Jan 62016

OFAC issues Cyber-Related Sanctions Regulations

Alan Charles Raul, Edward R. McNicholas, Robert Torresen, David Simon and Barbara Broussard
, , ,

In the aftermath of the cyber attack on the Office of Personnel Management and the significant loss of corporate intellectual property, the U.S. government has announced new tools to respond to and to deter such harmful attacks.  On December 31, 2015, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued new U.S. Cyber-Related Sanctions Regulations, set forth in 31 C.F.R. § 578 (“Cyber-Related Sanctions Regulations”).  The Cyber-Related Sanctions Regulations are designed to implement Executive Order 13694, which targets perpetrators of malicious cyber-activities (e.g., hacking and Distributed Denial of Service (DDoS) attacks) as well as those who support such activities and certain recipients and users of stolen trade secrets.

In its December 31 publication of the Cyber-Related Sanctions Regulations, OFAC stated that it was publishing the regulations in an abbreviated form and expressed its intention to supplement the regulations with a more comprehensive set of regulations.  The regulations, as currently published, largely mirror OFAC’s standard abbreviated regulations for programs involving blocked persons.

The U.S. government has not yet designated any parties under this new sanctions program.  Therefore, for the time being, companies need not take any action.  However, once parties are blocked for cyber-related sanctions purposes, their names will be added to the OFAC Specially  Designated Nationals List, which must be checked and complied with.  Finally, while OFAC has not provided any specific channel for companies to identify possible cyber-related sanctions targets to the U.S. government (i.e., foreign hackers), we believe that OFAC and other agencies would be receptive to receiving such information from companies with potentially relevant information.

The Cyber-Related Sanctions Regulations, currently without elaboration, prohibit all transactions prohibited under E.O. 13694, including dealing in the property or interests in property, that come within the United States, of blocked persons.  Under E.O. 13694, any party may be blocked if the U.S. government determines that the party is responsible for or complicit in, or has engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside of the United States that have the purpose or effect of:

  • Harming or otherwise significantly compromising the provision of services by a computer or network of computers that supports one or more entities in a critical infrastructure sector;
  • Significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
  • Causing a significant disruption to the availability of a computer or network of computers; or
  • Causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain.

The Order also permits the Secretary of the Treasury to designate parties who derive commercial or economic gain from trade secrets misappropriated through cyber-enabled means; who have materially assisted, sponsored or provided financial, material or technological support for, or goods or services in support of such activities; or are owned or controlled by parties blocked under the Executive Order.  OFAC defined “financial, material, or technological support” as any property, tangible or intangible, including, but not limited to, currency, securities, weapons, false documentation, communications equipment, electronic devices, lodging, transportation, goods, or technologies.  In addition, the Order blocks designated individuals from entering the United States.

Similar to other regulations concerning blocked persons, the Cyber-Related Sanctions Regulations require any U.S. persons holding blocked funds to place them in interest bearing accounts outside of the control of the blocked person.

In addition to the definitions included in other sanctions regulations concerning blocked persons, OFAC has provided a definition of “technologies” as “specific information necessary for the development, production, or use of a product.”  OFAC also stated that it may provide a definition of “cyber-enabled” activities in the more comprehensive regulations that it will publish later.  OFAC currently anticipates that the definition will include “any act that is primarily accomplished through or facilitated by computers or other electronic devices.”

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Edward R. McNicholas

emcnicholas@sidley.com

Robert Torresen

rtorresen@sildley.com

David Simon

dsimon@sidley.com

Barbara Broussard

bbroussard@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.

Digital Health Transformation: A Practical Guide for Life Sciences Companies

In 2022, many if not most pharmaceutical, medical device, and other life sciences companies established strategies to innovate digital health technology complementary to their existing strategic focus. The digital transformation of the life sciences industry is still widely unfolding across the marketplace. In 2023 and beyond, the race is on to launch the next generation of digital health technologies to innovate the delivery of therapies to patients.