On 31 December 2015, the USA's Office of Foreign Assets Control (OFAC) issued in summary form the Cyber-Related Sanctions Regulations, 31 CFR Part 578, ("the Cyber Sanctions Regulations").
What is OFAC?
OFAC is responsible for managing sanctions arising from US foreign policy goals. It has traditionally sought to sanction the financial services sector but is now turning to cyber threats to the USA, such as hacking and corporate espionage.
OFAC publishes the Specially Designated Nationals (SDN) List. The SDN List includes individuals, aircraft and ships, as well as corporate entities, with which American citizens and permanent residents of the USA are prohibited from doing business.
The scope of OFAC's work reaches beyond the USA's borders and can impact upon international transactions. As cyber-attacks often originate in foreign countries, it is inevitable that this will have an impact on foreign companies as well as US companies.
Cyber Sanctions Regulations
OFAC has yet to publish the detailed regulations and has not yet designated any individual for Cyber Sanctions. But the summary gives a useful indication as to the direction of travel, and any company that has operations in the US, trades in US dollars or does business in the US will want to pay attention to how it can avoid directly or indirectly assisting individuals or entities on the SDN List.
OFAC has indicated that more substantial regulations will follow but the documents provided so far by OFAC give a strong indication of how OFAC intends to regulate and impose sanctions in relation to malicious cyber activities.
Although the definition of "Cyber Activities" has yet to be decided, OFAC has indicated in its Frequently Asked Questions section that the public should be aware that the Cyber Sanctions Regulations are intended to include:
“deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.”
The Cyber Sanctions Regulations include the following guidance as to the kinds of "support" activities OFAC will be seeking to police:
"any property, tangible or intangible, including but not limited to currency, financial instruments, securities, or any other transmission of value; weapons or related materiel; chemical or biological agents; explosives; false documentation or identification; communications equipment; computers; electronic or other devices or equipment; technologies; lodging; safe houses; facilities; vehicles or other means of transportation; or goods"
It is too soon to be able to provide detailed commentary on what the regulations will mean for UK companies or other companies with a parent or an associate group company doing business in the USA. OFAC regulations have in the past had a wide-ranging impact on international transactions. As the intention is to sanction hackers and those deemed to be involved in corporate espionage, companies will need to consider their compliance strategy. The summary of the Cyber Sanctions Regulations underlines the need for companies to conduct adequate due diligence on all new customers and clients in order to ensure they are not on the SDN List. Companies will need to consider the scope of "financial, material, or technological support" and whether they need to change their operations and internal security to ensure they have systems that keep them from transacting with those listed on the SDN List. We will provide a further update when the regulations have been published in full, but this is yet another area where US policy is set to affect international trade.