Boilerplate Cyber Sanctions Regulations Portend Coming Actions
Earlier today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued regulations for the Cyber-related sanctions program, now available at 31 C.F.R. Part 578. These regulations are currently in abbreviated form and are limited to the boilerplate provisions contained in all other targeted sanctions programs. As such, there are currently still no program-specific definitions, interpretive guidance, or general licenses. We expect OFAC to supplement the regulations in the near future, and to define “cyber-enabled” activities to include “any act that is primarily accomplished through or facilitated by computers or other electronic devices.” Interpretive guidance will likely explain “malicious cyber-enabled activities” as “deliberate activities accomplished through unauthorized access to a computer system, including by remote access; circumventing one or more protection measures, including by bypassing a firewall; or compromising the security of hardware or software in the supply chain.” OFAC provided this definition and guidance in an FAQ concurrently with the release of the Executive Order authorizing the sanctions program in April.
Although these regulations are not a prerequisite for placing individuals and entities on the List of Specially Designated Nationals (SDN List), the publication of the regulations indicates that this program will likely soon become active. However, publication of regulations does not always reflect coming designations. For example, the Venezuela-related designations are still limited to the individuals listed in the program’s Executive Order, despite the publication of the Venezuela regulations in July of this year.
We will continue to monitor developments in the Cyber-related sanctions program and issue updates as significant events occur.