Anti-Corruption Policy

Introduction

The Forum of Incident Response and Security Teams, Inc. (FIRST) is committed to conducting its business ethically and in compliance with all applicable laws and regulations, including the U.S. Foreign Corrupt Practices Act (FCPA) and similar laws in other countries that prohibit improper payments to obtain a business advantage. This document describes FIRST’s Policy prohibiting bribery and other improper payments in the conduct of FIRST business operations, as well as individual responsibilities for ensuring implementation of the Policy. Questions about the Policy or its applicability to particular circumstances should be directed to the Executive Director.

Policy Overview

FIRST strictly prohibits bribery or other improper payments in any of its business operations. This prohibition applies to all business activities anywhere in the world, whether involving government officials or other commercial enterprises. A bribe or other improper payment to secure a business advantage is never acceptable and can expose individuals and FIRST to possible criminal prosecution, reputational harm, or other serious consequences including imprisonment and massive fines. This Policy applies to everyone at FIRST, including all directors, officers, and members, as well as other intermediaries acting on FIRST’s behalf. Each director, officer, and member of FIRST has a personal responsibility and obligation to conduct FIRST’s business activities ethically and in compliance with all applicable laws based on the countries wherein FIRST does business. Failure to do so may result in disciplinary action, up to and including possible suspension or revocation of membership.

Improper payments prohibited by this policy include bribes, kickbacks, excessive gifts or entertainment, or any other payment made or offered to obtain an undue business advantage. These payments should not be confused with the very limited exceptions for token, nominal, or inexpensive gifts, reasonable business entertainment, and other legitimate activities directly related to the conduct of FIRST’s business.

FIRST has developed a program for implementing this Policy, including appropriate guidance, training, and oversight. The Executive Director has overall responsibility for the program, supported by the Board of Directors of FIRST. The Executive Director is responsible for giving advice on the interpretation and application of this policy, supporting training and education, and responding to reported concerns. The prohibition on bribery and other improper payments applies to all business activities, but is particularly important when dealing with government officials. The U.S. Foreign Corrupt Practices Act and similar laws in other countries strictly prohibit improper payments to gain a business advantage and impose severe penalties for violations. The following summary is intended to provide personnel engaged in international activities a basic familiarity with applicable rules so that inadvertent violations can be avoided, and potential issues can be recognized in time to be properly addressed.

Common Questions about Anti-Bribery Laws

What do anti-bribery laws prohibit?

The FCPA and other anti-bribery laws make it unlawful to bribe a foreign official to gain an “improper business advantage”. An improper business advantage may involve efforts to obtain or retain business, as in the awarding of a government contract, but also can involve regulatory actions such as licensing or approvals. Examples of prohibited regulatory bribery include paying a foreign official to ignore an applicable customs requirement. A violation can occur even if an improper payment is only offered or promised and not actually made; if it is made but fails to achieve the desired result; or if the result benefits someone other than the giver (for example, directing business to a third party). Also, it does not matter that the foreign official may have suggested or demanded the bribe, or that a company feels that it is already entitled to the government action.

Who is a “foreign official”?

A “foreign official” can be essentially anyone who exercises governmental authority. This includes any officer or employee of a foreign government department, agency, or any foreign political party, including any foreign party official or candidate for foreign political office, and any person acting on behalf of any one or combination of these, including part-time government employees and any other person if there is reason to believe that such person would pass on a prohibited payment or benefit to an officer or employee of a foreign government, whether in the executive, legislative, judicial, or other branch of government, and whether at the national, state, or local level. Officials and employees of government-owned or controlled enterprises also are covered, as are private citizens who act in an official governmental capacity. Foreign official status often will be apparent, but not always. In some instances, individuals may not consider themselves officials or be treated as such by their own governments, but nevertheless exercise authority that would make them a “foreign official” for purposes of anti-bribery laws. FIRST directors, officers, and members engaged in international activities are responsible under this Policy for inquiring whether a proposed activity could involve a foreign official or an entity owned or controlled by a foreign government, and should consult with the Executive Director when questions about status arise.

