… (§ 3.2.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • An AC is a staff member of the CGA who manages the agreement between the Contractor and agency. The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, and certification tes… (§ 3.2.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Management should externally communicate the necessary quality information to achieve the entity’s objectives. (15.01, Standards for Internal Control in the Federal Government)
  • prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; (§ 10 (a)(9), Connecticut Public Act No. 22-15, An Act Concerning Personal Data Privacy and Online Monitoring)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report or prosecute those responsible for any such activity. (§ 12D-110.(a)(9), Delaware Code, Title 6, Subtitle II, Chapter 12D. Delaware Personal Data Privacy Act)
  • Preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security. (§ 501.716(1)(g), Florida Statutes, Title XXXIII, Chapter 501, Sections 701-721, Florida Digital Bill of Rights)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, investigate, report, or prosecute those responsible for any such action, and preserve the integrity or security of systems. (IC 24-15-8-1(a)(7), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • Investigate, report, or prosecute those responsible for any such action. (§ 715D.7.1.i., Iowa Code Annotated, Section 715D, An Act Relating to Consumer Data Protection, Providing Civil Penalties, and Including Effective Date Provisions)
  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any of these actions; (§ Section 11. (1)(i), Montana Consumer Data Privacy Act 2023)
  • fulfill applicable regulatory reporting obligations. (§ 500.2 Cybersecurity Program (b)(6), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for such action; (§ 47-18-3208.(a)(7), Tennessee Code Annotated, Title 47, Chapter 18, Parts 3201 through 3213, Tennessee Information Protection Act)
  • preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security; (§ 541.201 (a)(7), Texas Business and Commercial Code, Title 11, Subtitle C, Chapter 541, Subchapter A, Section 541)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; (§ 59.1-582.A.7., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)