Baker McKenzie’s Sanctions Blog published the alert titled OFAC Issues New FAQs on Export Ban on Certain Services on 14 June 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: OFAC Issues New FAQs on Export Ban on Certain Services appeared first on Global Compliance News.


On May 16, 2022, the Biden administration announced the relaxing of certain limited Cuban sanctions and other regulatory changes to expand communication, travel, and commerce between the United States and Cuba. The related fact sheet can be found here.

The US State Department outlined four changes to Cuba policy in the announcement:

  • Facilitate family reunification: The Cuban Family Reunification Parole Program will be reinstated and capacity for consular services and visa processing will continue to increase, making it possible for more Cubans to join their families in the United States via regular migration channels.
  • Expand authorized travel: Scheduled and charter flights to locations beyond Havana will again be authorized following restrictions implemented in 2019 and 2020. The Biden administration will also implement regulatory changes to reinstate group people-to-people and other categories of group educational travel, as well as certain travel related to professional meetings and professional research. Our most recent blog post about travel restrictions against Cuba is here. On June 1, 2022, the US Department of Transportation issued a corresponding Order revoking previous actions restricting certain air services between the US and Cuba, which we previously blogged about herehere, and here.
  • Support greater access to US Internet services, applications, and e-commerce platforms: There will now be support for greater access to expanded cloud technology, application programming interfaces, and e-commerce platforms. Additionally, the United States will explore new options for Internet-based activities, electronic payments, and business with independent Cuban entrepreneurs, providing entrepreneurs’ access to microfinance and training.
  • Enable increased remittance flows to the Cuban people: Remittances will flow more freely to the Cuban people as a general matter. Specifically, the current limit on family remittances of $1,000 per quarter per sender-receiver pair will be removed and donative remittances, which will support independent Cuban entrepreneurs, will be authorized. We blogged about US restrictions on remittances to Cuba here.

These changes neither modify the US embargo of Cuba, Cuba’s designation as a state sponsor of terrorism, nor the majority of the restrictions on Cuba implemented by the Trump administration, which we previously blogged about here, here, here, and here.

Pursuant to the above policy changes, on June 9, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) amended the Cuban Assets Control Regulations to implement some of the elements of the President’s foreign policy to increase support for the Cuban people. The rule authorizes group people-to-people educational travel to Cuba and removes certain restrictions on authorized academic educational activities, authorizes travel to attend or organize professional meetings or conferences in Cuba, removes the $1,000 quarterly limit on family remittances, and authorizes donative remittances to Cuba.

The post United States: Biden Administration relaxes certain limited Cuban sanctions appeared first on Global Compliance News.


On May 26, 2022, the US Department of Commerce’s Bureau of Industry and Security (“BIS”) issued a final rule (the “Final Rule”) updating the scope of License Exceptions Authorized Cybersecurity Exports (“ACE”) and Encryption Commodities, Software, and Technology (“ENC”) related to cybersecurity items in response to public comments on the interim final rule related to cybersecurity items published on October 21, 2021.  The interim final rule established a new control on certain cybersecurity items for National Security (NS) and Anti-terrorism (AT) reasons and created License Exception ACE in Section 740.22 of the Export Administration Regulations (“EAR”), which authorizes exports of identified cybersecurity items to most destinations except in certain circumstances.

The Final Rule makes the following revisions to the EAR, as follows:

  1. An illustrative list of “Government end users” was added to License Exception ACE, which includes (i) international government organizations, (ii) government-operated research institutions, (iii) “more-sensitive government end users,” (iv) “less-sensitive government end users” (as both of these terms are already defined in Section 772.1 of the EAR), and (v) utilities, transportation hubs and services, and retail or wholesale firms wholly or partially operated or owned by a government or governmental authority.
    • “Partially operated or owned by a government or governmental authority” means that a foreign government owns or controls, directly or indirectly, 25 percent or more of the voting securities of the foreign entity or a foreign government or governmental authority has the authority to appoint a majority of board members of the foreign entity.
  2. In respect of exports of “digital artifacts” (related to a cybersecurity incident involving information systems owned or operated “government end user”) to “government end users” in Country Group D, License Exception ACE has been narrowed to only allow for such exports to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6 and only for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents.
  3. A new end use restriction was added to License Exception ENC in Section 740.17(f) of the EAR such that ENC is not authorized for the following items if an exporter “knows” or has “reason to know” that the following items will be used to affect the confidentiality, integrity, or availability of information or information systems, without authorization of the owner, operator, or administrator of the information system:
    • “Cryptanalytic items,” classified in ECCNs 5A004.a, 5D002.a.3.a or c.3.a, or 5E002;
    • Network penetration tools described in Section 740.17(b)(2)(i)(F) of the EAR, and ECCN 5E002 technology therefor; or
    • Automated network vulnerability analysis and response tools described in Section 740.17(b)(3)(iii)(A) of the EAR, and ECCN 5E002 technology therefor.

