Related Attorneys:
Related Practices: Data Privacy & Cybersecurity
Banking & Finance

The “September 6th Rule”: OFAC Consolidates Seven-Year Patchwork of Laws, Reissues Cyber-Related Sanctions Regulations

September 07, 2022 On September 6, 2022, without notice or opportunity for public comment, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) published a Rule – which took immediate effect – consolidating a seven-year patchwork of “Cyber-Related Sanctions Regulations.” The Rule did not revise any laws; it merely restated the U.S. government’s opposition to the provision of material support for malicious cyber-enabled activity originating outside the United States.

By: Lewis Brisbois' Data Privacy & Cybersecurity Team

On September 6, 2022, without notice or opportunity for public comment, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) published a Rule – which took immediate effect – consolidating a seven-year patchwork of “Cyber-Related Sanctions Regulations” (Regulations). The Rule did not revise any laws; it merely restated the U.S. government’s opposition to the provision of material support for malicious cyber-enabled activity originating outside the United States. Although the public has become familiar with OFAC due to its enforcement of sanctions against Russia-based purveyors of ransomware, the “September 6th Rule” does not mention ransom. Instead, it provides a coherent consolidation of Executive Orders, Regulations, and related laws prohibiting material support for malicious cyber-enabled activity originating, at least in part, outside the United States.

The Rule reflects OFAC’s role in administering and enforcing economic and trade sanctions pursuant to U.S. foreign policy and national security goals. These sanctions target activities by foreign regimes, terrorists, international narcotics traffickers, purveyors of weapons of mass destruction, and other threats to U.S. national security, foreign policy, or economic interests. OFAC drafts the regulations and compiles lists of foreign entities deemed to be in violation of them. Any payments to these sanctioned entities by U.S.-based organizations must comply with the OFAC regulatory framework.

The patchwork of OFAC Regulations began in 2015 through a number of Executive Orders and regulatory actions. The initial Regulations implemented Executive Orders that intended to prohibit the transfer of property by persons engaged in significant malicious cyber-enabled activities. The Regulations were issued in an abbreviated format to provide immediate guidance to the public. In the seven years since these Regulations took effect, a series of Executive Orders modified them. These Orders granted the Secretary of the Treasury the right to enforce the Orders, including the right to block, seize, and forfeit property used in violation of the Orders. Subsequent Orders and related laws prohibited any activity undermining cybersecurity conducted on behalf of the Russian Federation and any attempts to evade the prohibitions, and established civil and criminal penalties for doing so. 

The OFAC “September 6th Rule” effectively consolidates the various Regulations, Orders, and laws pertaining to malicious cyber-enabled activity originating, at least in part, outside the United States. The Rule does not expand the previous prohibitions. In fact, the coherence of the restatement may serve to better focus the application of sanctions less on geocentric Russia-based activity and more on malicious cyber-enabled activity affecting U.S. economic interests, regardless of where outside the U.S. it originates. 

For more information on this topic, contact the authors of this post. You can also subscribe to this blog to receive email alerts when new posts go up.