Practical Issues in Cyber-Related Sanctions

Development of US cyber-related sanctions regimes

Overview of the Cyber-Related Sanctions Program

The United States has been at the forefront of establishing a cyber-focused economic sanctions regime, which is primarily administered by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), although criminal prosecutions for certain wilful sanctions violations are the responsibility of the US Department of Justice.

OFAC administers a variety of sanctions targeting malicious cyber-related activities, such as cyberespionage, cyber-intrusions on critical infrastructure and computer networks, and disinformation campaigns conducted from abroad. The bulk of these sanctions are administered under OFAC’s Cyber-Related Sanctions Program, which was established in 2015 as part of the Obama administration’s response to malicious cyber-enabled activities originating from foreign countries that were directed at both US government agencies and private sector US entities. However, sanctions targeting malicious cyber-related activities are also authorised under other statutory and executive branch sanctions authorities, including the Countering America’s Adversaries Through Sanctions Act (CAATSA), as well as Executive Order (EO) 14024, ‘Blocking Property With Respect To Specified Harmful Foreign Activities of the Government of the Russian Federation’, issued on 15 April 2021.

Prior to the Obama administration’s first EO authorising cyber-related sanctions, malicious cyber-intrusions and cyberespionage from abroad were becoming increasingly frequent and severe. For example, on 19 May 2014, in its first major prosecution against a state actor for malicious cyber-enabled activities, the US Department of Justice indicted five Chinese nationals, allegedly affiliated with the Chinese military, for gaining unauthorised access to computer networks for the apparent purpose of engaging in economic espionage targeted at six US entities involved in the nuclear power, metals and solar products industries. In September 2014, President Obama said his administration viewed cyber-enabled theft of trade secrets as ‘an act of aggression that has to stop’ and warned that the US was prepared to impose countervailing actions ‘to get [China’s] attention’.

Before the establishment of OFAC’s cyber-related sanctions programme, US law enforcement agencies had legal authority to pursue charges against individuals engaged in various types of cyberespionage or unauthorised intrusions into US government and private sector computers and networks. Nevertheless, facing an increasingly severe threat posed by foreign-based hackers targeting valuable US intellectual property and sensitive private data, among other things, US national security agencies viewed sanctions as a tool well-designed to address the extraterritorial nature of cyber-enabled attacks from foreign actors.

This culminated on 1 April 2015 when President Obama issued EO 13694, which declared a national emergency to deal with ‘the unusual and extraordinary threat to the national security, foreign policy, and economy of the United States’ arising from ‘the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States’. As with most US economic sanctions authorities, this EO was issued pursuant to the International Emergency Economic Powers Act and the National Emergencies Act.

On 28 December 2016, President Obama issued EO 13757, which amended EO 13694 to broaden the scope of cyber-related activities subject to sanctions. As amended, those EOs permit the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose blocking sanctions on persons determined:

  • to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of:
    • harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
    • significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
    • causing a significant disruption to the availability of a computer or network of computers;
    • causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain; or
    • tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions; and
  • [t]o be responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States;
  • to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, [certain activities described above] or any person whose property and interests in property are blocked pursuant to [EO 13694, as amended];
  • to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person whose property and interests in property are blocked [pursuant to EO 13694, as amended]; or
  • to have attempted to engage in any of the activities described in [EO 13694, as amended].

Cyber-related sanctions under CAATSA

On 2 August 2017, President Trump signed into law CAATSA, which authorised, inter alia, the imposition of cyber-related sanctions targeting Russia and codified the cyber-related sanctions imposed through EO 13694 and EO 13757. On 20 September 2018, President Trump issued EO 13849, ‘Authorizing the Implementation of Certain Sanctions Set Forth in the Countering America’s Adversaries Through Sanctions Act (CAATSA)’, which delegates authority to impose sanctions under CAATSA to the Secretary of the Treasury.

With respect to Russia, Section 224 of CAATSA includes additional sanctions provisions targeting malicious cyber activities that are distinct from OFAC’s Cyber-Related Sanctions Program. Specifically, Section 224(a)(1) of CAATSA requires the President to impose blocking sanctions on any person that the President determines ‘(A) knowingly engages in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation; or (B) is owned or controlled by, or acts or purports to act for or on behalf of, directly or indirectly’ that person. ‘Significant activities undermining cybersecurity’ include:

  • significant efforts:
    • to deny access to or degrade, disrupt, or destroy an information and communications technology system or network; or
    • to exfiltrate, degrade, corrupt, destroy, or release information from such a system or network without authorization for purposes of:
      • conducting influence operations; or
      • causing a significant misappropriation of funds, economic resources, trade secrets, personal identifications, or financial information for commercial or competitive advantage or private financial gain;
  • significant destructive malware attacks; and
  • significant denial of service activities.

Additionally, the President is required to impose five or more menu-based sanctions on persons the President determines knowingly ‘materially assists, sponsors, or provides financial, material, or technological support for, or goods or services (except financial services)’ in support of, the cyber-related activity described in CAATSA Section 224(a)(1). Those menu-based sanctions include restrictions on a sanctioned person’s ability to participate in, conduct or obtain: US export licences; loans or assistance from certain US and foreign financial institutions, including the US Export-Import Bank; certain foreign exchange transactions; various transactions involving property in the United States; or US visas. These authorities have been delegated to the Secretary of the Treasury in consultation with the Secretary of State.

For a person the President determines ‘provides financial services’ in support of the cyber-related activities described in CAATSA Section 224(a)(1), CAATSA requires the President to impose three or more menu-based sanctions, described separately at 22 USC Section 8923. These include many of the same types of sanctions mentioned above.

Cyber-related sanctions under the new EO targeting harmful foreign activities of Russia

On 15 April 2021, President Biden issued EO 14024, which is aimed at countering a wide array of malign Russian government-sponsored activities, including interference in the 2020 US presidential election and the SolarWinds cyberattack. EO 14024 significantly expands the categories of Russian persons that can be targeted for sanctions by the United States, and includes persons determined ‘to be responsible for or complicit in, or to have directly or indirectly engaged or attempted to engage in . . . malicious cyber-enabled activities’. Sanctions may also be imposed under EO 14024 on the spouses and adult children of persons subject to sanctions under this EO, as well as those determined by the Secretary of the Treasury, in consultation with the Secretary of State, to have materially assisted, sponsored or provided financial, material or technological support for, or goods or services to or in support of, among other things, malicious cyber-enabled activities. Notably, EO 14024 has been the tool of choice for the US to impose blocking and non-blocking sanctions targeting Russia in response to its military invasion of Ukraine in February 2022.

Re-issue of Cyber-Related Sanctions Regulations

On 6 September 2022, OFAC published regulations replacing the original Cyber-Related Sanctions Regulations to ‘further implement’ EOs 13694 and 13757 and Section 224 of CAATSA. The re-issued regulations effectively add interpretive guidance, definitions, general licences and other regulatory provisions, some of which conform the scope of restrictions and regulations with other OFAC sanctions programmes. The regulations include, for example, provisions prohibiting actions that evade or avoid, have the purpose of evading or avoiding, cause a violation of, or attempt to violate any of the prohibitions under the Cyber-Related Sanctions Regulations, a restriction found in nearly all of the other OFAC sanctions programmes. The re-issued regulations also now explicitly define ‘critical infrastructure sector’ as ‘any of the designated critical infrastructure sectors identified in Presidential Policy Directive 21 of February 12, 2013’ and ‘cyber-enabled activities’ as ‘any act that is primarily accomplished through or facilitated by computers or other electronic devices’.

OFAC Ransomware Advisory

On 1 October 2020, OFAC issued its ‘Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments’ (the 2020 Ransomware Advisory) to highlight the sanctions compliance risks associated with facilitating ransomware payments related to malicious cyber-enabled activities (e.g., by providing cyber insurance, digital forensics and incident response, and financial services related to processing ransom payments, including by depository institutions and money services businesses). In the Advisory, OFAC warned that facilitating a ransomware payment may enable and embolden criminals, as well as adversaries with a nexus to a sanctioned party or country, and, critically, does not guarantee that a victim regains access to stolen data. OFAC also noted that victims of a ransomware attack should: contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus; and contact the US Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection if an attack involves a US financial institution or may cause ‘significant disruption to a firm’s ability to perform critical financial services’.

OFAC expanded its guidance on 21 September 2021 in a publication entitled ‘Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments’ (the 2021 Ransomware Advisory), which OFAC issued ‘to highlight the sanctions risks associated with ransomware payments’ and ‘the proactive steps companies can take to mitigate such risks’, including those actions that OFAC would consider to be mitigating factors with respect to enforcement. The 2021 Ransomware Advisory adds to the 2020 Ransomware Advisory in several significant ways: it adds a strong discouragement of engaging in ransomware payments and a warning that entities making ransomware payments to a blocked person or a sanctioned jurisdiction are subject to strict liability and risk facing penalties, even without knowledge of a connection to a blocked person or sanctioned jurisdiction. Consequently, OFAC also recommends that companies expand controls to account for the risk of ransomware payments being made to prohibited persons. Further, OFAC strongly encourages, and even incentivises, companies to report ransomware demands to law enforcement and will consider cooperation with law enforcement as a mitigating factor when assessing penalties against entities that have been involved in making ransomware payments to blocked, or otherwise sanctioned, parties.

The 2021 Ransomware Advisory references several other agencies and encourages the adoption of practices laid out in the Cybersecurity and Infrastructure Security Agency’s Ransomware Guide and consideration of applicable Financial Crimes Enforcement Network (FinCEN) regulatory obligations.

Sanctions Compliance Guidance for the Virtual Currency Industry

On 15 October 2021, OFAC published guidance entitled ‘Sanctions Compliance Guidance for the Virtual Currency Industry’ (the Virtual Currency Guidance), which provides an overview of compliance best practices. The Guidance clarifies that the sanctions compliance obligations imposed by OFAC apply equally to transactions involving virtual currencies and those involving traditional fiat currencies and that companies are responsible for ensuring that they do not engage in direct or indirect transactions that are prohibited by OFAC sanctions when dealing in virtual currency. The Virtual Currency Guidance acknowledges that OFAC sanctions have increasingly targeted persons that have used virtual currency in connection with various types of malign activity. Given the industry’s rising level of importance, the Guidance encourages companies to have in place a risk-based compliance programme, which includes internal controls to identify and stop virtual currency transactions that would violate OFAC sanctions. Ultimately, the Guidance makes clear that companies are under the same obligations with respect to virtual currency as they are for fiat currency when it comes to complying with OFAC sanctions.

FinCEN Advisory

As noted above, OFAC’s 2021 Ransomware Advisory made note of guidance from other agencies, including FinCEN. On 1 October 2021, FinCEN issued an advisory entitled ‘Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments’ (the FinCEN Advisory). The FinCEN Advisory lists several red flag indicators to assist in identifying, preventing and reporting ransomware attacks and reminds financial institutions of their regulatory obligations regarding reporting suspicious activity involving ransomware. Financial institutions should note that although OFAC strongly encourages reporting of ransomware attacks and payments, the FinCEN Advisory makes clear that, in some instances, financial institutions may be required to report incidents.

OFAC enforcement and recent illustrative cases

OFAC’s use of cyber-related sanctions authorities appears to be on the rise. OFAC enforcement of these sanctions authorities can generally be divided into two parts: (1) the imposition of blocking or menu-based sanctions on individuals and entities for engaging in sanctionable activities (e.g., perpetrating cyberattacks or materially assisting by laundering funds obtained thereby); and (2) the imposition of civil penalties for the violation of sanctions (e.g., transacting with a blocked person sanctioned for malign cyber activities). Criminal prosecutions for sanctions violations, which typically focus on the most egregious wilful misconduct, are within the purview of the US Department of Justice.

Since 2015, OFAC has designated numerous parties under cyber-related sanctions authorities each year. However, OFAC has, at least based on what has been made public, imposed relatively few civil penalties connected to cyber-related sanctions or other cyber-related sanctions compliance failures. Nevertheless, based on guidance issued in 2020 and OFAC’s recent imposition of civil penalties against certain internet-based businesses and entities involved in the use of digital currencies, OFAC has demonstrated that it expects parties to implement fully fledged risk-based sanctions compliance programmes to address malign cyber activities and other cyber-related vulnerabilities.

Cyber-related sanctions designations

OFAC has designated numerous persons under its cyber-related sanctions programme over the past few years, with more designations in 2022 than in any other year. Persons designated under these authorities include individual hackers, money launderers, non-state actors such as organised ‘troll farms’ (e.g., Internet Research Agency), international cybercriminal organisations (e.g., Evil Corp, Hydra Market, Garantex), virtual currency mixers (e.g., Tornado Cash) and even a few foreign government agencies (e.g., the Russian Federation Federal Security Service).

OFAC has mainly focused on actors residing in or associated with foreign nation states perceived as hostile to the United States – primarily Russia, China, Iran and North Korea – and engaging in certain malicious cyber-enabled activities, such as:

  • development and distribution of malware, ransomware and phishing and spoofing scams;
  • interference with electoral processes and institutions worldwide through false information or hacking;
  • theft of economic resources, trade secrets, personal identifying information or financial information by cyber intrusions for private financial gain;
  • publication of stolen sensitive documents obtained and sometimes manipulated through cyber intrusions;
  • disruption of network access;
  • compromise of US government entities and US critical infrastructure sectors; and
  • the use of virtual currency or other digital assets to evade or otherwise violate US sanctions.

OFAC’s 2022 designations indicate its continued focus on the virtual currency industry’s role in sanctions evasion.

More recently, OFAC has targeted state-backed groups engaging in cyber-enabled activities against the United States and its allies. In September 2022, for example, OFAC designated Iran’s Ministry of Intelligence and Security and its Minister of Intelligence, which it alleged ‘conducted malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors’, through networks of cyber threat actors such as the now-sanctioned groups Muddy Water and APT39, and engaged in malicious cyber activities that disrupted the Albanian government’s computer systems. OFAC also designated 10 individuals and two entities associated with the Islamic Revolutionary Guard Corps, which engaged in various forms of ransomware activity and cybercrime against small businesses, a children’s hospital, an accounting firm, a law firm, a New Jersey municipality, emergency service providers, healthcare practices, educational institutions and an electricity utility company serving a rural area.

As noted above, entities involved in providing cryptocurrency-related services are also becoming a more frequent target of OFAC sanctions designations, with several major cryptocurrency-related service providers being designated in 2022, often for engaging in or facilitating money laundering, sanctions evasion and ransomware attacks. On 8 November 2022, for example, OFAC sanctioned Tornado Cash, a virtual currency mixer that, according to OFAC, obfuscated the movement of over US$455 million stolen in March 2022 by the OFAC-designated, North Korea-controlled Lazarus Group in the largest known virtual currency heist to date. Previously, Blender.io, which OFAC described as ‘a virtual currency mixer that operates on the Bitcoin blockchain and indiscriminately facilitates illicit transactions by obfuscating their origin, destination, and counterparties’, was sanctioned under EO 13694, as amended, marking the first time a virtual currency mixer had been sanctioned by OFAC.

Another sanctions announcement from 2023 indicates increased coordination between the US and allied governments. On 9 February 2023, the US and UK jointly announced that a group of seven individuals associated with a Russia-based cybercrime gang called Trickbot were being sanctioned for reportedly engaging in a string of illegal cyber activities, including ransomware attacks.

Most recently, on 5 April 2023, OFAC designated Genesis Market, a ‘criminal marketplace’ believed to be located in Russia, which has reportedly been involved in, among other things, ‘packaging’ computer and mobile device identifiers, email addresses, usernames, passwords and other credentials stolen through the use of malware from leading US and international companies and selling them on its website.

In many cases, persons that OFAC has found engaging in activities that are similar or analogous to those targeted under the Cyber-Related Sanctions Regulations have been designated under EOs or programmes that are distinct from the Cyber-Related Sanctions Regulations. For example, in addition to being designated under EO 13694, Tornado Cash’s sanctions designation was updated to note that it was also sanctioned under the North Korea sanctions programme pursuant to EO 13772, based on OFAC’s determination that the company had a role in ‘enabling malicious cyber activities, which ultimately support the [Democratic People’s Republic of North Korea]’s WMD program’. In the case of Garantex, while the company appeared to have facilitated various cyber-enabled activities sanctionable under the Cyber-Related Sanctions Regulations, OFAC ultimately imposed sanctions on the virtual currency exchange under EO 14024, an EO that falls under OFAC’s Russian Harmful Foreign Activities Sanctions programme, ‘for operating or having operated in the financial services sector of the Russian Federation economy’.

OFAC civil penalties

To date, OFAC has not imposed any publicly disclosed civil penalties specifically tied to cyber-related sanctions violations. However, the following civil settlements generally illustrate OFAC’s compliance expectations in the cyber and digital areas. A constant theme is the offending company’s failure to apply relevant knowledge in its possession – particularly internet protocol (IP) addresses – to identify, prevent or block prohibited users or transactions. US enforcement agencies, including OFAC and the departments of Justice and Commerce, called particular attention to a company’s failure to identify and screen transaction parties by their IP addresses in the following enforcement actions:

  • a settlement agreement that US-based company Bittrex, Inc, which provides an online virtual currency exchange and hosted wallet services, entered into with OFAC on 11 October 2022 relating to 116,421 apparent violations of multiple sanctions programmes, where the company failed to prevent persons apparently located in the Crimea region of Ukraine, Cuba, Iran, Sudan and Syria from using its platform to engage in over US$263 million worth of virtual currency-related transactions;
  • a settlement agreement that Payoneer Inc, a publicly traded New York-based online money transmitter and provider of prepaid access, entered into with OFAC on 23 July 2021 in connection with 2,220 apparent violations of multiple sanctions programmes;
  • a settlement agreement that the German-based software company SAP SE entered into with OFAC on 29 April 2021 relating to 190 apparent violations of the US sanctions against Iran;
  • a settlement agreement that US-based company BitPay, Inc, a digital currency payment service provider, entered into with OFAC on 18 February 2021 in connection with 2,102 apparent violations of multiple sanctions programmes; and
  • a settlement agreement that US-based technology company BitGo, Inc entered into with OFAC on 30 December 2020 in connection with 183 apparent violations of multiple sanctions regimes.

In its announcements of the Bittrex, BitGo and BitPay settlements, OFAC emphasised that US persons involved in the provision of digital currency services (including companies that facilitate or engage in online commerce or process transactions in digital currency) – like all other US persons – have ‘sanctions compliance obligations’. Additionally, citing the essential components of compliance in its ‘Framework for OFAC Compliance Commitments’, OFAC highlighted the importance of implementing technical controls, such as sanctions list and IP address screening, IP blocking mechanisms and blockchain tracing, to mitigate sanctions risks in connection with digital currency services.

Cyber-related sanctions compliance risks

Ransom payments

As discussed in OFAC’s 2020 Ransomware Advisory, a compliance risk unique to cyber-related sanctions relates to ransomware attacks, specifically the payment of ransoms themselves. Unless OFAC grants a specific licence, a person who makes ransom payments to sanctioned parties or jurisdictions may face penalties for violating OFAC regulations. Particularly for ransom payments made in a digital currency, the difficulty of definitively determining whether the transaction involves a sanctioned party or sanctioned jurisdiction can create serious compliance challenges. Although no public civil penalty has been announced in connection with this type of violation, OFAC has emphasised the risks related not only to direct payments of ransoms in contravention of sanctions regulations, but also to facilitating these payments (e.g., ransomware insurance businesses, payment processors). On 21 September 2021, OFAC released the ‘Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments’, which emphasises the US government’s strong discouragement of payment of cyber ransom or extortion demands and the importance of improving cybersecurity practices and of reporting to, and cooperating with, the US government in the event of ransomware attacks.

Digital currency sector

Via its enforcement actions and guidance, OFAC has also been clear that transactions and services involving digital currency present sanctions compliance risk. Therefore, businesses that allow digital currency payments or that are involved in the digital currency market or sector (e.g., digital currency trading platforms, asset management, security) need to consider how to implement appropriate risk-based compliance measures that address the specific vulnerabilities of digital currency. Without appropriate compliance measures, a digital currency service provider could incur liability not only for violating sanctions (e.g., by dealing with blocked persons or persons in sanctioned jurisdictions), but also for facilitating sanctions violations by other parties to a transaction (even if inadvertent).

For example, just as with fiat currency, businesses involved in digital currency transactions would be expected to deploy risk-based sanctions screening for involved parties and to ensure that the funds are not destined for a sanctioned jurisdiction. As described above, recent enforcement actions highlight OFAC’s expectation that internet-based businesses should use all relevant known information in the course of their business for sanctions compliance purposes as well. Specifically, OFAC has recently imposed civil penalties on multiple businesses that knew customers’ IP addresses (e.g., by their use of internet services) but did not ensure that customers with IP addresses in sanctioned jurisdictions were screened or blocked from using their services or transacting on their platforms.

Cryptocurrency, a type of digital currency reliant on cryptography to secure and verify transactions, also presents risk because cybercriminals and other sanctioned parties (including the government of North Korea, Iranian entities and many Russian entities and individuals that have been designated by OFAC since the Russian invasion of Ukraine) may resort to using cryptocurrency as a tool to evade sanctions, launder money and facilitate other illegal activities (e.g., nuclear weapons proliferation). The proceeds of malicious cyber activities are regularly transferred to cryptocurrency exchanges and peer-to-peer marketplaces with negligible customer screening compliance programmes, or individual peer-to-peer or over-the-counter traders operating on exchanges that do not screen their customers. More broadly, digital currency infrastructure has been targeted by some cybercriminals who use illegitimate websites and malicious software to conduct phishing attacks on the digital currency sector. Due diligence and controls to determine whether digital currency has been tainted by sanctionable or criminal cyber activities may be needed in certain transactions or businesses. In relation to this, OFAC has emphasised how anti-money laundering and combating the financing of terrorism controls play a vital role in sanctions and law enforcement generally because these can force cybercriminals to take measures to circumvent the controls that leave trails of evidence and traceability. OFAC has been identifying certain digital currency addresses associated with Specially Designated Nationals (SDNs) and other blocked persons. This new type of information, which OFAC expects to be part of standard screening protocols, typically entails a more arduous screening process due to the difficulty of searching these addresses in the SDN List.

OFAC has also noted that as various sanctioned jurisdictions (e.g., Iran, Russia and North Korea) resort to using or creating digital currencies, the risk entailed in the digital currency sector may increase. The mere use of certain digital currencies could be subject to blanket prohibition, which has already occurred with respect to the ‘Petromoneda’ digital currency issued by the government of Venezuela. As more government-backed digital currencies are issued, this will be an evolving risk area.

Inadvertent exports to sanctioned jurisdictions

Another potential area of compliance risk is the cybertheft of export-controlled information for use in a sanctioned jurisdiction. Any cyber-enabled theft may represent an unauthorised and illegal export of controlled US technology or software. While this type of event may raise more direct export control compliance concerns, especially depending on the nature of the stolen technology or software, OFAC could potentially consider a victim entity accountable for facilitating a sanctions violation for failing to implement appropriate risk-based measures to prevent the compromise and export of the controlled information (e.g., inadequate data security). This scenario highlights that in addition to sanctions regulations, entities should also consider other areas of related compliance risk implicated by malicious cyber-enabled activities, including export controls.

Practical considerations to mitigate cyber-related sanctions compliance risks

In response to the risks described above, and depending on the circumstances, companies may wish to consider some of the following compliance measures.

Risk assessment and risk-based compliance programme

Depending on the nature of a company’s business activities, the risks and challenges in complying with cyber-related sanctions may differ substantially. Conducting an appropriate risk assessment, and tailoring a risk-based compliance programme appropriately with sanctions compliance training for relevant personnel, are essential steps in mitigating risk. Businesses of any size that utilise the internet, even if only for email, may face an increasing risk of ransomware attacks, which raises cyber-related sanctions compliance concerns. This is also a particular concern following Russia’s military invasion of Ukraine and the expansion of US sanctions and other restrictions that target numerous sectors of the Russian economy, including the financial and energy sectors. Businesses involved in e-commerce could potentially face higher cyber-related sanctions compliance risks, including the risk of inadvertently providing goods or services to a sanctioned person or jurisdiction. Those involved in the digital currency sector, including companies that facilitate or engage in online commerce or process transactions using digital currencies, may be more likely to face malicious cyber-enabled attacks, incurring increased sanctions compliance risks and, given the expanded sanctions on Russia and other regions, may also have to contend with sanctioned parties seeking to use digital currencies to evade US sanctions. These risks could be even greater for companies involved in providing cyber insurance, digital forensics services, cyberattack incident response services and financial services that facilitate ransom payments.

Risk-based screening, due diligence, IP blocking and geolocation measures

Depending on a company’s risk profile, it is often best to ensure that all relevant parties are properly screened before engaging in a transaction, to ensure no payments or deliveries of goods or services are made to sanctioned parties or jurisdictions. Reliable screening depends on the collection and review of information reasonably accessible to the company, which means companies should proactively consider ways to verify users’ identities and locations. As evidenced in the BitGo settlement, merely relying on attestations from users concerning their locations without conducting any further due diligence may not suffice to meet compliance obligations in OFAC’s view.

As the world becomes more digitised, bad actors become more sophisticated and determined to conceal their identity or location, and certain sanctions programmes targeting particular jurisdictions (e.g., Russia and the Crimea, Donetsk and Luhansk regions of Ukraine) are introduced, the screening function must adapt as well. Companies should consider including a party’s IP address information in the screening process when this information is available and utilising more advanced geolocation and IP spoofing detection tools to ensure that dealings with parties, including the provision of services and payments, do not involve parties in sanctioned jurisdictions. A company may need to implement IP blocking and ‘geofencing’ measures to prevent sanctioned persons and persons in sanctioned jurisdictions from opening accounts on the company’s website or platform that would allow them to access the company’s services. Where a company becomes aware that its customers, partners or account holders are located in jurisdictions subject to OFAC sanctions, it may be necessary to promptly put restrictions on those accounts and investigate whether US sanctions have been violated.
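The IP screening step described above can be expressed as a small decision routine. The following is an added illustration and not code from the article or from any OFAC guidance; the CIDR blocks, country table and the `anonymiser_flag` input (standing in for a commercial VPN/proxy detection feed) are constructed placeholders, and a real programme would source them from a geolocation and IP intelligence provider.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample table mapping network prefixes to a sanctioned-jurisdiction
# label. These prefixes are documentation ranges (RFC 5737) and match no real
# allocation; a production programme sources them from a geolocation provider.
SANCTIONED_NETWORKS = {
    "EXAMPLE-SANCTIONED-JURISDICTION-A": [ipaddress.ip_network("203.0.113.0/24")],
    "EXAMPLE-SANCTIONED-JURISDICTION-B": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed sample IP-to-country table for non-sanctioned traffic.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Addresses that can never be a customer's real public location. If one of
# these reaches the screening function, a proxy or load balancer is most
# likely forwarding the wrong header, so the session is sent to review.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass
class Decision:
    action: str   # "allow", "block" or "review"
    reason: str


def lookup_jurisdiction(ip):
    """Return a sanctioned-jurisdiction label, a country code, or None."""
    addr = ipaddress.ip_address(ip)
    for label, nets in SANCTIONED_NETWORKS.items():
        if any(addr in net for net in nets):
            return label
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


def screen_session(declared_country, ip, anonymiser_flag=False):
    """Screen one sign-up or transaction attempt.

    declared_country: the country the user attested to (ISO 3166 alpha-2).
    ip: the source IP as observed by the platform.
    anonymiser_flag: True when an external feed marks the IP as VPN/proxy/Tor
                     (assumed input; the feed itself is out of scope here).
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return Decision("review", "unparseable source IP")

    if any(addr in net for net in UNROUTABLE):
        return Decision("review", "non-public IP reached screening; check proxy headers")

    location = lookup_jurisdiction(ip)
    if location in SANCTIONED_NETWORKS:
        # Hard stop: the attestation cannot override an IP inside a sanctioned region.
        return Decision("block", f"source IP geolocates to {location}")

    if anonymiser_flag:
        return Decision("review", "anonymising service detected; location unverified")

    if location is None:
        return Decision("review", "no geolocation available for source IP")

    if location != declared_country.upper():
        # A mismatch between attested and observed location is the spoofing
        # signal the article refers to; escalate for further due diligence.
        return Decision("review", f"declared {declared_country} but IP geolocates to {location}")

    return Decision("allow", f"declared and observed location agree ({location})")
```

The ordering matters: a sanctioned-jurisdiction hit blocks regardless of what the user attested, while an anonymiser hit or a country mismatch does not prove a violation and so goes to review rather than being auto-blocked or auto-allowed.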

Identify, block and report sanctioned digital currency

Companies engaged in or reliant upon digital currency have the same obligations with respect to US sanctions law compliance as those conducting transactions in traditional currencies. OFAC has included certain digital currency addresses associated with blocked persons as part of its set of identifiers on the SDN List, meaning that companies may have obligations to block digital currency payments associated with those digital addresses. Companies that may transact routinely with the digital currency addresses should consider enhancing their screening and compliance processes to account for this information.

Screening a digital currency address is more involved than the screening of ordinary names or physical addresses, but OFAC has provided some guidance on how to search the SDN List for these addresses. OFAC guidance also provides two discrete methods companies may integrate into their compliance programmes to block digital currencies held by sanctioned persons. Companies dealing in digital currencies held by users in regions subject to expanded US sanctions, particularly Russia, will also need to be highly alert to the risk that parties subject to sanctions will try to evade US sanctions and obfuscate their identity or location by using digital currencies. Companies may consider implementing blockchain tracing software to assist in identifying and blocking virtual currency addresses associated with sanctioned persons. As seen in the Bittrex settlement, OFAC considers blockchain tracing as one of the significant remedial measures taken by companies to curtail apparent violations of US sanctions. Companies may block digital wallets associated with digital addresses identified and sanctioned by OFAC or may combine all digital wallets with digital addresses identified by OFAC into one digital wallet. OFAC also requires companies holding wallets with blocked digital addresses to report the digital currency to OFAC within 10 business days and to have a traceable audit trail.
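The two preceding paragraphs describe screening counterparties against the digital currency addresses on the SDN List and reporting blocked property within 10 business days. The following added example (not code from the article, OFAC or any vendor) shows the core of such a screen. OFAC publishes these addresses as identifier entries whose type reads "Digital Currency Address - <asset>" (for example "Digital Currency Address - XBT"); the records below are a constructed, simplified representation of that data, and every name, address and transaction in them is invented. The deadline helper counts weekdays only and does not know US federal holidays, which a real calendar would have to handle.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of SDN identifier records as (listed name, ID type, ID value).
# The digital currency entries follow OFAC's "Digital Currency Address - <asset>"
# ID-type convention; the names and addresses are invented placeholders.
SAMPLE_SDN_IDS = [
    ("EXAMPLE LISTED PERSON 1", "Digital Currency Address - XBT",
     "1ExampleSdnAddressAAAAAAAAAAAAAAAA"),
    ("EXAMPLE LISTED PERSON 1", "Digital Currency Address - ETH",
     "0xAB12ab12AB12ab12AB12ab12AB12ab12AB12ab12"),
    ("EXAMPLE LISTED PERSON 2", "Digital Currency Address - XBT",
     "bc1qexampleconstructedaddress000000000"),
    ("EXAMPLE LISTED PERSON 2", "Passport", "X1234567"),   # not a wallet; ignored
]

ID_PREFIX = "Digital Currency Address - "


def normalise_address(address):
    """Canonical form for comparison.

    EVM-style hex addresses (0x...) are case-insensitive, so they are lowercased;
    other address formats (e.g. base58 Bitcoin) are case-sensitive and kept as-is.
    Whitespace is stripped because it is a common paste artefact in KYC data.
    """
    address = address.strip()
    if address.lower().startswith("0x"):
        return address.lower()
    return address


def build_address_index(records):
    """Map (asset, normalised address) -> set of listed names."""
    index = defaultdict(set)
    for name, id_type, value in records:
        if not id_type.startswith(ID_PREFIX):
            continue                      # passports, tax IDs etc. are screened elsewhere
        asset = id_type[len(ID_PREFIX):].strip().upper()
        index[(asset, normalise_address(value))].add(name)
    return index


def screen_transactions(index, transactions):
    """Return one hit per transaction whose counterparty is a listed address.

    transactions: iterable of dicts with keys txid, asset, counterparty, amount.
    """
    hits = []
    for tx in transactions:
        key = (tx["asset"].upper(), normalise_address(tx["counterparty"]))
        if key in index:
            hits.append({
                "txid": tx["txid"],
                "asset": key[0],
                "counterparty": tx["counterparty"],
                "amount": tx["amount"],
                "matched_names": sorted(index[key]),
            })
    return hits


def reporting_deadline(blocked_on, business_days=10):
    """Date by which a blocked-property report is due, counting weekdays only.

    Assumption: US federal holidays are not handled; a production calendar must
    exclude them as well.
    """
    day = blocked_on
    remaining = business_days
    while remaining > 0:
        day += timedelta(days=1)
        if day.weekday() < 5:            # Monday=0 .. Friday=4
            remaining -= 1
    return day


# Constructed sample transactions: the ETH counterparty is the listed address in
# lowercase, which only matches because of the normalisation above.
SAMPLE_TRANSACTIONS = [
    {"txid": "tx-001", "asset": "ETH", "amount": "0.5",
     "counterparty": "0xab12ab12ab12ab12ab12ab12ab12ab12ab12ab12"},
    {"txid": "tx-002", "asset": "XBT", "amount": "0.01",
     "counterparty": "1ExampleSdnAddressAAAAAAAAAAAAAAAA"},
    {"txid": "tx-003", "asset": "XBT", "amount": "0.02",
     "counterparty": "1exampleSdnAddressAAAAAAAAAAAAAAAA"},   # case differs: no match
    {"txid": "tx-004", "asset": "ETH", "amount": "1.0",
     "counterparty": "0x0000000000000000000000000000000000000001"},
]

if __name__ == "__main__":
    idx = build_address_index(SAMPLE_SDN_IDS)
    for hit in screen_transactions(idx, SAMPLE_TRANSACTIONS):
        print(hit)
    print("report due by", reporting_deadline(date(2024, 5, 1)))
```

Keeping the index keyed by asset as well as address avoids a false match where the same string happens to be valid on two chains, and the audit trail the article mentions is simply the `hits` records plus the block date persisted with the blocked funds.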

Compliance related to making or facilitating ransom payments

Given the risks associated with ransomware payments and the possibility that sanctioned persons or jurisdictions may be involved in them, sanctions compliance programmes should incorporate risk-based procedures for responding to ransomware attacks, including, at a minimum, thorough enhanced screening procedures. In many cases, companies should strongly consider engaging with relevant law enforcement agencies when ransomware attacks arise, including OFAC if the ransomware attack or a requested ransom payment may potentially involve a sanctioned party or country.

Preventative measures regarding cyber intrusions

In looking to root causes, businesses may also reduce their cyber-related sanctions compliance risks by making efforts to prevent cyber intrusions in the first place. US government agencies, including FinCEN and the US Department of Justice, have provided guidance on best practices for companies to help them protect their systems from cyberattacks. Integrating these considerations into a company’s overall approach to risk management and, specifically, its sanctions compliance programme in the first instance can prevent sanctions violations arising from malicious cyber-enabled activities (e.g., ransomware attacks) carried out by a sanctioned party or country.

Potential benefits of cooperation with the US government in the cybersecurity context

We close by highlighting the strong incentives that US government enforcers provide in exchange for voluntary disclosure and robust cooperation by companies that have committed potential US sanctions violations, which apply equally in the cyber context. For example, in the OFAC ransomware advisories discussed above, OFAC emphasises that it would consider both a ‘self-initiated, timely, and complete report of a ransomware attack to law enforcement’ and ‘full and timely cooperation with law enforcement’ to be ‘significant’ mitigating factors in determining the proper enforcement outcome if a ransom payment is made and ‘if the situation is later determined to have a sanctions nexus’. Likewise, in the SAP enforcement matter discussed above, the Department of Justice explained that SAP’s penalty ‘would have been far worse had they not disclosed, cooperated, and remediated. We hope that other businesses, software or otherwise, we [sic] heed this lesson.’ OFAC also touted SAP’s ‘substantial’ cooperation and significant remedial actions, as well as its voluntary disclosure, in explaining why the actual penalty was reduced substantially from the civil penalty recommended under OFAC’s enforcement guidelines. Although cooperation with US government enforcers is a complex, risk-based decision that must be considered carefully, the potential benefits are clear under the right circumstances.