BIS considered this change necessary to prevent evasion of one of the end-use restrictions in License Exception ACE, i.e., by adding cryptographic or cryptanalytic functionality to a cybersecurity item and exporting, reexporting, or transferring (in-country) the resulting item under License Exception ENC.

The authors acknowledge the assistance of Eweosa Owenaze in the drafting this post.

The post United States: BIS updates license exceptions related to cybersecurity items appeared first on Global Compliance News.


Baker McKenzie’s Sanctions Blog published the alert titled OFAC Reissues General License Extending Authorization Period for Transactions Related to Energy on 16 June 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: OFAC reissues General License extending authorization period for transactions related to energy appeared first on Global Compliance News.


Baker McKenzie’s Sanctions Blog published the alert titled OFAC Designates Additional Russian Parties and Amends and Issues Russia-Related General Licenses on 7 June 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: OFAC Designates Additional Russian Parties and Amends and Issues Russia-Related General Licenses appeared first on Global Compliance News.


Baker McKenzie’s Sanctions Blog published the alert titled OFAC Publishes New and Amended FAQs Regarding the Russia Investment Ban on 8 June 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: OFAC Publishes New and Amended FAQs Regarding the Russia Investment Ban appeared first on Global Compliance News.


By Donna Steward, Director of Government Affairs, HITRUST

Complying with the Cyber Incident Reporting for Critical Infrastructure Act — which was passed into law in March of 2022 — may present new challenges for information security teams. Organizations in the 16 critical infrastructure sectors are the primary targets for the Act. However, any business acting as a vendor or supplier to an entity that is classified as part of the critical infrastructure, or any organization for which a cyber disruption would impact economic security or public health in the U.S., may also be impacted.

The Act requires those organizations subject to the law to report substantial cybersecurity incidents to the federal government within 72 hours. If an organization makes a ransomware payment, it has only 24 hours to make such a report. Even if an incident does not involve Personally Identifiable Information (PII), these requirements may still apply.

The Intent of the Cyber Incident Reporting for Critical Infrastructure Act

The principal intent of the Act is for the Cybersecurity and Infrastructure Security Agency (CISA), the enforcing agency for the Act, to gather, evaluate, analyze, and compile information related to system infiltrations that may lead to potential widespread system threats.

The data CISA will collect is meant to help stop the spread of successful attacks by identifying threat actors and helping identify and build defenses against their methodologies. Intelligence gained and potential aversion strategies will then be shared through public alerts to provide organizations with the information they need to block new threats and take action to protect their IT systems.

“You need to start thinking about how you prepare and plan for any type of cyber incident now.”5
Brandon Wales, Executive Director, U.S. Cybersecurity Infrastructure Security Agency (CISA)

CISA gov logo

During an interview at the 2022 Boston Conference on Cyber Security on June 1, 2022, Brandon Wales, Executive Director, U.S. Cybersecurity Infrastructure Security Agency (CISA), reinforced the value of this information in helping to stop the spread of cyber threats:

“A cybersecurity event can cause catastrophic impacts on public health and safety, the economy, or national security,” said Brandon Wales, Executive Director, CISA.1 “We’re there … to help make sure the next potential victim is able to stop an attack before it is successful.”2

Wales went on to say, “We think it’s (the Cyber Incident Reporting for Critical Infrastructure Act) an incredibly important piece of legislation that will over the long-term really be a seismic change in our ability to … use information to take action against adversaries and to protect the U.S. critical infrastructure.”3

Additional Clarification is Essential to Understand New Obligations

At present, general wording of the Act leaves room for interpretation. For example: covered entities must file a report for a significant cyber incident within 72 hours—after they reasonably believe a qualifying incident has occurred. Beyond critical infrastructure, which organizations could be considered covered entities? What type of incident will qualify as significant? And how will reasonably believe be defined?

