The UK Government has published details of the new cyber security sanctions regime in the form of the Cyber (Sanctions) (EU Exit) Regulations 2020 (SI 2020/597) (the Regulations).
The Regulations are intended to apply after the expiry of the transition period for Brexit (currently 31 December 2020). They will replace the current EU sanctions regime which operates in the UK (namely Council Regulation (EU) 2019/796 and the Cyber-Attacks (Asset-Freezing) Regulations 2019 (SI 2019/956)).
Cyber security has arguably never been more important as our world becomes increasingly digitised. This provides fertile soil for cyber criminals, who are using increasingly sophisticated methods of illegally accessing IT networks. As we have seen in a number of recent cases, the consequences of cyber-attacks for businesses can be severe from a financial, legal and reputational perspective.
Given the potential impact of cyber security attacks, businesses are investing increasing amounts of money in defending their IT systems against attack, both through technology and training for employees (for example, the certified training scheme backed by the National Cyber Security Centre).
Purpose of the Regulations
The Regulations have two main purposes:
- To help ensure that the UK can operate an effective cyber sanctions regime after the end of the transition period and deter those who are, or are considering, conducting or directing relevant cyber activity from a UK or international perspective.
- To grant the UK Government the power to amend the sanctions regime, for example by lifting sanctions or imposing new sanctions autonomously (something which the EU sanctions regime did not permit).
The explanatory notes, which accompany the Regulations, highlight the importance the UK Government places on an effective sanctions regime which achieves these purposes. In particular, the notes cite the challenges posed by the growth in intensity, complexity and severity of cyber-attacks, the increasing risk appetite of cyber criminals and their ability to affect critical national infrastructure, democratic institutions, businesses and the media.
For the most part the Regulations aim to maintain the status quo in relation to cyber regulations with a view to ensuring a level of harmonisation between the UK sanctions regime and the EU sanctions regime after the end of the transition period. As such the Regulations contain broadly similar concepts to the existing EU sanctions regime, for example in relation to freezing funds or assets of people who are, or have been, involved in relevant cyber activity.
The Regulations maintain the key provisions aimed at achieving the above purposes such as:
- Designated persons – the Regulations give the Secretary of State the power to designate and exclude from the UK any persons who are, or have been, involved in relevant cyber activity and impose financial sanctions on such designated persons, including freezing funds or other economic resources.
- Prohibitions – the Regulations set out various prohibitions in relation to dealing with designated persons, contravention or circumvention of which is a criminal offence, for example dealing with funds or economic resources of a designated person or making funds available to a designated person.
- Issuing licences for prohibited activities – the Regulations provide the Treasury with the power to issue licences in respect of prohibited activities, for example the release of funds of a designated person for medical reasons or for basic needs purchases such as food, utility bills etc.
- Information sharing – the Regulations also contain provisions aimed at facilitating the sharing of information to enable effective implementation and enforcement of the sanctions regime.
The key difference is that, unlike the existing EU sanctions regime, the Regulations provide HM Government with additional flexibility to amend the sanctions regime as well as amend or lift the sanctions autonomously.
Therefore, on the face of it, it may seem that little has changed in relation to the cyber security sanctions regime in the UK. However, it will be interesting to see whether the Regulations will provide HM Government with the agility, flexibility and autonomy, which it did not have previously, that it needs to react effectively to cyber security attacks as the digital landscape continues to evolve. This could be an opportunity for the UK to lead the way in the fight against cyber security attacks.