Practical Issues in Cyber-Related Sanctions

This is an Insight article, written by a selected partner as part of GIR's co-published content.

Development of US cyber-related sanctions regimes

Overview of the Cyber-Related Sanctions Program

The United States has been at the forefront of establishing a cyber-focused economic sanctions regime,[2] which is primarily administered by the US Department of the Treasury, Office of Foreign Assets Control (OFAC), although criminal prosecutions for certain wilful sanctions violations are the responsibility of the US Department of Justice.

OFAC administers a variety of sanctions targeting malicious cyber-related activities, such as cyberespionage, cyber-intrusions on critical infrastructure and computer networks, and disinformation campaigns conducted from abroad. The bulk of these sanctions are administered under OFAC’s ‘Cyber-Related Sanctions Program’, which was established in 2015 as part of the Obama administration’s response to malicious cyber-enabled activities originating from foreign countries that were directed at both US government agencies and private sector US entities. However, sanctions targeting malicious cyber-related activities are also authorised under other statutory and executive branch sanctions authorities, including the Countering America’s Adversaries Through Sanctions Act (CAATSA), as well as Executive Order (EO) 14024, ‘Blocking Property With Respect To Specified Harmful Foreign Activities of the Government of the Russian Federation’, issued on 15 April 2021.

Prior to the Obama administration’s first EO authorising cyber-related sanctions, malicious cyber-intrusions and cyberespionage from abroad were becoming increasingly frequent and severe. For example, on 19 May 2014, in its first major prosecution against a state actor for malicious cyber-enabled activities, the US Department of Justice indicted five Chinese nationals, allegedly affiliated with the Chinese military, for gaining unauthorised access to computer networks for the apparent purpose of engaging in economic espionage targeted at six US entities involved in the nuclear power, metals and solar products industries.[3] In September 2014, President Obama said his administration viewed cyber-enabled theft of trade secrets as ‘an act of aggression that has to stop’ and warned that the US was prepared to impose countervailing actions ‘to get [China’s] attention’.[4]

Before the establishment of OFAC’s cyber-related sanctions programme, US law enforcement agencies had legal authorities available to pursue charges against individuals engaged in various types of cyber espionage or unauthorised intrusions into US government and private sector computers and networks.[5] Nevertheless, facing an increasingly severe threat posed by foreign-based hackers targeting valuable US intellectual property and sensitive private data, among other things, US national security agencies viewed sanctions as a tool well-designed to address the extraterritorial nature of cyber-enabled attacks from foreign actors.

This culminated on 1 April 2015 when President Obama issued EO 13694, which declared a national emergency to deal with ‘the unusual and extraordinary threat to the national security, foreign policy, and economy of the United States constituted by the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States’.[6] As with most US economic sanctions authorities, this EO was issued pursuant to the International Emergency Economic Powers Act[7] and the National Emergencies Act.[8]

On 28 December 2016, President Obama issued EO 13757, which amended EO 13694 to broaden the scope of cyber-related activities subject to sanctions. As amended, those EOs permit the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to impose blocking sanctions[9] on persons determined:

  • to be responsible for or complicit in, or to have engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of:
    • harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
    • significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
    • causing a significant disruption to the availability of a computer or network of computers;
    • causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain; or
    • tampering with, altering, or causing a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions; and
  • . . . to be responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means, knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States;
  • to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, [certain activities described above] or any person whose property and interests in property are blocked pursuant to [EO 13694, as amended];
  • to be owned or controlled by, or to have acted or purported to act for or on behalf of, directly or indirectly, any person whose property and interests in property are blocked [pursuant to EO 13694, as amended]; or
  • to have attempted to engage in any of the activities described in [EO 13694, as amended].[10]

Cyber-related sanctions under CAATSA

On 2 August 2017, President Trump signed into law CAATSA, which authorised, inter alia, the imposition of cyber-related sanctions targeting Russia and codified the cyber-related sanctions imposed through EO 13694 and EO 13757.[11] On 20 September 2018, President Trump issued EO 13849, ‘Authorizing the Implementation of Certain Sanctions Set Forth in the Countering America’s Adversaries Through Sanctions Act (CAATSA)’, which delegates authority to impose sanctions under CAATSA to the Secretary of the Treasury.[12]

With respect to Russia, Section 224 of CAATSA included additional sanctions provisions targeting malicious cyber activities that are distinct from OFAC’s Cyber-Related Sanctions Program. Specifically, Section 224(a)(1) of CAATSA requires the President to impose blocking sanctions on any person that the President determines ‘(A) knowingly engages in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation; or (B) is owned or controlled by, or acts or purports to act for or on behalf of, directly or indirectly’ such person.[13] ‘Significant activities undermining cybersecurity’ include:

  • significant efforts:
    • to deny access to or degrade, disrupt, or destroy an information and communications technology system or network; or
    • to exfiltrate, degrade, corrupt, destroy, or release information from such a system or network without authorization for purposes of:
      • conducting influence operations; or
      • causing a significant misappropriation of funds, economic resources, trade secrets, personal identifications, or financial information for commercial or competitive advantage or private financial gain;
  • significant destructive malware attacks; and
  • significant denial of service activities.[14]

Additionally, the President is required to impose five or more menu-based sanctions on persons the President determines knowingly ‘materially assists, sponsors, or provides financial, material, or technological support for, or goods or services (except financial services)’ in support of, the cyber-related activity described in CAATSA Section 224(a)(1).[15] Those menu-based sanctions include restrictions on a sanctioned person’s ability to participate in, conduct or obtain: US export licences; loans or assistance from certain US and foreign financial institutions, including the US Export-Import Bank; certain foreign exchange transactions; various transactions involving property in the United States; or US visas.[16]

For a person the President determines ‘provides financial services’ in support of the cyber-related activities described in CAATSA Section 224(a)(1), CAATSA requires the President to impose three or more menu-based sanctions, described separately at 22 USC § 8923.[17] These include many of the same types of sanctions mentioned above.

Cyber-related sanctions under the new EO targeting harmful foreign activities of Russia

On 15 April 2021, President Biden issued EO 14024, ‘Blocking Property With Respect To Specified Harmful Foreign Activities of the Government of the Russian Federation’, which is aimed at countering a wide array of malign Russian government-sponsored activities, including interference in the 2020 US presidential election and the SolarWinds cyberattack.[18] EO 14024 significantly expands the categories of Russian persons that can be targeted for sanctions by the United States, and includes persons determined ‘to be responsible for or complicit in, or to have directly or indirectly engaged or attempted to engage in . . . malicious cyber-enabled activities’.[19] Sanctions may also be imposed under EO 14024 on the spouses and adult children of persons subject to sanctions under this EO, as well as those determined by the Secretary of the Treasury, in consultation with the Secretary of State, to have materially assisted, sponsored or provided financial, material or technological support for, or goods or services to or in support of, among other things, malicious cyber-enabled activities. Notably, EO 14024 has been the tool of choice for the US to impose blocking and non-blocking sanctions targeting Russia in response to its military invasion of Ukraine in February 2022.

OFAC Ransomware Advisory

On 1 October 2020, OFAC issued its ‘Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments’ (the 2020 Ransomware Advisory) to highlight the sanctions compliance risks associated with facilitating ransomware payments related to malicious cyber-enabled activities (e.g., by providing cyber insurance, digital forensics and incident response, and financial services related to processing ransom payments including by depository institutions and money services businesses).[20] In the Advisory, OFAC warned that facilitating a ransomware payment may not only enable and embolden criminals, as well as adversaries with a nexus to a sanctioned party or country, but also, critically, may not guarantee that a victim regains access to stolen data, and noted that victims of a ransomware attack should: contact OFAC immediately if they believe a request for a ransomware payment may involve a sanctions nexus; and contact the US Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection if an attack involves a US financial institution or may cause ‘significant disruption to a firm’s ability to perform critical financial services’.

OFAC expanded its guidance on 21 September 2021 in a publication entitled ‘Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments’ (the 2021 Ransomware Advisory), which OFAC issued ‘to highlight the sanctions risks associated with ransomware payments’ and ‘the proactive steps companies can take to mitigate such risks’, including those actions that OFAC would consider to be mitigating factors with respect to enforcement. The 2021 Ransomware Advisory adds to the 2020 Ransomware Advisory in several significant ways.[21] It strongly discourages making ransomware payments and warns that entities making ransomware payments to a blocked person or a sanctioned jurisdiction are subject to strict liability and risk facing penalties, even without knowledge of a connection to a blocked person or sanctioned jurisdiction.[22] Consequently, OFAC also recommends that companies expand their controls to account for the risk of ransomware payments being made to prohibited persons.[23] Further, OFAC strongly encourages, and even incentivises, companies to report ransomware demands to law enforcement, and will consider cooperation with law enforcement as a mitigating factor when assessing penalties against entities that have been involved in making ransomware payments to blocked, or otherwise sanctioned, parties.[24]

The 2021 Ransomware Advisory references several other agencies and encourages the adoption of practices laid out in the Cybersecurity and Infrastructure Security Agency’s Ransomware Guide[25] and consideration of applicable Financial Crimes Enforcement Network (FinCEN) regulatory obligations.[26]

Sanctions Compliance Guidance for the Virtual Currency Industry

On 15 October 2021, OFAC published guidance entitled ‘Sanctions Compliance Guidance for the Virtual Currency Industry’ (the Virtual Currency Guidance), which provides an overview of compliance best practices.[27] The Guidance clarifies that the sanctions compliance obligations imposed by OFAC apply equally to transactions involving virtual currencies and those involving traditional fiat currencies and that companies are responsible for ensuring that they do not engage in direct or indirect transactions that are prohibited by OFAC sanctions, when dealing in virtual currency.[28] The Virtual Currency Guidance acknowledges that OFAC sanctions have increasingly targeted persons that have used virtual currency in connection with various types of malign activity. Given the industry’s rising level of importance, the Guidance encourages companies to have in place a risk-based compliance programme, which includes internal controls to identify and stop virtual currency transactions that would violate OFAC sanctions. Ultimately, the Guidance makes clear that companies are under the same obligations with respect to virtual currency as they are for fiat currency when it comes to complying with OFAC sanctions.

FinCEN Advisory

As noted above, OFAC’s 2021 Ransomware Advisory made note of guidance from other agencies, including FinCEN. On 1 October 2021, FinCEN issued an advisory entitled ‘Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments’ (the FinCEN Advisory).[29] The FinCEN Advisory lists several red flag indicators to assist in identifying, preventing and reporting ransomware attacks and reminds financial institutions of their regulatory obligations regarding reporting suspicious activity involving ransomware. Financial institutions should note that, although OFAC only strongly encourages reporting of ransomware attacks and payments, the FinCEN Advisory makes clear that in some instances financial institutions may be required to report incidents.

OFAC enforcement and recent illustrative cases

OFAC’s use of cyber-related sanctions authorities appears to be on the rise. OFAC enforcement of these sanctions authorities generally can be divided into two parts:

  • the imposition of blocking or menu-based sanctions on individuals and entities for engaging in sanctionable activities (e.g., perpetrating cyberattacks or materially assisting by laundering funds obtained thereby); and
  • the imposition of civil penalties for the violation of sanctions (e.g., transacting with a blocked person sanctioned for malign cyber activities). Criminal prosecutions for sanctions violations, which typically focus on the most egregious wilful misconduct, are within the purview of the US Department of Justice.

Since 2015, OFAC has designated numerous parties under cyber-related sanctions authorities each year. However, OFAC has imposed relatively few civil penalties connected to cyber-related sanctions or other cyber-related sanctions compliance failures. Nevertheless, based on recent guidance, issued in 2020, and its recent imposition of civil penalties against certain internet-based businesses and entities involved in the use of digital currencies,[30] OFAC has demonstrated that it expects parties to implement full-fledged risk-based sanctions compliance programmes to address malign cyber activities and other cyber-related vulnerabilities.

Cyber-related sanctions designations

OFAC has designated numerous persons under its cyber-related sanctions programme over the past few years, making the most such designations in 2020. Persons designated under these authorities include individual hackers, money launderers, non-state actors such as organised ‘troll farms’ (e.g., Internet Research Agency), international cybercriminal organisations (e.g., Evil Corp, HydraMarket),[31] and even a few foreign government agencies (e.g., the Russian Federation Federal Security Service). OFAC has mainly focused on actors residing in or associated with foreign nation states perceived as hostile to the United States – primarily, Russia, China, Iran and North Korea – and engaging in certain malicious cyber-enabled activities, such as:

  • development and distribution of malware, ransomware and phishing and spoofing scams;
  • interference with electoral processes and institutions worldwide through false information or hacking;[32]
  • theft of economic resources, trade secrets, personal identifying information or financial information by cyber intrusions for private financial gain;
  • publication of stolen sensitive documents obtained and sometimes manipulated through cyber intrusions;
  • disruption of network access; and
  • compromise of US government entities and US critical infrastructure sectors.

OFAC civil penalties

To date, OFAC has not imposed any publicly disclosed civil penalties specifically tied to cyber-related sanctions violations. However, the following civil settlements generally illustrate OFAC’s compliance expectations in the cyber and digital areas. A constant theme is the offending company’s failure to apply relevant knowledge in its possession – particularly internet protocol (IP) addresses – to identify, prevent or block prohibited users or transactions. US enforcement agencies, including OFAC and the Departments of Justice and Commerce, called particular attention to a company’s failure to identify and screen transaction parties by their IP addresses in the following enforcement actions:

  • a settlement agreement that the German-based software company SAP SE entered into with OFAC on 29 April 2021 relating to 190 apparent violations of the US sanctions against Iran;[33]
  • a settlement agreement that US-based technology company BitGo, Inc entered into with OFAC on 30 December 2020 in connection with 183 apparent violations of multiple sanctions regimes;[34]
  • a settlement agreement that US-based company BitPay, Inc, a digital currency payment service provider, entered into with OFAC on 18 February 2021 in connection with 2,102 apparent violations of multiple sanctions programmes;[35] and
  • a settlement agreement that Payoneer Inc, a publicly traded New York-based online money transmitter and provider of prepaid access, entered into with OFAC on 23 July 2021 in connection with 2,220 apparent violations of multiple sanctions programmes.[36]

In its announcements of the BitGo and BitPay settlements, OFAC emphasised that US persons involved in the provision of digital currency services (including companies that facilitate or engage in online commerce or process transactions in digital currency) – like all other US persons – have ‘sanctions compliance obligations’. Additionally, citing the essential components of compliance in its ‘Framework for OFAC Compliance Commitments’, OFAC highlighted the importance of implementing technical controls, such as sanctions list and IP address screening and IP blocking mechanisms, to mitigate sanctions risks in connection with digital currency services.[37]

Cyber-related sanctions compliance risks

Ransom payments

As discussed in OFAC’s 2020 Ransomware Advisory, a compliance risk unique to cyber-related sanctions relates to ransomware attacks, specifically the payment of ransoms themselves.[38] Unless OFAC grants a specific licence, a person who makes ransom payments to sanctioned parties or jurisdictions may face penalties for violating OFAC regulations. Particularly for ransom payments made in a digital currency, the difficulty of definitively determining whether the transaction involves a sanctioned party or sanctioned jurisdiction can create serious compliance challenges. Although no public civil penalty has been announced in connection with this type of violation, OFAC has emphasised the risks related not only to direct payments of ransoms in contravention of sanctions regulations, but also to facilitating such payments (e.g., ransomware insurance businesses, payment processors).

Digital currency sector

Via its enforcement actions and guidance,[39] OFAC has also been clear that transactions and services involving digital currency present sanctions compliance risk. Thus, businesses that allow digital currency payments or that are involved in the digital currency market or sector (e.g., digital currency trading platforms, asset management, security) may need to consider how to implement appropriate risk-based compliance measures that address the specific vulnerabilities of digital currency. Without appropriate compliance measures, a digital currency service provider could incur liability not only for violating sanctions (e.g., by dealing with blocked persons or persons in sanctioned jurisdictions), but also for facilitating sanctions violations by other parties to a transaction (even if inadvertent).

For example, just as with fiat currency, businesses involved in digital currency transactions would be expected to deploy risk-based sanctions screening for parties involved and to ensure that the funds are not destined for a sanctioned jurisdiction.[40] As described above, recent enforcement actions highlight OFAC’s expectation that internet-based businesses should use all relevant known information in the course of their business for sanctions compliance purposes as well. Specifically, OFAC has recently imposed civil penalties on multiple businesses that knew customers’ IP addresses (e.g., by their use of internet services) but did not ensure that customers with IP addresses in sanctioned jurisdictions were screened or blocked from using their services or transacting on their platforms.[41]

Cryptocurrency, a type of digital currency reliant on cryptography to secure and verify transactions, also presents risk because cybercriminals and other sanctioned parties (including the government of North Korea) may resort to using cryptocurrency as a tool to evade sanctions, launder money and facilitate other illegal activities (e.g., nuclear weapons proliferation[42]).[43] The proceeds of malicious cyber activities are regularly transferred to cryptocurrency exchanges and peer-to-peer marketplaces with negligible customer screening compliance programmes, or individual peer-to-peer or over-the-counter traders operating on exchanges that do not screen their customers.[44] More broadly, digital currency infrastructure has been targeted by some cybercriminals, who use illegitimate websites and malicious software to conduct phishing attacks on the digital currency sector.[45] Due diligence and controls to determine whether digital currency has been tainted by sanctionable or criminal cyber activity may be needed in certain transactions or businesses. In relation to this, OFAC has emphasised how anti-money laundering and combating the financing of terrorism controls play a vital role in sanctions and law enforcement generally because these can force cybercriminals to take measures to circumvent such controls that leave trails of evidence and traceability.[46] OFAC has begun a practice of identifying certain digital currency addresses[47] associated with SDNs and other blocked persons. This new type of information, which OFAC expects to be part of standard screening protocols, typically entails a more arduous screening process due to the difficulty of searching these addresses in the SDN List.[48]

OFAC has also noted that as various sanctioned jurisdictions (e.g., Iran, Russia, North Korea) resort to using or creating digital currencies, the risk entailed in the digital currency sector may increase.[49] The mere use of certain digital currencies could be subject to blanket prohibition, which has already occurred with respect to the ‘Petromoneda’ digital currency issued by the government of Venezuela.[50] As more government-backed digital currencies are issued, this will be an evolving risk area.

Inadvertent exports to sanctioned jurisdictions

Another potential area of compliance risk is the cybertheft of export-controlled information for use in a sanctioned jurisdiction. Any such cyber-enabled theft may represent an unauthorised and illegal export of controlled US technology or software. While such an event may raise more direct export control compliance concerns, especially depending on the nature of the stolen technology or software, OFAC could potentially consider a victim entity accountable for facilitating a sanctions violation for failing to implement appropriate risk-based measures to prevent the compromise and export of the controlled information (e.g., inadequate data security). This scenario highlights that in addition to sanctions regulations, entities should also consider other areas of related compliance risk implicated by malicious cyber-enabled activities, including export controls.

Practical considerations to mitigate cyber-related sanctions compliance risks

In response to the risks described above, and depending on the circumstances, companies may want to consider some of the following compliance measures.

Risk assessment and risk-based compliance programme

Depending on the nature of a company’s business activities, the risks and challenges in complying with cyber-related sanctions may differ substantially. Conducting an appropriate risk assessment, and tailoring a risk-based compliance programme appropriately, are essential steps in mitigating risk. This is especially true in the current environment due to the global pandemic, as businesses of any size that utilise the internet, even if only for email, may face an increasing risk of ransomware attacks, which raise cyber-related sanctions compliance concerns. It is also a particular concern following Russia’s military invasion of Ukraine and the expansion of US sanctions and other restrictions that target numerous sectors of the Russian economy, including the financial and energy sectors. Businesses involved in e-commerce could potentially face higher cyber-related sanctions compliance risks, including the risk of inadvertently providing goods or services to a sanctioned person or jurisdiction. Those involved in the digital currency sector, including companies that facilitate or engage in online commerce or process transactions using digital currencies, may be more likely to face malicious cyber-enabled attacks, incurring increased sanctions compliance risks, and, given the expanded sanctions on Russia and other regions, may also have to contend with sanctioned parties seeking to use digital currencies to evade US sanctions. These risks could be even greater for companies involved in providing cyber insurance, digital forensics services, cyberattack incident response services and financial services that facilitate ransom payments.

Risk-based screening, due diligence and IP blocking measures

Depending on a company’s risk profile, it is often best to ensure that all relevant parties are properly screened before engaging in a transaction, to ensure no payments or deliveries of goods or services are made to sanctioned parties or jurisdictions. Reliable screening depends on the collection and review of information reasonably accessible to the company, which means companies should proactively consider ways to verify users’ identities and locations. As evidenced in the BitGo settlement, merely relying on attestations from users concerning their locations without conducting any further due diligence may not suffice to meet one’s compliance obligations in OFAC’s view.

As the world becomes more digitised, and certain sanctions programmes targeting particular jurisdictions (e.g., Russia and the Crimea, Donetsk and Luhansk regions of Ukraine) are introduced, the screening function must adapt as well. Companies should consider including a party’s IP address information in the screening process when this information is available. A company may need to implement IP blocking measures to prevent sanctioned persons and persons in sanctioned jurisdictions from opening accounts on the company’s website or platform that would allow them to access the company’s services.

Identify, block and report sanctioned digital currency

Companies engaged in or reliant upon digital currency have the same obligations with respect to US sanctions law compliance as they would when conducting transactions in traditional currencies. OFAC has included certain digital currency addresses associated with blocked persons as part of its set of identifiers on the SDN List, meaning that companies may have obligations to block digital currency payments associated with those digital addresses.[51] Companies that may transact routinely with the digital currency addresses should consider enhancing their screening and compliance processes to account for this information.

Screening a digital currency address is more involved than ordinary name or physical address screening, but OFAC has provided some guidance on how to search the SDN List for these addresses. OFAC guidance also provides two discrete methods companies may integrate into their compliance programme to block digital currencies held by sanctioned persons.[52] Companies dealing in digital currencies held by users in regions subject to expanded US sanctions, particularly Russia, will also need to be highly alert to the risk that parties subject to sanctions will try to evade US sanctions and obfuscate their identity or location by using digital currencies. Companies may block digital wallets associated with digital addresses identified and sanctioned by OFAC, or combine all digital wallets with digital addresses identified by OFAC into one digital wallet. OFAC also requires companies holding wallets with blocked digital addresses to report the digital currency to OFAC within 10 business days and to have a traceable audit trail.
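As an added illustration of the screening controls described here and under ‘Risk-based screening, due diligence and IP blocking measures’ above (example code written for this page, not code from the article or from OFAC), the following Python sketch screens a platform transaction against sanctioned-jurisdiction IP ranges and SDN-style digital currency address identifiers, and computes the 10-business-day reporting deadline the text mentions. The identifier labels are modelled on the ‘Digital Currency Address - XBT/ETH’ style OFAC uses on the SDN List; all names, addresses and IP ranges below are constructed placeholders, and the deadline calculation ignores public holidays.

```python
"""Risk-based sanctions screening for an online platform: IP-jurisdiction
blocking plus digital currency address matching against SDN-style
identifiers, and the blocked-property reporting deadline.
All sample data is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import ipaddress

# Constructed SDN-style records. The addresses are placeholders, not real
# listed addresses; a production program loads OFAC's current SDN List.
SDN_SAMPLE = [
    {"name": "EXAMPLE BLOCKED PERSON ONE",
     "ids": [("Digital Currency Address - XBT",
              "1PlaceholderBtcAddressCaseMatters0001")]},
    {"name": "EXAMPLE BLOCKED PERSON TWO",
     "ids": [("Digital Currency Address - ETH",
              "0xAbCd0123456789AbCd0123456789AbCd01234567")]},
]

# Constructed jurisdiction mapping using TEST-NET documentation ranges in
# place of a commercial IP geolocation feed.
SANCTIONED_RANGES = {
    "SANCTIONED JURISDICTION A": [ipaddress.ip_network("203.0.113.0/24")],
    "SANCTIONED JURISDICTION B": [ipaddress.ip_network("198.51.100.0/25")],
}

# Why address screening is harder than name screening: the case rules differ
# by chain. Ethereum addresses are hex and case-insensitive (mixed case only
# carries a checksum), while Bitcoin base58 addresses are case-sensitive, so
# lower-casing them would create false matches.
CASE_INSENSITIVE = {"Digital Currency Address - ETH"}


def normalize(id_type: str, value: str) -> str:
    value = value.strip()
    return value.lower() if id_type in CASE_INSENSITIVE else value


def build_address_index(entries):
    """Map (id_type, normalized address) -> listed name for O(1) lookups."""
    index = {}
    for entry in entries:
        for id_type, value in entry["ids"]:
            index[(id_type, normalize(id_type, value))] = entry["name"]
    return index


def jurisdiction_for_ip(ip_text: str):
    """Return the sanctioned jurisdiction an IP falls in, else None.
    Raises ValueError for an empty or unparseable address."""
    ip = ipaddress.ip_address(ip_text)
    for name, nets in SANCTIONED_RANGES.items():
        if any(ip in net for net in nets):
            return name
    return None


@dataclass
class Screening:
    action: str                    # "allow", "review" or "block"
    reasons: list = field(default_factory=list)


def screen_transaction(tx: dict, index: dict) -> Screening:
    """tx: {"client_ip": str, "counterparty": (id_type, address)}.
    Blocks when the client IP is attributed to a sanctioned jurisdiction or
    the counterparty address is an SDN identifier; escalates to review when
    the client location cannot be determined; allows otherwise."""
    reasons, action = [], "allow"
    ip_text = tx.get("client_ip", "")
    try:
        juris = jurisdiction_for_ip(ip_text)
    except ValueError:
        juris = None
        action = "review"  # unknown location is escalated, not silently passed
        reasons.append("client IP missing or unparseable")
    if juris:
        action = "block"
        reasons.append(f"client IP {ip_text} attributed to {juris}")
    id_type, addr = tx["counterparty"]
    hit = index.get((id_type, normalize(id_type, addr)))
    if hit:
        action = "block"
        reasons.append(f"counterparty address is listed for {hit}")
    return Screening(action, reasons)


def report_deadline(blocked_on: date, business_days: int = 10) -> date:
    """Due date for reporting blocked digital currency to OFAC: count forward
    business_days, skipping weekends. US federal holidays are not modelled."""
    d, remaining = blocked_on, business_days
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d


if __name__ == "__main__":
    idx = build_address_index(SDN_SAMPLE)
    tx = {"client_ip": "203.0.113.7",
          "counterparty": ("Digital Currency Address - ETH",
                           "0xabcd0123456789abcd0123456789abcd01234567")}
    result = screen_transaction(tx, idx)
    print(result.action, result.reasons)
    if result.action == "block":
        print("report blocked property by", report_deadline(date.today()))
```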

Compliance related to making or facilitating ransom payments

Given the risks associated with ransomware payments and the possibility that sanctioned persons or jurisdictions may be involved in them, sanctions compliance programmes should incorporate risk-based procedures for responding to ransomware attacks, including, at a minimum, thorough enhanced screening procedures. In many cases, companies should strongly consider engaging with relevant law enforcement agencies when ransomware attacks arise, including OFAC if the ransomware attack or a requested ransom payment may potentially involve a sanctioned party or country.

Preventative measures regarding cyber intrusions

In looking to root causes, businesses may also reduce their cyber-related sanctions compliance risks by making efforts to prevent cyber intrusions in the first place. US government agencies, including FinCEN[53] and the US Department of Justice,[54] have provided guidance on best practices for companies to help them protect their systems from cyberattacks. Integrating these considerations into a company’s overall approach to risk management and, specifically, its sanctions compliance programme in the first instance can prevent sanctions violations arising from malicious cyber-enabled activities (e.g., ransomware attacks) carried out by a sanctioned party or country.

Potential benefits of cooperation with the US government in the cybersecurity context

We close by highlighting the strong incentives that US government enforcers provide in exchange for voluntary disclosure and robust cooperation by companies that have committed potential US sanctions violations, which apply equally in the cyber context. For example, in the OFAC ransomware advisories discussed above, OFAC emphasises that it would consider both a ‘self-initiated, timely, and complete report of a ransomware attack to law enforcement’ and ‘full and timely cooperation with law enforcement’ to be ‘significant’ mitigating factors in determining the proper enforcement outcome if a ransom payment is made and ‘if the situation is later determined to have a sanctions nexus’.[55] Likewise, in the SAP enforcement matter discussed above, the Department of Justice explained that SAP’s penalty ‘would have been far worse had they not disclosed, cooperated, and remediated. We hope that other businesses, software or otherwise, we [sic] heed this lesson.’[56] OFAC also touted SAP’s ‘substantial’ cooperation and significant remedial actions, as well as its voluntary disclosure, in explaining why the actual penalty was reduced substantially from the civil penalty recommended under OFAC’s enforcement guidelines. Although cooperation with US government enforcers is a complex, risk-based decision that must be considered carefully, the potential benefits are clear under the right circumstances.


[1] Brian Fleming and Timothy O’Toole are members, Christopher Stagg is counsel, Caroline Watson and Manuel Levitt are senior associates, and Mary Mikhaeel is an associate at Miller & Chevalier Chartered.

[2] Other jurisdictions, including the EU and UK, have begun taking significant steps to develop sanctions programmes to deter malicious cyber actors and respond to increasingly frequent and severe cyberattacks. See Council Decision 2019/797, 2019 O.J. (L 129/13) (EU); Council Regulation 2019/796, 2019 O.J. (L 129/1) (EU). See generally the Cyber (Sanctions) (EU Exit) Regulations 2020. While these developments are significant, the EU and UK have used sanctions far less frequently than the United States, with just eight persons and four entities sanctioned under the EU’s cyber-related sanctions framework thus far. See Council Decision 2020/1127, 2020 O.J. (L 246/12) (EU); European Commission Press Release, ‘Malicious cyber-attacks: EU sanctions two individuals and one body over 2015 Bundestag hack’ (22 October 2020).

[3] Press Release, US Dep’t of Justice, ‘US Charges Five Chinese Military Hackers for Cyber Espionage Against US Corporations and a Labor Organization for Commercial Advantage’ (19 May 2014).

[4] Graham Webster, ‘Obama: Cyber Theft “an Act of Aggression” but US and China Can Develop Norms’, The Diplomat (18 September 2015).

[5] Computer Fraud and Abuse Act, 18 USC § 1030; Economic Espionage Act of 1996, 18 USC 1831 et seq.

[6] EO No. 13,694, 80 Fed. Reg. 18,077 (1 April 2015), reprinted as amended in 22 USC § 9522.

[7] 50 USC §§ 1701–1708.

[8] 50 USC §§ 1601, 1621–1631, and 1641.

[9] Persons blocked pursuant to EO 13694, as amended by EO 13757, are included on the Specially Designated Nationals and Blocked Persons List maintained by OFAC. The initial designations under this authority were made on 28 December 2016.

[10] EO No. 13,757, 82 Fed. Reg. 1, 1–2 (28 December 2016).

[11] 22 USC § 9524. OFAC has since promulgated cyber-related sanctions regulations at 31 CFR Part 578.

[12] EO No. 13,849, 83 Fed. Reg. 48,195 (20 September 2018).

[13] 22 USC § 9524(a)(1).

[14] id. § 9524(d)(1)–(3).

[15] id. § 9524(a)(2).

[16] 22 USC § 9529.

[17] 22 USC § 9524(a)(3).

[18] EO 14,024, 86 Fed. Reg. 20,249 (19 April 2021).

[19] id.

[20] OFAC, ‘Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments’ (1 October 2020) (the 2020 Ransomware Advisory).

[21] OFAC, ‘Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments’ (21 September 2021).

[22] id.

[23] id.

[24] id.

[25] See Cybersecurity and Infrastructure Security Agency, ‘Ransomware Guide’ (September 2020).

[26] See FinCEN, ‘Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments’ (1 October 2020) (the FinCEN Advisory).

[27] OFAC, ‘Sanctions Compliance Guidance for the Virtual Currency Industry’ (October 2021).

[28] id.

[29] The FinCEN Advisory was a revised version of a similar advisory published in October 2020 (see footnote 26).

[30] OFAC defines ‘digital currency’ to include ‘sovereign cryptocurrency, virtual currency (non-fiat), and a digital representation of fiat currency’. OFAC, ‘FAQ 559’ (19 March 2018).

[31] OFAC, ‘Treasury Sanctions Russia-Based Hydra, World’s Largest Darknet Market, and Ransomware-Enabling Virtual Currency Exchange Garantex’ (5 April 2022).

[32] See, e.g., OFAC, ‘Treasury Sanctions Iran Cyber Actors for Attempting to Influence the 2020 U.S. Presidential Election’ (18 November 2021).

[33] OFAC, ‘Enforcement Release: April 29, 2021’ (SAP Settlement) (29 April 2021).

[34] OFAC, ‘Enforcement Release: December 30, 2020’ (BitGo Settlement) (30 December 2020).

[35] OFAC, ‘Enforcement Release: February 18, 2021’ (BitPay Settlement) (18 February 2021).

[36] OFAC, ‘Enforcement Release: July 23, 2021’ (23 July 2021).

[37] See BitGo Settlement at 3, BitPay Settlement at 3.

[38] The 2020 Ransomware Advisory, footnote 20.

[39] OFAC has also periodically released FAQs addressing various topics relating to cyber-related sanctions and digital currency compliance issues more broadly. See OFAC, ‘Cyber-Related Sanctions FAQs’; OFAC, ‘Virtual Currency FAQs’ (accessed 3 May 2021).

[40] OFAC, ‘Virtual Currency FAQ 560’ (19 March 2018).

[41] See SAP Settlement, BitGo Settlement and BitPay Settlement.

[42] Michelle Nichols and Raphael Satter, ‘UN experts point finger at North Korea for $281 million cyber theft, KuCoin likely victim’, Reuters (9 February 2021).

[43] See Press Release, OFAC, ‘Treasury Designates Iran-Based Financial Facilitators of Malicious Cyber Activity and for the First Time Identifies Associated Digital Currency Addresses’ (28 November 2018); Press Release, OFAC, ‘Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group’ (2 March 2020).

[44] id.

[45] See ‘Treasury Sanctions Individuals Laundering Cryptocurrency for Lazarus Group’, footnote 44.

[46] See Press Release, OFAC, ‘Treasury Sanctions Russian Cyber Actors for Virtual Currency Theft’ (16 September 2020).

[47] OFAC, ‘Virtual Currency FAQ 559’, footnote 30 (OFAC defines a ‘digital currency address’ as ‘an alphanumeric identifier that represents a potential destination for a digital currency transfer. A digital currency address is associated with a digital currency wallet’).

[48] See OFAC, ‘Virtual Currency FAQs 562’ (19 March 2018), ‘563’ (6 June 2018) and ‘594’ (6 June 2018).

[49] See, e.g., ‘Treasury Designates Iran-Based Financial Facilitators of Malicious Cyber Activity and for the First Time Identifies Associated Digital Currency Addresses’, footnote 43.

[50] EO No. 13,827, 83 Fed. Reg. 12,469 (19 March 2018).

[51] See OFAC, ‘Virtual Currency FAQs 562–63, 594’, footnote 48. See, generally, OFAC, ‘Virtual Currency FAQs’.

[52] See OFAC, ‘Cyber-Related Sanctions FAQ 646’ (28 November 2018).

[53] FinCEN, ‘Advisory on Illicit Activity Involving Convertible Virtual Currency’ (9 May 2019).

[54] US Dep’t of Justice et al., ‘How to Protect Your Networks from Ransomware: Interagency Technical Guidance Document’ (June 2016).

[55] OFAC, footnote 20, at 4.

[56] Department of Justice, ‘SAP Admits to Thousands of Illegal Exports of its Software Products to Iran and Enters into Non-Prosecution Agreement with DOJ’ (29 April 2021).
