Cyber Sanctions: what are they, and are they here to stay?

Sanctions in the UK

Sanctions (including travel bans[1] and asset freezes) are a tool of foreign policy where the UK, as an EU member, not only implemented EU laws[2], but also played a leading role in making them.

While the policy lead for sanctions lies with the Foreign Office, the responsibility for enforcement lies with the Home Office (for travel bans) and HM Treasury, specifically the Office for Financial Sanctions Implementation (OFSI), which oversees a system of financial penalties for breaches of financial sanctions[3].

The UK’s Role in Cyber Sanctions

This continued notwithstanding the result of the referendum, and the UK was influential in the development of the EU Council’s ‘cyber diplomacy toolbox’[4], which set out the measures the EU could and would take against the problem of cyber-attacks, up to and including the use of sanctions against those responsible for them.

In parallel with that, the UK passed the Sanctions and Anti-Money Laundering Act 2018 (SAMLA)[5], which introduced a domestic framework for UK sanctions, and is primarily designed to convert EU sanctions into UK sanctions after we depart the EU system.

The EU Regime

The EU’s power to introduce sanctions to tackle the perpetrators of cyber-attacks was introduced by way of a Decision[6] and Regulation[7] on 17 May 2019, with UK regulations swiftly passed to enforce them[8].

The implementing regulations continue to be in force during the post-Brexit transition period under the EU-UK withdrawal agreement[9]. A separate set of domestic regulations has already been made under SAMLA to ensure continuity[10].

Sanctions in Transition

As at the date of these first designations under the EU regime, therefore, it is the first set of domestic implementing regulations that serve to enforce them in the UK. This will remain so until the end of transition period, when the second set of regulations (under SAMLA) will take over.

The expectation is that all those designated under EU sanctions at the end of the transition period will then be designated by ministers under the SAMLA regulations.

The Purpose of Cyber Sanctions

The EU Decision and Regulation, and in the UK, a UK ministers’ required report to Parliament for the SAMLA regulations[11], says that these sanctions aim to deter and respond to cyber-attacks, by imposing targeted measures on individuals and entities who are responsible for or provide support for them, or who are associated with such persons.

The first set of designations (again imposed by way of a Decision[12] and Regulation[13], both on 30 July 2020) are against six individuals and three entities responsible for or involved in various cyber-attacks, including the attempted attack against the OPCW (Organisation for the Prohibition of Chemical Weapons) and those publicly known as ‘WannaCry’, ‘NotPetya’, and ‘Operation Cloud Hopper’.

The Impact on Businesses

These sanctions make it unlawful for all UK and EU businesses to deal with the assets of, or provide economic resources to, any of the designated individuals and entities without a licence from OFSI. Businesses in the regulated sector for the purposes of anti-money laundering and counter-terrorist financing regulations will largely rely on the same automated checks they use now to run AML, CTF and sanctions checks on customers and others with whom they do business, although it is important to recognise that the prohibitions apply not just to this sector but to all businesses.

Reporting and Guidance

There are also obligations to report and provide information on sanctions targets and breaches, which apply to a slightly broader set of businesses than the AML/CTF regulated sector. This includes solicitors’ firms, although the obligation does not extend to information subject to legal professional privilege.

OFSI has produced general guidance on licences[14] and the civil penalties regime[15], as well as specific guidance on these sanctions[16].

The Impact of Brexit

There will be some, mostly minor, changes to the UK version of these sanctions after the end of the transition period, including to the scope of licences that are allowed, and the means by which designations can be challenged. The UK will also be free to amend, revoke or add to these sanctions in any way it wishes. Based on its role in devising them and its stance on cyber-attacks in general, it is safe to presume that any changes will not have the general effect of lessening the impact of sanctions on UK businesses; if anything, they are more likely to add additional targets, and/or to make enforcement stricter.

If you wish to discuss any of the issues raised in this guide please do contact John Binns, in the strictest confidence.

John Binns is a specialist in proceeds of crime laws, cannabis regulation, sanctions, and tax investigations. He has extensive experience in financial crime, which also involves bribery and corruption, extradition, Interpol, fraud, market abuse, and the conduct of related civil proceedings. He is a prolific writer and speaker on a variety of topics.

[1] Under the Immigration Act 1971, Section 8B.

[2] Under the European Communities Act 1972.

[3] Under the Policing and Crime Act 2017, Part 8.

[4] https://www.consilium.europa.eu/en/press/press-releases/2017/06/19/cyber-diplomacy-toolbox/

[5] https://www.legislation.gov.uk/ukpga/2018/13/contents/enacted

[6] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.LI.2019.129.01.0013.01.ENG&toc=OJ:L:2019:129I:TOC

[7] https://eur-lex.europa.eu/legal-content/GA/TXT/?uri=CELEX:32019R0796

[8] Cyber Attacks (Asset-Freezing) Regulations 2019.

[9] European Union (Withdrawal Agreement) Act 2020.

[10] Cyber (Sanctions) (EU Exit) Regulations 2020.

[11] https://www.legislation.gov.uk/uksi/2020/597/pdfs/uksiod_20200597_en.pdf

[12] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.LI.2019.129.01.0013.01.ENG&toc=OJ:L:2019:129I:TOC