On April 1, the president signed Executive Order 13694, which created a new sanctions regime for fighting cyberattacks. This creates opportunities for companies that are facing or may face cyberattacks. The Executive Order provides additional tools for victims of cyberattacks to punish the perpetrators by working with the government. The Executive Order creates framework to allow the government to take action in response to attacks on private companies and take all measures necessary to punish co-conspirators. The Executive Order also creates several issues that individuals and companies with international dealings should consider taking into consideration to avoid potential liability.
The Executive Order grants the Secretary of the Treasury authority to “block” the assets of anyone who conducts or aids “cyber-enabled activities . . . reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States . . . .” The Executive Order also grants the power to sanction any individual or entity that gives support to, assists in anyway, or sponsors such a cyber-attacker. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) will work in coordination with other U.S. government agencies to identify individuals and entities that engage in prohibited cyber activities and designate them for sanctions. Persons designated under this Executive Order will be added to OFAC’s list of Specially Designated Nationals and Blocked Persons (SDN List). U.S. persons are prohibited from engaging in most all transactions with designated individuals and entities named on the SDN List or entities owned by such designated persons. Additionally, designated persons sanctioned under the Executive Order will be blocked from entering the United States.
Given the growing nature of cyberattacks and the Executive Order’s potentially broad reach, individuals and companies with international business should consider taking steps to ensure their business partners do not meet the criteria of cyberattackers. For example, payments from persons designated as cyberattackers will be blocked by U.S. financial institutions and U.S. persons that engage in transactions with such persons could be subject to substantial penalties. Accordingly, U.S. businesses engaged in international transactions should consider updating their compliance programs and screening procedures to ensure they are not dealing with any persons designated on the SDN List, or that are owned 50 percent or more by such designated persons.
The Executive Order represents a turning point for the administration. It signals that the administration will take a more active role in fighting attacks that are often diffuse and difficult to investigate. Barnes & Thornburg has worked with the government to track down hackers who have levied corporate cyberattacks. In light of the Executive Order, there can be little doubt that the government will redouble its efforts to help victim companies, presenting opportunities for companies to work with the government in its efforts to track down and stop the perpetrators. This is good news for fighting cyberattacks.