Include reporting to governing bodies in the external reporting plan.


CONTROL ID
12923
CONTROL TYPE
Communicate
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an external reporting program., CC ID: 12876

This Control has the following implementation support Control(s):
  • Submit confidential treatment applications to interested personnel and affected parties., CC ID: 16592


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The licensed corporation should seek approval for the premises used for keeping Regulatory Records under section 130 of the SFO. See Part D below. (7.(h), Circular to Licensed Corporations - Use of external electronic data storage)
  • apply for approval under section 130 of the SFO for the data centre(s) used by the EDSP at which the Regulatory Records of the licensed corporation will be kept; (8. ¶ 1 (a), Circular to Licensed Corporations - Use of external electronic data storage)
  • apply for approval under section 130 of the SFO. (24. Bullet 2, Circular to Licensed Corporations - Use of external electronic data storage)
  • The licensed corporation should notify the SFC of the proposed transition arrangement at least 30 calendar days prior to any termination, expiration, novation or assignment of the service agreement with the EDSP. The licensed corporation should ensure that the EDSP gives it sufficient notice before … (10., Circular to Licensed Corporations - Use of external electronic data storage)
  • When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission. (Article 23-3(3), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this cas… (Article 23-3(2), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). (Article 56(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • An institution should notify MAS as soon as possible of any adverse development arising from its outsourcing arrangements that could impact the institution. Such adverse developments include any event that could potentially lead to prolonged service failure or disruption in the outsourcing arrangeme… (4.2.1, Guidelines on Outsourcing)
  • The Board, governing bodies and individuals would typically define their information requirements (e.g. schedule, format, scope and content) to ensure they are provided with sufficient and timely information to effectively discharge their information security roles and responsibilities. Reporting to… (13., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Under CPS 234, an APRA-regulated entity must notify APRA of information security control weaknesses meeting specified criteria. An APRA-regulated entity would typically escalate material control weaknesses to the relevant governing bodies or individuals and formulate a remediation strategy. (89., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Member States shall notify their national cybersecurity strategies to the Commission within three months of their adoption. Member States may exclude information which relates to their national security from such notifications. (Article 7 3., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • A firm must deal with its regulators in an open and cooperative way, and must disclose to the FCA appropriately anything relating to the firm of which that regulator would reasonably expect notice. (2.1.1 Principle 11 Relations with regulators, Principles for Businesses)
  • Although Notifications 2.3(1)(e) only apply to material outsourcing arrangements, material non-outsourcing third party arrangements may constitute 'information of which the PRA would reasonably expect notice' within the meaning of Fundamental Rule 7 and Senior Manager Conduct Rule/Conduct Standard 4… (§ 5.17, SS2/21 Outsourcing and third party risk management, March 2021)
  • Notifications 2.3(1)(e) requires all PRA-regulated firms, including credit unions and NDFs, to notify the PRA when 'entering, or significantly changing a material outsourcing arrangement'. The PRA expects these notifications to be made before entering into the outsourcing arrangement. The PRA also e… (§ 5.14, SS2/21 Outsourcing and third party risk management, March 2021)
  • Where data is encrypted, firms should ensure that any encryption keys or other forms of protection are kept secure by the firm or outsourcing provider. The data protected by encryption (although not necessarily the encryption keys themselves) should be provided to the PRA in an accessible format if … (§ 7.12, SS2/21 Outsourcing and third party risk management, March 2021)
  • The processes for vendor due diligence and for assessing the materiality and risks of outsourcing arrangements (including notification to the PRA where required). (Table 4 Column 2 Row 2 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • The organization shall notify GRI of the use of the GRI Standards and the statement of use by sending an email to reportregistration@globalreporting.org. (Requirement 9(a), GRI 1: Foundation 2021)
  • The link to the GRI content index. (Requirement 9 Guidance ¶ 1 Bullet 2, GRI 1: Foundation 2021)
  • The legal name of the organization. (Requirement 9 Guidance ¶ 1 Bullet 1, GRI 1: Foundation 2021)
  • The link to the report, if publishing a standalone sustainability report. (Requirement 9 Guidance ¶ 1 Bullet 3, GRI 1: Foundation 2021)
  • A contact person in the organization and their contact details. (Requirement 9 Guidance ¶ 1 Bullet 5, GRI 1: Foundation 2021)
  • The legal name of the organization. (Notify GRI Guidance ¶ 1 Bullet 1, GRI 1: Foundation 2021)
  • The link to the GRI content index. (Notify GRI Guidance ¶ 1 Bullet 2, GRI 1: Foundation 2021)
  • The organization shall notify GRI of the use of the GRI Standards and the statement of use by sending an email to reportregistration@globalreporting.org. (Notify GRI (a), GRI 1: Foundation 2021)
  • A contact person in the organization and their contact details. (Notify GRI Guidance ¶ 1 Bullet 5, GRI 1: Foundation 2021)
  • list all its entities included in its sustainability reporting; (Disclosure 2-2 ¶ 1(a), GRI 2: General Disclosures, 2021)
  • describe its policy and practice for seeking external assurance, including whether and how the highest governance body and senior executives are involved; (Disclosure 2-5 ¶ 1(a), GRI 2: General Disclosures, 2021)
