In 2020, the European Union imposed its first-ever cyber sanctions against several people and entities involved in cyber-attacks against the EU and its Member States, including travel bans and asset freezing. EU persons and entities were also prohibited from making funds available to those individuals.
According to the EU, malicious cyber activities pose a significant threat to the integrity, economic competitiveness, and security of the EU and may even undermine international security to such an extent that it leads to destabilization and an increased risk of conflict.
The pandemic and widespread lockdowns imposed by countries around the globe saw a surge in illegal activities directed against governments and government-led institutions, particularly coronavirus-related firms and healthcare businesses. High-profile hacks, including the SolarWinds attack and the attack against vaccine developer Pfizer by a North Korean hacker group.
As cybercrime continues to increase, firms must be aware of cybercrime penalties and cyber sanctions in order to remain on the right side of the law. Governments will likely not only impose trade embargoes and asset freezes but cyber sanctions to prevent and curb malicious attacks.
What Are Cyber Sanctions?
Cyber sanctions are a relatively recent development in the regulatory landscape. Like other sanctions, cyber sanctions are designed to prevent and punish cyber-attacks from malicious state actors. These cyber-attacks may involve phishing, hacking (in order to steal data or funds), theft of intellectual property, or in some instances, spreading false information via social networks.
Cyber sanctions function in the same way as well, prohibiting transactions, relationships and trading with sanctioned individuals and entities that have been found responsible for cyber-attacks or attempted attacks. In order to implement a cyber sanction, regulators go through a stringent attribution process that seeks to determine whether or not the individual or entity is responsible for the attack.
It is a complex process that involves investigating vast amounts of technical evidence, including computer code, IP addresses and other information related to the identity of the attacker while taking privacy issues and the possibility of identity falsification into account before the relevant national authority can make a sanctions designation.
However, once the designation has been made, non-compliance could lead to cybercrime penalties. Businesses have to take care to familiarize themselves with the applicable cybercrime laws and sanctions in their country of operation, as well as the jurisdictions where they conduct business.
Cyber Sanctions In The United States
The current cybercrime system in the US dates back to 2015. The first designations were made a year later. Sanctions are issued by OFAC (the Office of Foreign Assets Control) through their Specially Designated Nationals and Blocked Person List, which includes targets involved in cyber-related activities like election interference, phishing schemes, hacks and other forms of fraud and financial crime.
Cyber penalties are imposed on individuals who conduct cyber attacks from outside the US as well as individuals to attempt to exploit trade secrets or that provide financial or technical support to cyber-attackers. Any persons controlled or owned by perpetrators of such attacks may also be targeted.
Cyber Sanctions In The European Union
As previously mentioned, the EU first implemented its cybercrime sanctions regime in 2020 but was quick to make its first designations. Russian, North Korean and Chinese individuals involved in attacks dating back to 2017 were initially targeted. Sanctions may be imposed on any person that engages or attempts to engage in cyber attacks, provides material support to cyber attacks or is otherwise associated with persons involved in cyber attacks.
Cyber Sanctions In The UK
The United Kingdom has revised its cyber sanctioning program following their exit from the European Union, devising an independent regime known as the Cyber Sanctions (EU Exit) Regulations 2020. While the regime closely resembles that of the EU, the UK is able to add, remove and modify its own penalties. The country has also modified its licensing procedure and the mechanism through which targeted individuals can dispute their status.
Protecting Your Business Against Cyber Crime Penalties
As is the case with any sanction, banks, financial institutions and obligated entities have to be aware of the sanctions lists that apply to their jurisdiction, including cyber sanctions, the OFAC SDN List, the EU’s Consolidated List and the UK’s sanction list. Some of the steps companies should take includes the following:
- Customer due diligence, including the verification and establishment of customers’ identities so that they may be screened against sanctions lists.
- Ongoing transaction monitoring: Firms must monitor customers’ transactions for suspicious behavior and red flags that could indicate attempted sanctions evasion.
- Ongoing monitoring and screening: Sanctions lists can change at any time. Companies must continue to monitor their customers’ status to determine whether or not they are linked to any sanctioned entities.
Automated sanctions sceeening solutions, including the ones provided by sanctions.io, use AI and machine learning to simplify and improve the screening process in order to remain compliant with sanctions regimes. Reach out to our sanctions.io team for any information or help for setting up your sanctions compliance process.