OFAC Issues Cyber-Related Sanctions Regulations

January 6, 2016

On December 31, 2015, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued regulations to implement Executive Order 13694 of April 1, 2015 (“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” “E.O. 13694”). E.O. 13694 requires the blocking of any assets of, and prohibits transactions with, individuals and entities that are determined by the U.S. government to be responsible for, or complicit in, malicious cyber-enabled activities that significantly threaten the national security, foreign policy, economic health or financial stability of the United States. (Please see here for our previous publication discussing E.O. 13694.) The names of individuals and entities identified pursuant to E.O. 13694 whose property and interests in property therefore are blocked are incorporated into OFAC’s List of Specially Designated Nationals and Blocked Persons List with the identifier “[CYBER].” OFAC’s implementing regulations, codified at 31 C.F.R. part 578, are comparable to regulations that OFAC has adopted in connection with other targeted asset blocking sanctions programs. Blocking is required for all property and interests in property that are in the United States, and the transactional prohibitions apply to all U.S. persons.

In addition to authorizing the identification of primary actors for engaging in malicious cyber-enabled activity, E.O. 13694 also authorizes the designation of any person (U.S. or non-U.S.) who has provided “financial, material, or technological support” for malicious cyber-enabled activity or persons whose property and interests in property have already been blocked under E.O. 13694. OFAC’s regulations define the term “financial, material, or technological support” in the same way as other targeted asset blocking sanctions programs, e.g., the Global Terrorism Sanctions Regulations, to mean: “any property, tangible or intangible, including but not limited to currency, financial instruments, securities, or any other transmission of value; weapons or related materiel; chemical or biological agents; explosives; false documentation or identification; communications equipment; computers; electronic or other devices or equipment; technologies; lodging; safe houses; facilities; vehicles or other means of transportation; or goods.” Accordingly, non-U.S. persons who may not be required to comply with the transactional prohibitions of E.O. 13694 due to the lack of a U.S. jurisdictional tie nevertheless face significant risk that they may be targeted by these sanctions if they engage in transactions with individuals and entities that have already been targeted by sanctions under E.O. 13694.

Neither E.O. 13694 nor the regulations define what constitutes “cyber-enabled” activities. However, in a set of FAQs published concurrently with E.O. 13694, OFAC stated that “malicious cyber-enabled activities include deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.” OFAC stated in the Federal Register release accompanying the new regulations that it intends to supplement part 578 with a more comprehensive set of regulations, which may include additional interpretive and definitional guidance and additional general licenses and statements of licensing policy.