Regulations must address these questions before the reporting requirements go into effect. CISA has until March 2024 to develop the new regulations, and then another 18 months to finalize them. However, given the increasing cyber threat landscape, it is highly likely CISA will accelerate this process so report results can more quickly be used to help reduce overall threats and mitigate potential losses.

CISA recently confirmed their desire to accelerate the regulation development process, “We have two years to publish a draft rulemaking, and then 18 months after that to publish a final rule,” Wales said. “Obviously, we are going to try to move more quickly than that.”

Which Organizations Could Be Affected?

Most companies within critical infrastructure sectors are already aware they will be subject to the law and new reporting requirements. However, depending on how widely the net is cast, the final definition of covered entities is likely to include subcontractors, vendors, and/or suppliers that exchange data or share technology with a critical infrastructure organization. All critical infrastructure subcontractors, vendors and suppliers should pay close attention to the regulation development process and prepare early for new information protection responsibilities that may be needed in order to comply with the new law.

What Might Be Required?

In addition to who must report, what is to be reported must also be defined. Providing the information necessary to determine how a breach occurred (exploited vulnerability, new infiltration strategy, human error, etc.), and the likelihood that the incident can be replicated in other systems is essential to ensuring CISA can effectively identify and promote strategies to eliminate such threats. The information shared must be detailed enough to show the tactic — for instance: did the cybercriminal use a missing patch to traverse the network and bypass the antivirus system, which may call into question the overall security hygiene of the system that was breached.

In light of this, it seems likely that critical infrastructure organizations will be asking business partners and service providers to provide assurances that they have sufficient data security policies, procedures, and programs in place to comply with the new law.

Enforcement Provisions

If a system breach does occur, under the new law organizations that resist reporting and providing requested information can be subpoenaed and compelled to provide requested data and data system information. This gives CISA significant authority to demand information related to any impacted corporate record system. If CISA’s efforts to collect information fails, the agency has the authority to pass matters along to the Department of Justice.

Proper Preparation Helps Ensure Compliance

Given the time it takes to restructure cybersecurity programs and develop reporting mechanisms, organizations within the Critical Infrastructure ecosystem along with their third-party service providers, vendors, and suppliers, should consider taking steps as soon as possible to prepare for and avoid any complications that may arise from this new law.

“You need to start thinking about how you prepare and plan for any type of cyber incident now,” Wales stated.5

The first steps should be to review and update current incident response plans and discuss potential changes with information security and compliance professionals as soon as possible.

How HITRUST Can Help Prepare Your Organization

With the upcoming Cyber Incident Reporting for Critical Infrastructure Act regulations on the horizon, using HITRUST to help manage and assess your information risk management program assures both internal and external stakeholders that information protection controls are robust and effective will be more important than ever.

HITRUST offers a comprehensive information risk management program methodology that is integrated, maintained, and widely adopted to support your organization’s security and compliance goals. The HITRUST Approach addresses the key challenges of implementing and assessing data protection, information risk management, and compliance.

As a market-leading security, privacy, and compliance assessment, achieving HITRUST Certification can help you demonstrate to all relevant parties that your organization has taken the most proactive approach to data protection and risk mitigation, and is adhering to the highest information security standards.

Qualifying Organizations are Invited to Download the HITRUST CSF Free of Charge!

The foundation of all HITRUST programs and services is the HITRUST CSF, an industry-leading, certifiable information risk management and compliance framework that organizations can rely on to provide reliable, high-quality assurance results with transparency, accuracy, integrity, and consistency.

For more information regarding the Cyber Incident Reporting for Critical Infrastructure Act, or on preparing your organization, contact

Follow HITRUST on Twitter.
Follow HITRUST on LinkedIn.

Quotation References
In a fireside chat interview at the Boston Conference for Cyber Security, hosted on June 1, 2022, by Boston College and the FBI, Brandon Wales, Executive Director, U.S. Cybersecurity Infrastructure Security Agency (CISA), offered many comments about CISA and the Cyber Incident Reporting for Critical Infrastructure Act. The comments included in this blog are publicly available quotes taken from the video-recorded interview posted on YouTube.

