EU adopts new sanctions framework targeting external cyber-attacks

Authors: Susannah Cogman, Daniel Hudson and Hannah Lau

On 17 May, the EU adopted legislation which will enable it to impose sanctions against persons and entities who engage in cyber-attacks against the EU and its member states. The sanctions will be designed “to deter and respond to cyber-attacks with a significant effect which constitute an external threat to the EU and its Member States”. The new regime underlines a clear commitment by the EU to continue to strengthen its capability to address its “[concern] at the rise of malicious behaviour in cyberspace”.

BACKGROUND

In recent years, the EU has taken a series of actions to tackle cyber threats. On 19 June 2017, the EU developed a framework for a joint response to malicious cyber threats (known as the “Cyber Diplomacy Toolbox”), and subsequent implementing guidelines envisaged sanctions as one of the tools available. The timing of the announcement of the new regime is also notable given its proximity to the EU Parliament elections which started on 23 May.

Reported concerns amongst officials from the EU and certain member states in the past have related to hacking incidents or threats linked to China, Russia and North Korea. However, the legislation explicitly states that the imposition of sanctions against a person or entity does not amount to attribution of responsibility to a third state, which is a political decision.

SCOPE OF THE SANCTIONS REGIME

The sanctions will target persons involved in cyber-attacks with a significant effect which constitute an external threat to the EU and/or its member states. The regime also covers attempted attacks with a potentially significant effect.

“External”

Cyber-attacks constituting an external threat include those which:

  1. originate, or are carried out, from outside the EU;
  2. use infrastructure outside the EU;
  3. are carried out by any person or entity established or operating outside the EU; or
  4. are carried out with the support, at the direction of or under the control of any person or entity operating outside the EU.

“Threat to member states or the EU”

Attacks which are a threat to member states are envisaged to be cyber-attacks targeting: (a) critical infrastructure; (b) social and economic services (such as in the energy, health and financial markets sector); (c) critical state functions (such as areas of defence and public elections); and (d) classified information.

Threats to the EU include cyber-attacks carried out against its various institutions and its common security and defence policy (“CFSP”). The legislation also reserves the right to apply sanctions in relation to cyber-attacks against third States and international organisations where deemed necessary to achieve CFSP objectives, giving it a potentially broad scope.

“Significant effect”

Whether an attack has a “significant effect” will depend on a range of factors including the scale of disruption, the number of persons or entities concerned, the loss caused, and the nature of the data stolen.

Who can be penalised

There is a broad scope for those who could be listed. The sanctions could target individuals or entities who:

  1. carry out (attempted) cyber-attacks;
  2. provide financial, technical or material support for such attacks including facilitating such attacks by action or omission; or
  3. are associated with those in 1 or 2 above.

The type of sanctions imposed

The sanctions available will include a ban on any listed persons from travelling to the EU and asset freezes. EU persons and entities will also be forbidden from making funds or economic resources available directly or indirectly to those listed.

PRACTICAL CONSIDERATIONS

The new regime emphasises the continuing willingness of the EU to use sanctions to address concerns; these sanctions are similar to recent EU sanctions aimed at targeting the use of chemical weapons. While no one has yet been listed under this framework, there is a continuing need for companies to ensure that they have thorough, up-to-date and ongoing screening to identify any listed persons they might directly or indirectly deal with.

It is noted that the UK government has said that in the event of a “no deal” Brexit, it will look to carry over all EU sanctions through regulations made under the Sanctions and Anti-Money Laundering Act 2018, in order to ensure a smooth transition. These UK regulations will come into force on 11 June 2019.

Susannah Cogman
Partner, London
+44 20 7466 2580
Daniel Hudson
Partner, London
+44 20 7466 2470
Hannah Lau
Associate, London
+44 20 7466 2314

Andrew Moir
Partner, London
+44 20 7466 2773
Elena Hogg
Associate, London
+44 20 7466 2590

OFAC Emphasizes Importance of Risk-Based Sanctions Compliance Programs for US and International Companies

Authors: John O’Donnell, Jonathan Cross, Geng Li, Christopher Milazzo, Susannah Cogman and Daniel Hudson

Further emphasizing its expectation that all companies whose business touches on the United States should maintain a robust, risk-based US economic sanctions compliance program (“SCP”), the US Treasury’s Office of Foreign Assets Control (“OFAC”) has published a detailed “Framework for OFAC Compliance Commitments” (the “Framework”) setting forth the key components of an adequate SCP. OFAC’s release of the Framework heightens the need for US and international companies to review their existing policies, procedures and controls relating to sanctions compliance, and to make appropriate changes to update relevant policies in line with OFAC’s guidance. As the number and scale of US sanctions enforcement actions increase, maintaining an effective SCP is an essential tool for managing sanctions risk; conversely, the Framework makes clear that the absence of an adequate SCP will be viewed negatively by OFAC pursuant to its Economic Sanctions Enforcement Guidelines.

The Framework includes a discussion of the typical “root causes” of sanctions violations leading to OFAC enforcement action; in most cases, SCP deficiencies are key elements in these examples. Thus, all companies whose business directly or indirectly involves the US or US persons should review their SCP carefully in consideration of these identified root causes.