What types of payments are prohibited?

The FCPA prohibits offering, promising or giving “anything of value” to a foreign official to gain an improper business advantage. In addition to cash payments, “anything of value” may include:

Other less obvious items provided to a foreign official can also violate anti-bribery laws. Examples include in-kind contributions, investment opportunities, stock options in companies or positions in joint ventures, or favorable or steered subcontracts. The prohibition applies whether an item would benefit the official directly or another person, such as a family member, friend, or business associate.

Under the law, FIRST directors, officers, or members may be held liable for improper payments by an agent or other intermediary if there is actual knowledge or reason to know that a bribe will be paid. Willful ignorance – which includes not making reasonable inquiry when there are suspicious circumstances – is not a defense, and it also does not matter whether the intermediary is itself subject to anti-bribery laws. All individuals therefore must be alert to potential “red flags” in transactions with third parties.

FIRST and its affiliates must keep accurate books and records that reflect transactions and asset dispositions in reasonable detail, supported by a proper system of internal accounting controls. These requirements are implemented through FIRST’s standard accounting rules and procedures, which all personnel are required to follow without exception. Special care must be exercised when transactions may involve payments to foreign officials. Off-the-books accounts should never be used. Facilitation or other payments to foreign officials should be promptly reported and properly recorded, with respect to purpose, amount, and other relevant factors. Requests for false invoices or payment of expenses that are unusual, excessive, or inadequately described must be rejected and promptly reported. Misleading, incomplete, or false entries in FIRST’s books and records are never acceptable.

FIRST has established detailed standards and procedures for the selection, appointment, and monitoring of agents, consultants, and other third parties. These standards and procedures must be followed in all cases, with particular attention to “red flags” that may indicate possible legal or ethical violations. Due diligence ordinarily will include appropriate reference and background checks, written contract provisions that confirm a business partner’s responsibilities, and appropriate monitoring controls. Personnel working with agents and other third parties should pay particular attention to unusual or suspicious circumstances that may indicate possible legal or ethical concerns, commonly referred to as “red flags”. The presence of red flags in a relationship or transaction requires greater scrutiny and implementation of safeguards to prevent and detect improper conduct. Potential “red flags” include requests for payments in cash, claims by a prospective agent that it has connections or an inside track with government officials, requests for payments to third parties, requests for payments to accounts in a third country, or similar warning signs. More extensive due diligence should be performed in countries with reputations for corruption and bribery. Appointment of an agent or other third party ordinarily requires prior approval by an appropriate officer, description of the nature and scope of services provided in a written contract, and appropriate contractual safeguards against potential violations of law or FIRST policy.

This Policy imposes on all personnel specific responsibilities and obligations that will be enforced through standard disciplinary measures and properly reflected in membership records. All directors, officers, and members of FIRST are responsible for understanding and complying with the Policy, as it relates to their responsibilities. Every director, officer, and member has an obligation to:

Willful ignorance or the conscious disregard of any suspicious conduct or circumstances is not a defense to a charge of violating the FCPA if the circumstances would have alerted a reasonable person to a high probability of an FCPA violation.

Any individual who has reason to believe that a violation of this Policy has occurred, or may occur, must promptly report this information to the Executive Director. Any questions about this policy should also be directed to the Executive Director. Alternatively, information may be reported in confidence through the process documented at: www.first.org/about/policies/whistleblower-policy.

Retaliation in any form against an individual who has in good faith reported a violation or possible violation of this Policy is strictly prohibited. Individuals who violate this Policy will be subject to disciplinary action, up to and including possible suspension or revocation of membership. Violations can also result in prosecution by law enforcement authorities and serious criminal and civil penalties.

This Policy does not address every aspect of the FCPA or similar laws in other countries, but is instead intended to generally explain the FCPA and such similar laws, and to provide certain guidelines for FIRST directors, officers, and members. These guidelines are in addition to other policies in place at FIRST as to conduct in business activities.

Adopted by the FIRST Board of Directors on __ September 2020