Cyber-attacks are not just used by individual criminals to perpetrate financial crimes and may also be used by state-level actors to attack other countries. In 2020, the theft of $281 million in cryptocurrency from a Singapore crypto exchange was linked to the North Korean government, while the December 2020 ‘SolarWinds’ hack attributed to the Russian government saw data stolen from 18,000 US government and private computers.
When cyber-crime is perpetrated by state actors, traditional economic sanctions such as trade embargoes and asset freezes may not be a suitable response and governments may instead seek to impose cyber sanctions as a way to prevent and punish the malicious activity. With that in mind, in a digital financial landscape firms must be aware of the relevance of cyber-crime penalties and the increasing importance of cyber-sanctions compliance.
Cyber sanctions are a relatively recent development in the international regulatory landscape but are increasingly implemented to prevent and punish cyber-attacks from malicious state actors. Types of state-level cyber-attack or cyber-crime may involve phishing and hacking for the purposes of data or financial theft, the theft of intellectual property, or the distribution of misinformation via social networks.
Cyber sanctions function in a similar way to a conventional sanction, prohibiting transactions, trading, and business relationships with the individuals and entities deemed responsible for cyber-enabled attacks or malicious activities. The implementation of a cyber sanction involves an attribution process in which regulators seek to determine responsibility for an attack. The attribution process is complicated: authorities must investigate vast amounts of technical evidence such as computer code, IP addresses and other data, while contending with privacy issues and the anonymity and potential for identity falsification associated with cyber-crime.
Once an attribution has been made, the relevant national authority may make a sanctions designation. Non-compliance with such a designation may lead to a range of cyber-crime penalties, including fines and prison sentences.
When a country implements a cyber sanctions regime it must be confident that the cyber crime penalties it imposes will have the desired impact upon their targets. Accordingly, regimes vary by global jurisdiction:
The United States’ cyber crime regime was established in 2015 and its first designations were made in 2016 against persons attempting to interfere in the 2016 general election. Targets of US cyber sanctions are included on the Office of Foreign Assets Control’s Specially Designated Nationals and Blocked Persons List (SDN list). Over 100 cyber sanction targets are listed by OFAC for cyber-related activities including election interference, phishing scams, hacking and malware attacks, and other types of fraudulent activity.
The US makes cyber sanctions designations against the following categories of person:
- Persons engaging in cyber attacks from outside the US that pose a significant threat to national security, foreign policy, or economic stability.
- Persons that seek to use trade secrets for commercial or financial gain.
- Persons that provide assistance to or financial or technological support for a cyber-attack.
- Persons that are owned or controlled by perpetrators of cyber-attacks.
Cyber sanctions designations are made against persons that engage in and attempt to engage in the listed activities.
The EU has implemented cyber crime penalties and sanctions at a slower pace than other countries: it did not introduce a cyber crime regime until May 2019 and did not make its first designations until July 2020. The first round of EU cyber sanctions targeted Russian, North Korean, and Chinese actors that were involved in attacks from 2017. The EU imposes cyber sanctions as a response to attacks on member states’ critical social and economic infrastructure and services, defense and diplomatic functions, and classified information.
Under the EU cyber sanctions regime, designations are made against the following categories of person:
- Persons that engage in or attempt to engage in cyber attacks.
- Persons that provide financial, technical, or material support for cyber attacks.
- Persons that associate with persons involved in a cyber attack.
Following Brexit, the UK updated its cyber sanctions, replacing the EU regime with its own autonomous regime known as The Cyber (Sanctions) (EU Exit) Regulations 2020. The new cyber sanctions regime broadly follows the function and objectives of the EU regime, but the UK is free to add, revoke, and amend its own sanctions autonomously. The UK has also adjusted the licensing process for its autonomous regime and the process through which designated persons can challenge their status.
Pandemic lockdown restrictions imposed in jurisdictions around the world have been accompanied by an increase in illegal activities such as cyber crime fraud and money laundering, and a similar surge in cyber attacks including those directed against governments and critical national infrastructure. In addition to 2020’s high profile SolarWinds hack, cyber-attacks on coronavirus-related firms and healthcare organizations were reported across Europe in early 2021, including an attack on vaccine-developer Pfizer by North Korean hackers.
In response to the elevated threat, governments are increasing their focus on the implementation of cyber-sanctions regimes in order to prevent and deter illegal activities. The EU, for example, recently extended its current cyber sanctions program until May 2021 in order to ensure member-states remain protected against malicious actors.
In most jurisdictions, the penalties for non-compliance with cyber sanctions include fines and prison sentences, and vary depending on the severity of the offence. Accordingly, In order to comply with cyber sanctions, banks, financial institutions and other obligated entities should be aware of the relevant sanctions lists that apply within their jurisdiction. Accordingly, firms must screen their customers against the sanctions lists such as OFAC’s SDN list, the EU’s Consolidated List, and the UK’s sanction list.
Effective cyber sanctions screening should be built on a robust know your customer (KYC) process, deployed as part of a risk-based AML/CFT program. In practice, this means implementing the following measures:
- Customer due diligence: Firms must establish and verify their customers’ identities in order to screen them accurately against the relevant sanctions list. In the context of cyber crime this may involve establishing IP addresses and digital identity.
- Transaction monitoring: Firms should monitor customers’ transactions for suspicious behavior that might indicate an attempt to evade cyber sanctions.
- Screening and monitoring: Firms should monitor their customers’ politically exposed person (PEP) status and for their customers’ involvement in adverse media stories that might link them to cyber sanctions.
Smart technology: Given the vast amounts of data required for the cyber sanctions screening process, firms should seek to implement suitable smart technology tools, including artificial intelligence and machine learning systems, to manage the compliance burden. Automated smart technology not only adds speed, efficiency, and accuracy to the screening process, but can better manage unstructured data generated by digital transactions and help firms detect or even anticipate changes in customer behavior.
Get Started Now
Our Sanctions Screening Tool Updates In Minutes and Screens Against 1,000s of Global Government Regulatory and Law Enforcement Watchlists and Over 100 International and National Sanctions Lists.