ICP guidance generally identifies 7 elements as detailed below. This section seeks to identify specific additions to ICPs.
Common elements of an ICP, as laid out in other existing guidance:[1]
- Top-level management commitment to compliance
- Organisation structure, responsibilities and resources
- Training and awareness raising
- Transaction screening process and procedures
- Performance review, audits, reporting and corrective actions
- Recordkeeping and documentation
- Physical and information security
Many of the following elements map onto several of the elements in the generic ICP structure detailed above, and relate to thematic pillars of ICPs such as customer onboarding, transaction screening, business travel, and cybersecurity.
Customer Onboarding
- Ensure due diligence and disclosure measures require all available information necessary to establish that a counterparty is not involved in the military end-use enterprise. This may include names of board of directors, lists of subsidiaries and parent companies, names of major investors, and other data.
Hiring
- Ensure the hiring process includes contractual provisions such as strong non-disclosure agreements and policies restricting the removal or unauthorized transfer of company property or sensitive data.
- When conducting background checks on potential hires, seek to identify links with Chinese military-linked entities and Russian strategic entities. Refer concerns to the relevant export licensing authorities.
Travel
- To address the potential vulnerability that business-related foreign travel can present, when possible, sanitize all electronics to remove intellectual property or personal information before traveling overseas, and check the electronics after return.
- Require staff to liaise with compliance officials before giving external presentations on technical topics related to controlled or emerging technology.
Physical Security
- Monitor visitors if they are given access to areas containing sensitive technology, products, or personal information.
Audit
- Establish internal audit processes to ensure ongoing compliance verification and early detection of unauthorized technology transfers or IP theft.
Whistleblowing and Reporting
- Ensure whistleblower protection policies are in place and available for reporting issues related to theft of intellectual property or diversion of technology.
- Ensure appropriate and effective consequences for violations of disclosure requirements and for engagements that do not align with company policies.
Cybersecurity
- Ensure physical security personnel and information technology security personnel have sufficient expertise, threat detection software, countermeasure tools, and protective processes in place.
- Establish and maintain effective data security measures to improve data protection, internal breach prevention, and incident response processes, and to maintain compliance with relevant requirements.
[1] See for example https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019H1318&from=EN