Shearman & Sterling LLP | FinReg | UK Secondary Legislation Published to Combat Cyber-Attacks
Financial Regulatory Developments Focus
  • UK Secondary Legislation Published to Combat Cyber-Attacks

    The Cyber-Attacks (Asset-Freezing) Regulations 2019 have been made and will come into force on June 11, 2019.

    The U.K. Regulations put in place measures applicable to U.K. nationals, U.K.-incorporated entities and certain regulated institutions that will help enforce the financial sanctions provisions of the EU's new Cyber-Attacks Regulation, which came into force on May 18, 2019. The Cyber-Attacks Regulation is designed to combat cyber-attacks emanating from outside the EU against EU institutions and Member States. Its provisions include granting the Council of the European Union the ability to freeze assets of persons or entities suspected of involvement in such attacks. In order to enforce the sanctions regime throughout the EU, Member States are required to put in place legislation specifying the penalties that will be imposed upon those found to be implicated in a breach of the EU Cyber-Attacks Regulation.

    HM Treasury has produced national regulations that set out restrictions upon the dealings that a U.K. individual, U.K.-incorporated entity or "relevant institution" may have with persons listed under the EU Cyber-Attacks Regulation as being subject to asset-freezing sanctions. "Relevant institutions" include (i) those granted permission under the Financial Services and Markets Act 2000 to carry on regulated activities, (ii) EEA firms listed under FSMA as having the right to accept deposits and (iii) undertakings that operate currency exchange offices, transmit money or cash checks. The U.K. Regulations are applicable regardless of whether the relevant actions take place within or outside the U.K. Restricted activities include dealing with funds or economic resources owned by a person designated under the Cyber-Attacks Regulation and making funds or economic resources available to, or for the benefit of, such a person. Relevant institutions that receive funds transferred to a frozen account are permitted to credit the relevant account. However, they are also obliged to pass specified information to the Treasury, including if they know, or reasonably suspect, a person is a designated person under the EU Cyber-Attacks Regulation or has committed an offence under the U.K. Regulations. It is a criminal offence to breach the Regulations. Penalties include imprisonment, a fine, or both.

    View the U.K. Cyber-Attacks (Asset-Freezing) Regulations 2019.

    View the EU Cyber-Attacks Regulations 2019.

    View details of the Cyber-Attacks Regulations 2019.
