BIS Issues First Ever Final Determination Against U.S. Company for Relationship to Russia

Washington, D.C. (July 12, 2024) - On June 20, 2024, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) took several steps against Kaspersky Lab, Inc. (“Kaspersky”), a U.S. subsidiary of a Russian company and its affiliates. BIS issued a first-of-its-kind Final Determination prohibiting Kaspersky from providing its anti-virus software or cybersecurity services in the United States or to U.S. persons. Kaspersky is further prohibited from providing updates to software already in use within the United States. BIS also added three of Kaspersky’s affiliates to the Entity List for their cooperation with Russian military and intelligence authorities.

This Final Determination is the culmination of a lengthy investigation into Kaspersky. According to BIS, Kaspersky’s operations were found to present a national security risk due to the Russian government’s capacity to exploit the company’s operations and collect sensitive data from U.S. persons. BIS has strongly encouraged U.S. persons who utilize Kaspersky software to switch to new vendors as soon as possible in order to limit exposure of data to bad actors. However, BIS made it clear that U.S. persons who continue to use Kaspersky software will not face legal penalties, but will assume all of the risks in doing so. Effective July 20, 2024, Kaspersky may no longer enter into any new agreements with U.S. persons involving any of the prohibited transactions. Additionally, effective September 29, 2024, Kaspersky may no longer provide updates to its software to any U.S. person.

This Final Determination is BIS’s first exercise of authority established under Executive Order (EO) 13873 “Securing the Information and Communications Technology and Services Supply Chain” (May 15, 2019). EO 13873 grants the Secretary of Commerce authority to prohibit or impose mitigation measures on any Information and Communications Technology and Services (ICTS) transaction that poses undue or unacceptable risks to U.S. national security. The ICTS program began in 2022 and the Office of ICTS is charged with implementing EOs focused on protecting domestic information and communications systems from threats posed by foreign adversaries.

On the day following the Final Determination, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) designated twelve individuals who hold senior leadership roles with Kaspersky for their connection to the technology sector of the Russian Federation economy.

BIS and OFAC officials have noted their intention to continue taking action where necessary to protect national security. Their actions may signal a new era in the way this is done and an increase in investigations into U.S. companies with relations to Russia. U.S. businesses should avoid engaging in any transactions with Kaspersky, its affiliates, or the twelve individuals sanctioned by OFAC.

Lewis Brisbois’s attorneys are actively advising clients on managing legal and business risk in the rapidly-developing area of international sanctions and export controls. For more information, contact the author or editors of this alert, and visit our Ukraine Conflict Response Practice page for additional alerts in this area.

Author:

Rebecca Stoddard, Associate

Editors:

Jane C. Luxton, Managing Partner - Washington, D.C.

Andrew Pidgirsky, Partner and Chair of Ukraine Conflict Response Practice