  • Establish a plan to provide desired reports to management, the governing authority, and stakeholders, while ensuring compliance with mandatory reporting and filing requirements. (OCEG GRC Capability Model, v. 3.0, P3.1 Develop Reporting Plan, OCEG GRC Capability Model, v 3.0)
  • regulators; (§ 9.1.3 ¶ 1 Bullet 4, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization should retain documented information as evidence of the results of management reviews and a copy should be provided to the governing body. (§ 9.3 ¶ 5, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • When organizations are required by law to report noncompliance, regulatory authorities need to be informed in accordance with the applicable regulations or as otherwise agreed. (§ 10.1.2 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • An independent audit function identifies, tracks, and reports significant changes in the organization's cyber risk exposure to the appropriate governing authority (e.g., the Board or one of its committees). (GV.AU-3, CRI Profile, v1.2)
  • in response to a court order or (¶ 3.195 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • in compliance with requirements for examinations of service organizations that receive financial assistance from a government agency. (¶ 3.195 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service auditor suspects fraud involving senior management, communicating those suspicions to those charged with governance and discussing with them the nature, timing, and extent of procedures necessary to complete the examination (¶ 3.191 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service auditor suspects fraud involving senior management, communicating those suspicions to those charged with governance and discussing with them the nature, timing, and extent of procedures necessary to complete the examination (¶ 3.222 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • All insurers shall have an annual audit by an independent certified public accountant and shall file an audited financial report with the commissioner on or before June 1 for the year ended December 31 immediately preceding. The commissioner may require an insurer to file an audited financial report… (Section 4.A., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Every insurer required to file an audited financial report pursuant to this regulation that has annual direct written and assumed premiums, excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, of $500,000,000 or more shall prepare a report of the insure… (Section 17.A., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Extensions of the June 1 filing date may be granted by the commissioner for thirty-day periods upon a showing by the insurer and its independent certified public accountant of the reasons for requesting an extension and determination by the commissioner of good cause for an extension. The request fo… (Section 4.B., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • If an accountant who was the accountant for the immediately preceding filed audited financial report is dismissed or resigns, the insurer shall within five (5) business days notify the commissioner of this event. The insurer shall also furnish the commissioner with a separate letter within ten (10) … (Section 6.C., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • ensure that the agency Chief Information Officer, in coordination with other senior agency officials, reports annually to the agency head on the effectiveness of the agency information security program, including progress of remedial actions; (§ 3554(a)(5), Federal Information Security Modernization Act of 2014)
  • IN GENERAL.—Each agency shall submit to the Director, the Secretary, the Committee on Government Reform, the Committee on Homeland Security, and the Committee on Science of the House of Representatives, the Committee on Homeland Security and Governmental Affairs and the Committee on Commerce, Scie… (§ 3554(c)(1)(A), Federal Information Security Modernization Act of 2014)
  • TIMING AND FORM OF REPORTING.—The information required to be reported under this subsection shall be reported regularly (but not less often than monthly) and in such form and manner as the Secretary prescribes. Such information shall first be required to be reported on a date specified by the Secr… (§ 1128E(b)(4), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • The enterprise monitors the status of systems and components and communicates out-of-bounds and out-of-spec performance to suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers. The enterprise should also report this information to t… (MA-8 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The enterprise monitors the status of systems and components and communicates out-of-bounds and out-of-spec performance to suppliers, developers, system integrators, external system service providers, and other ICT/OT-related service providers. The enterprise should also report this information to t… (MA-8 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • In conclusion, a Covered Entity may adopt the cybersecurity program of an affiliate. A DFS examination or investigation of the Covered Entity may include a review of the adopted portions of the cybersecurity program of that affiliate, and the Covered Entity is responsible for providing DFS with docu… (¶ 6, Adoption of an Affiliate’s Cybersecurity Program)
  • One way to ensure that DFS will be able to access the requisite documentation and information is to ensure that any agreement between a Covered Entity and its affiliate provides for such access. DFS must have access, at a minimum, to documentation including the affiliate's cybersecurity policies and… (¶ 5, Adoption of an Affiliate’s Cybersecurity Program)
  • Covered Entities are required to make available to DFS, upon request, all "documentation and information" relevant to their cybersecurity programs. 23 NYCRR § 500.2(d). This includes all documentation and information relevant to cybersecurity programs adopted from an affiliate. If a Covered Entity … (¶ 4, Adoption of an Affiliate’s Cybersecurity Program)