No More “Significant Reduction Waivers” – The Trump Administration Further Strengthens Sanctions against Iran

On April 22, 2019, the White House announced that the Trump administration will not issue further “significant reduction waivers” exempting specified countries from the threat of secondary sanctions based on their purchases of Iranian crude oil. The move signals the Trump Administration’s intention to utilize economic sanctions to bring Iran’s level of oil exports to zero. The announcement follows the recent determination to designate the Islamic Revolutionary Guard Corps as a foreign terrorist group, both forming part of the Administration’s “maximum pressure” campaign with respect to Iran. The campaign aims to push Iran to take action in response to the Trump Administration’s “twelve demands,” which relate both to nuclear issues and to other aspects of Iran’s behaviour, such as its involvement in conflicts in Syria and Yemen and tensions with US allies in the region.

New podcast on conducting internal investigations in Asia

Robert Hunt, a partner in the firm’s corporate crime and investigations practice, has recorded a podcast for the Corporate Compliance and Ethics Blog on trends in internal investigations in Asia.

Whilst investigations used to be largely corruption-related, Rob is seeing an increasing number of investigations into sales and revenue fraud, money laundering and sanctions. Robert discusses these as well as the rise of data privacy and privilege issues and the role played by language and culture in investigations.

Parliamentary Reports Back Improvements to the Supervision and Prosecution of Economic Crime

In this article we summarise some of the key points arising from two important reports regarding economic crime in the UK which have been published in recent weeks.

On 8 March 2019, the House of Commons’ Treasury Committee published its “Economic Crime – Anti-money laundering supervision and sanctions implementation” report (the “Treasury Committee Report”), which suggests improvements to be made in order to tackle economic crime and develop anti-money laundering (“AML”) supervision.

On 14 March 2019, the House of Lords’ Select Committee on the Bribery Act 2010 (“UKBA”) published a report titled “The Bribery Act 2010: post-legislative scrutiny” (the “UKBA Report”) which considered whether the Act is achieving its intended purposes.

We outline some of the key conclusions and recommendations of the reports, including in relation to:

  • Proposed Legislative Reform – including potential changes to corporate criminal liability and the Bribery Act Guidance in relation to the “adequate procedures” defence and corporate hospitality;
  • Deferred Prosecution Agreements (“DPAs”) – suggested improvements including in relation to the court’s discretion, discounts, the prosecution of individuals and their application to smaller companies;
  • AML Supervision – the risks of the current approach to AML supervision by multiple bodies and suggested improvements;
  • Financial Sanctions – the effectiveness of sanctions for economic crime, including the possibility of introducing a discretion to block UK listings on the grounds of national security and the influence of e.g. Russian money in the UK;
  • Derisking – recommended strategic action to combat derisking;
  • Suspicious Activity Reports (“SARs”) – consideration of the SARs reform programme and suggested improvements;
  • Information Flows – potential information flows at bank level and the National Economic Crime Centre’s (the “NECC”) role as a co-ordinator of law enforcement, regulators and the private sector; and
  • Resources and Delays – the impact of delays and a lack of resources on combatting economic crime.

Corporate Crime Update – Winter 2019

Welcome to the Winter 2019 edition of our corporate crime update – our round up of developments in relation to corruption, money laundering, fraud, sanctions and related matters. Our update now covers a number of jurisdictions.

For the full update on each jurisdiction, please click on the name of the jurisdiction below. Below we provide a brief overview of what is covered in each update.

OFSI imposes its first monetary penalty — Raphaels Bank sanctions breach

Authors: Daniel Hudson, Partner, London and Daniel Hyde, Associate (Australia), London

On 25 February 2019, the UK Government’s Office of Financial Sanctions Implementation (“OFSI”) published a notification of its first imposition of a monetary penalty under new powers afforded to it under the Policing and Crime Act 2017 (“the Act”). The £5,000 penalty was imposed on Raphaels Bank for dealing, without a licence, with funds belonging to a designated person in breach of EU financial sanctions in relation to Egypt. The penalty amount represents a 50 per cent reduction of the baseline penalty amount initially assessed by OFSI as a result of Raphaels Bank’s voluntary disclosure of the breach and subsequent cooperation.

The notification is brief, seemingly because OFSI is making ongoing enquiries in connection with other aspects of the breach unconnected with Raphaels Bank. However, it is apparent that OFSI determined the penalty amount in accordance with its case assessment process set out in its monetary penalty guidance (“Guidance”), which makes this case a useful, albeit currently limited, illustration of its application of that process.

In this briefing, we discuss the significance of the first monetary penalty imposed by OFSI, particularly:

  • the reduction to the final penalty amount as a result of Raphaels Bank’s disclosure and co-operation;
  • the low value of the breach;
  • the current brevity of the notification;
  • possible public interest considerations behind the penalty; and
  • the two procedural rights of review available under section 147 of the Act.

The importance of supply chain due diligence and the risks of modern slavery – OFAC settles North Korean sanctions case with fine

Authors: Kyle Wombolt, Jeremy Birch, Antony Crockett and Emily Purvis.

A recent enforcement action by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) against US company e.l.f Cosmetics Inc (ELF) highlights the importance of supply chain due diligence in conducting cross border business. The action against ELF reflects a global trend of increased regulatory focus on supply chains in relation to a range of business conduct issues, including corruption, modern slavery, and other human rights violations. To mitigate sanction violation risk, companies should verify the country of origin of goods and services in their supply chains.

HERBERT SMITH FREEHILLS’ 2019 GUIDE TO CORPORATE INVESTIGATIONS IN CHINA

Authors: Kyle Wombolt and Anita Phillips

Kyle Wombolt, global head of corporate crime and investigations, and Anita Phillips, professional support consultant, have updated their guide to corporate investigations in China. This forms part of GIR’s acclaimed text, The Practitioner’s Guide to Global Investigations 2019, third edition. It is regarded as the only text covering the nuts and bolts of multi-jurisdictional corporate investigations.
