President Obama today signed an Executive Order granting authority to the Department of the Treasury’s Office of Foreign Assets Control (OFAC) to impose sanctions on individuals and entities determined to be “responsible for or complicit in malicious cyber-enabled activities” that result in harms “reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.”  For purposes of the Executive Order, “malicious cyber-enabled activities” include deliberate activities accomplished through unauthorized access to a computer system, including

  • by remote access;
  • circumventing one or more protection measures, including by bypassing a firewall; or
  • compromising the security of hardware or software in the supply chain.

OFAC will work in coordination with other U.S. government agencies to identify individuals and entities whose conduct meets the criteria set forth in the Executive Order and designate them for sanctions. Persons designated under this authority will be added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List).   There are no immediate compliance obligations for U.S. companies under this Executive Order, however, once Treasury has made designations pursuant to this authority, U.S. persons (and persons otherwise subject to OFAC jurisdiction) must ensure that they are not engaging in trade or other transactions with persons named on OFAC’s SDN List pursuant to this Executive Order or any entity owned by such persons.

The Executive Order is available here.   OFAC has issued a series of related Frequently Asked Questions here.