YouTube Video: Timestamp 2:45-2:50
2 YouTube Video: Timestamp 9:04-9:13
YouTube Video: Timestamp 37:02-37:20
4 YouTube Video: Timestamp 35:16-35:26
5 YouTube Video: Timestamp 23:04-23:08


About the Author

Donna StewardDonna Steward, Director of Government Affairs, HITRUST

Donna leads HITRUST activities that monitor state and federal actions related to cybersecurity. With more than 20 years of legislative and regulatory expertise, Donna is a highly experienced policy analyst collaborating with legislators and regulators to accomplish key organizational objectives. Donna has vast knowledge across many fields, including healthcare.

The post On the Horizon: Upcoming Cyber Incident Reporting for Critical Infrastructure Act Introduces New Compliance Requirements appeared first on HITRUST Alliance.


In brief

In the wake of last month’s collapse of the TerraUSD token, a broad array of regulators and government officials have attempted to introduce a legal framework around stablecoins. Recently, Japan passed comprehensive legislation around the issuance of stablecoins. Last week, Senators Lummis (R-WY) and Gillibrand (D-NY) introduced a bill into the US Congress that would, among other things set requirements for the amount of backing assets stablecoin issuers would be required to hold. 

The latest entrant is the New York State Department of Financial Services (DFS), which threw its regulatory hat in the ring by issuing public guidance on the issuance of stablecoins by its regulated entities when the stablecoins issued are backed by US Dollars (USD). 

In depth

Importantly, this guidance pertains only to stablecoin issuers who are already licensed or chartered by DFS. It does not limit the listing of any kind of stablecoin by DFS licensed, nor does it pertain to stablecoin issuers who are not licensed by DFS. For these few DFS licensed entities, it sets standards for their USD-backed stablecoins by introducing the following three requirements:

  1. Redeemability: Noting the concern expressed in last year’s report from the President’s Working Group (PWG) regarding the potential for “runs” or “mass redemption events” on stablecoins, the DFS guidance specifies that, at issue and until they has been burned, the tokens must be “fully backed by a reserve of assets” in order to ensure the ability of a stablecoin holder to redeem that token for fiat currency. Additionally, the guidance specifies that the issuer must obtain approval of their redemption policies, which must be clear and conspicuous and include a redemption period of no more than two full business days after receipt of a redemption order. Thus, every stablecoin issued by a DFS licensed entity must have an approved asset backing the value of that coin, and there must be a clear and well-articulated plan for how a user may redeem that coin for fiat. 
  2. Backing Assets Required: DFS also has narrowed the type of assets that may be held in reserve to the following: (i) cash reserves held at US banking institutions (whether federally or state chartered), (ii) US government money-market funds, (iii) over-collateralized reverse repo agreements that are fully collateralized by US Treasuries, and (iv) US Treasury Bills with less than three months to maturity. Notably, many GAAP “cash equivalents” have not been included in this list, such as treasury notes and bonds with little time to maturity, CD’s, and most notably commercial paper. In DFS’s view, limiting the types of assets that may be held is designed to ensure the value of the stablecoins is not tied to riskier or less liquid assets whose value may fluctuate.     
  3. Auditing of Assets: The third section of this guidance, which was possibly less expected than the first two, requires monthly audits to be conducted by an independent CPA, which must also file an attestation based on any findings to DFS. This needs to be instituted within a “reasonable period,” and the scope of the audit should include any additional restrictions placed on the issuing entity by DFS. This independent verification of the quantity and quality of the assets is understandable from a regulator’s point of view; however, it is too soon to see what, if any, effect this potentially costly and cumbersome requirement may have on these regulated entities.

Additional Questions: 

What does this mean for issuers of US-backed stablecoins? 

For those stablecoin issuers already licensed or charted by DFS, this likely has little effect in day-to-day operations. These entities have obtained their licenses, at least in part to signal to the industry that their stablecoins are safe bets. While there may be certain backing assets currently held that will have to be replaced within the next three months, we can anticipate that they will decide to meet these additional requirements.

For unlicensed stablecoin issuers, this guidance provides clarity to the market about what is required of their competition. Recently large stablecoin issuers have made headlines promoting the makeup of their backing assets. At a time in in the crypto industry when faith in the stability of certain stablecoins is vulnerable, it will be interesting to see whether we see a greater adoption of coins like BUSD, GUSD, ZUSD, and USDP based on this clarity. 

What does this mean for exchanges looking to offer USD backed stablecoins?

