December 31, 2015: The Department of the Treasury’s Office of Foreign Assets Control (OFAC) has published its Cyber-Related Sanctions Regulations, 31 C.F.R. Part 578. These regulations implement the President’s April 2015 Executive Order (E.O.) 13694, which authorizes the imposition of broad economic sanctions on individuals and entities that are deemed responsible for “malicious cyber-enabled activities,” which may constitute a significant threat to the national security, foreign policy, and/or economic health or financial stability of the United States. The regulations and E.O. allow the application of sanctions to a broad range of activities, including both direct and indirect attempts to make cyber-enabled attacks. The regulations also authorize sanctions against persons or entities that provide financial, material, or technological support for such attacks.
The E.O. and regulations represent an important expansion of the enforcement tools available to the U.S. government in pursuing the perpetrators of harmful cyber-enabled activities. For example, the regulations allow the U.S. government to respond to cyber-attacks both on critical infrastructure and against U.S. companies.
However, neither the E.O. nor the regulations define key terms, including what may constitute “cyber-enabled” activities. OFAC indicated that it intends to supplement the regulations, by means that “may include additional interpretive and definitional guidance.” Such supplementation will likely prove critical, as, without additional guidance, the regulations and E.O. could be read to allow the sanctioning of persons and entities well beyond cyber-attack perpetrators, including hosting service, network, and software providers.
Once designated under the E.O., sanctioned parties will appear on OFAC’s Specially Designated Nationals (SDN) List. While no entities have yet been designated under these new sanctions, U.S. persons should continue to monitor the U.S. government prohibited parties lists and remain vigilant in conducting due diligence research and compliance checks.
The text of the new regulations as published in the Federal Register, to which the text of E.O. 13694 has been annexed, can be found here.