BIS Prohibition on Kaspersky Products

On June 20, 2024, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) issued a Final Determination that bans a range of transactions involving Kaspersky Lab, Inc. and its related entities’ (Kaspersky) cybersecurity and anti-virus products and services. The Final Determination prohibits Kaspersky from engaging in certain Information and Communications Technology and Services (ICTS) transactions in the United States or with U.S. persons. A non-exhaustive list of products and services covered by the Final Determination is available here. It outlines specific prohibitions that take effect at different times. Here is what U.S. businesses need to know:

  • From July 20, 2024: Kaspersky is prohibited from entering into any new agreement with U.S. persons involving one or more ICTS transactions identified in the Final Determination.
  • From September 29, 2024: Kaspersky is barred from providing any updates associated with the ICTS transactions; and operating the Kaspersky Security Network (KSN) in the U.S. or for U.S. persons. The following activities are prohibited:
    • Reselling Kaspersky cybersecurity or anti-virus software;
    • Integrating Kaspersky cybersecurity or anti-virus software into other products and services; and
    • Licensing Kaspersky cybersecurity or anti-virus software for purposes of resale or integration into other products or services.

The implications of this Final Determination are far-reaching for U.S. persons and businesses that currently rely on Kaspersky’s products and services for cybersecurity protection. The prohibition requires the cessation of use and disengagement from Kaspersky’s products and the search for alternative solutions to ensure continued protection against cyber threats. BIS provides a window for transition, but it is imperative for those affected to act promptly to comply with the new regulations.

See more details on BIS website here.

BIS Adds Kaspersky Companies to Entity List

On June 20, 2024, BIS announced new export restrictions on three entities linked to Russian cybersecurity company Kaspersky, the final rule for which goes into effect on June 24, 2024. The entities are:

  • AO Kaspersky Lab, located in Russia;
  • OOO Kaspersky Group, located in Russia; and
  • Kaspersky Labs Limited, located in the United Kingdom.

The Entity List identifies entities that are subject to additional license requirements and limits the availability of most license exceptions for exports, reexports, and transfers (in-country) of items subject to the Export Administration Regulations (EAR). For the three entities added by this rule, a license is required for all items subject to the EAR, and the license applications will be reviewed under a presumption of denial.

The addition of the three Kaspersky entities to the Entity List is a significant development for U.S. exporters and other parties that deal with items subject to the EAR. Businesses will need to ensure that they comply with the new license requirements and review their transactions and relationships with these entities.

OFAC Designations

On June 21, 2024, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated 12 individuals in executive and senior leadership roles at AO Kaspersky Lab. All the individuals were designated pursuant to E.O. 14024 for operating in the technology sector of the Russian Federation economy.

As a result, all property and interests in property of the designated persons that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50% or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons. These prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any blocked person and the receipt of any contribution or provision of funds, goods, or services from any such person.