All licensed/registered exchanges, whether licensed by DFS or not, have the ability to list USD backed stablecoins. However, this guidance and the actions that might be taken as a result may provide insight, and potentially confidence, into a very few number of particular coins. Whether operating a centralized exchange or a DEX, crypto markets lately have evidenced uncertainty regarding the stability of stablecoins, and therefore the long-term assurance that customers will have access to adequate liquidity could help stabilize some of that concern.

Entities licensed by DFS, whether through a BitLicense or a Limited Purpose Trust Charter, should also take into consideration this guidance when deciding what stablecoins to list on their exchange. While the guidance is clear that the requirements only pertain to stablecoins issued by licensed entities, the guidance does mention that these requirements should also be used as guidance when conducting due diligence before listing new coins. Therefore, this may necessitate the need for new approval and review procedures prior to listing.

What does this mean for issuers of non-USD backed stablecoins?

This guidance provides clarity around the regulation in place for specific stablecoins. It does not address any other type of stablecoin (for example, those backed by other currencies, commodities, other digital assets, or even algorithmic stablecoins).

This guidance is a step in the right direction for those have sought additional clarity in the space, and it may become a burden for those seeking to capitalize on uncertainty. At every level of government, officials are realizing they are no longer able to ignore virtual currency, and it is likely this is just the beginning of much to come. 

The post United States: Finally, an actual regulator steps into the cryptocurrency arena – NYS DFS issues stablecoin guidance appeared first on Global Compliance News.


On May 16, 2022, the US Departments of State and Treasury and the Federal Bureau of Investigation (“FBI”) issued a joint advisory alert to the public about attempts by the Democratic People’s Republic of Korea (“DPRK” a.k.a. North Korea) and DPRK information technology (“IT”) workers posing as non-DPRK nationals to obtain employment outside of North Korea.  The Advisory provides guidance to help prevent inadvertent recruitment, hiring, and facilitation of North Korean IT workers, as the hiring or support of DPRK IT workers may create business risks that range from theft of data, intellectual property, and funds, to sanctions-related risks under both US and United Nations (“UN”) authorities.

The advisory guide provides information on how DPRK IT workers operate and notes red flag indicators and due diligence measures to help companies avoid hiring DPRK IT workers and to help platforms identify DPRK IT workers abusing their services. Below we summarize key read flag indicators and risk mitigation recommendations highlighted in the Advisory fact sheet.

Red Flag Indicators of Potential DPRK IT Worker Activity Include:

  • Logins from multiple IP addresses (often from different countries) into one account within a short period of time;
  • Frequent transfers of money through payment platforms, often to People’s Republic of China (PRC) based bank accounts or requests for payments in cryptocurrency;
  • Inconsistency in information such as in name spelling, nationality, alleged work location, contact information, educational history, work history, and other details on freelance platforms, social media profiles, payment platforms, and external portfolio websites; and
  • An inability to conduct business during regular business hours and an inability to reach the worker in a timely manner, particularly through instant communication methods.

Due Diligence Measures the Private Sector Can Take to Prevent the Inadvertent Hiring of DPRK IT Workers:

  • Verify documents submitted to you as part of job applications directly with the listed company or educational institution in order to check for a different use of contact information from what was provided on submitted documentation;
  • Carefully scrutinize identity verification documents for forgery;
  • Conduct a video interview to verify a potential worker’s identity;
  • Conduct a pre-employment background check and or biometric (fingerprint) log to verify identity and claimed location;
  • Avoid payments in cryptocurrency and require banking information verification that corresponds to identifying documents;
  • Check the name spelling, nationality, claimed location, contact information, educational history, work history, and other details are consistent across the developer’s freelance platform profiles, social media, platform payment accounts, and assessed location of hours of work; and
  • Be suspicious if a developer is unable to receive items at the address on their identifying documents.

The authors acknowledge the assistance of Vanessa Keverenge in the preparation of this blog post.

The post The US Government Publishes Advisory on North Korean IT Workers appeared first on Global Compliance News.


Baker McKenzie’s Sanctions Blog published the alert titled United States: BIS Issues Temporary Denial Order Against Additional Russian Airline and Adds Aircraft to List of Aircraft Subject to General Prohibition 10 on 2 June 2022. Read the article via the link here. Please also visit our Sanctions Blog for the most recent updates.

The post United States: BIS Issues Temporary Denial Order Against Additional Russian Airline and Adds Aircraft to List of Aircraft Subject to General Prohibition 10 appeared first on Global Compliance News.