The Cyber (Sanctions) (Overseas Territories) Order 2020
Overview
The Cyber (Sanctions) (Overseas Territories) Order 2020 is an important legislative framework designed to combat cyber threats and promote cybersecurity in the Overseas Territories of the United Kingdom. Enacted to enhance national security, this order imposes sanctions on individuals, entities, and states involved in malicious cyber activities.
The Order enables the UK government to impose targeted sanctions on individuals and entities engaging in cyber-related activities that pose a threat to the UK’s national security, and supports the UK’s cybersecurity strategy by deterring and disrupting cyberattacks, preventing the proliferation of cyber weapons, and safeguarding critical infrastructure.
Key Requirements under the Cyber (Sanctions) (Overseas Territories) Order 2020 include:
- Designation and Sanctions: The order provides a legal framework for designating individuals, entities, and states involved in malicious cyber activities as sanctioned parties. These designations may include asset freezes, travel bans, trade restrictions, and other financial measures.
- Reporting Obligations: The order imposes reporting obligations on businesses. If a business knows, or has reasonable cause to suspect, that a person they deal with is a designated person under the order, they are required to report this information to the Office of Financial Sanctions Implementation (OFSI). Timely reporting is crucial for maintaining compliance with the order.
- Due Diligence and Risk Assessment: Businesses are expected to implement robust due diligence processes and risk assessment frameworks to identify and mitigate potential risks associated with designated persons. This includes conducting thorough background checks, monitoring customer transactions, and implementing adequate internal controls to prevent inadvertent dealings with sanctioned entities.
- Compliance Programs: Businesses must establish and maintain effective compliance programs to ensure adherence to the requirements of the Cyber (Sanctions) (Overseas Territories) Order 2020. This includes providing training to relevant staff, maintaining records of compliance activities, and implementing internal procedures for identifying and handling potential sanctions breaches.
The Cyber (Sanctions) (Overseas Territories) Order 2020 was made on the 11th of March 2020 and came into force on the 8th of April 2020.
The Cyber (Sanctions) (Overseas Territories) Order 2020 applies to the following countries:
- Anguilla;
- British Antarctic Territory;
- British Indian Ocean Territory;
- Cayman Islands;
- the Falkland Islands;
- Montserrat;
- Pitcairn (including Henderson, Ducie and Oeno Islands);
- St Helena, Ascension and Tristan da Cunha;
- South Georgia and the South Sandwich Islands;
- the Sovereign Base Areas of Akrotiri and Dhekelia;
- the Turks and Caicos Islands; and
- the Virgin Islands.
Does the Cyber (Sanctions) (Overseas Territories) Order 2020 affect my business?
The Cyber (Sanctions) (Overseas Territories) Order 2020 has several implications for businesses operating within the Overseas Territories. Here are some key ways in which businesses are affected:
- Compliance Obligations: Businesses must develop a comprehensive understanding of the order’s requirements and ensure compliance with the designated sanctions. This includes staying updated on the OFSI’s published list of designated persons and taking appropriate actions to avoid engaging in prohibited activities.
- Due Diligence and Risk Management: Businesses are responsible for conducting due diligence on their customers, suppliers, and business partners to identify any connections to designated persons. Implementing robust risk management processes enables businesses to mitigate the risks associated with inadvertent dealings with sanctioned entities.
- Reporting Requirements: Businesses have a legal obligation to report any knowledge or suspicions of dealing with designated persons to the OFSI promptly. Compliance with reporting requirements is crucial to assist in the enforcement and effectiveness of the order.
- Reputational and Financial Risks: Non-compliance with the Cyber (Sanctions) (Overseas Territories) Order 2020 can lead to reputational damage, financial penalties, and legal consequences. It is essential for businesses to take the necessary steps to understand and meet their obligations under the order to safeguard their operations and reputation.
Businesses operating within the listed territories must understand and comply with the designated sanctions, reporting obligations, and compliance requirements outlined in the order. By implementing robust due diligence processes, maintaining effective compliance programs, and staying informed about the designated persons, businesses can mitigate risks, avoid penalties, and contribute to the overall cybersecurity objectives of the order.
Do I need the Cyber (Sanctions) (Overseas Territories) Order 2020 in my ISO Compliance Register?
The Cyber (Sanctions) (Overseas Territories) Order 2020 impacts a wide range of businesses operating within the Overseas Territories. Therefore, you will need the order in your ISO Compliance Register if your business is included among the affected business types below:
- Financial Institutions: Banks, credit unions, investment firms, and other financial institutions are directly impacted by the order. They must implement robust compliance programs to ensure adherence to the designated sanctions and reporting requirements.
- Technology Companies: Businesses involved in the development, distribution, or provision of technology products and services are subject to the order. This includes software developers, cybersecurity firms, telecommunications providers, and internet service providers.
- Critical Infrastructure Operators: Entities operating critical infrastructure, such as energy facilities, telecommunications networks, transportation systems, and water supply networks, are likely to be affected. They must ensure compliance with the order to safeguard the integrity and security of their operations.
- Exporters and Importers: Businesses engaged in the export or import of technology-related goods and services need to be aware of the designated sanctions under the order. They must conduct due diligence on their trade partners to avoid inadvertently dealing with sanctioned entities.
- Professional Service Providers: Lawyers, accountants, consultants, and other professional service providers have a role to play in assisting businesses with compliance. They need to stay updated on the order’s requirements to provide accurate guidance to their clients.
- Cybersecurity Service Providers: Companies providing cybersecurity services, including threat intelligence, incident response, and vulnerability assessments, have a vital role in supporting businesses to manage cyber risks and ensure compliance with the order.
Legislation related to Cyber (Sanctions) (Overseas Territories) Order 2020
Legislation related to the Cyber (Sanctions) (Overseas Territories) Order 2020 includes:
- Sanctions and Anti-Money Laundering Act 2018
- The Global Anti-Corruption Sanctions Regulations 2021
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
- The Export Control Order 2008
- Data Protection Act 2018
More information
Visit the Cyber (Sanctions) (Overseas Territories) Order 2020 on the legislation.gov.uk website.