On June 20, 2024, the Bureau of Industry and Security (BIS) issued its first Information and Communications Technology and Services (ICTS) Final Determination pursuant to Executive Order 13873 and 15 C.F.R. Part 7, prohibiting Kaspersky Lab, Inc. and its affiliates (collectively “Kaspersky”) from providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons.  BIS issued the Determination after finding that Kaspersky’s products “can be used strategically to cause harm” to the United States. 

The Determination applies to the following three types of “ICTS transactions” involving Kaspersky products:

1. ICTS transactions involving any Kaspersky cybersecurity product or service;
2. ICTS transactions involving any Kaspersky anti-virus software; and 
3. ICTS transactions involving the integration of Kaspersky software into third-party products or services (e.g., “white labeled” products or services).

BIS published an Appendix listing examples of software subject to the Determination.  The prohibitions do not apply to Kaspersky Threat Intelligence products and services, Kaspersky Security Training products and services, or Kaspersky consulting or advisory services that are purely informational or educational.

The prohibitions become effective over the next 90 days, as follows:

• July 20, 2024: Kaspersky is prohibited from entering into any new agreement with U.S. persons involving one or more ICTS transactions identified above.
• September 29, 2024:
  • Kaspersky is prohibited from:
    • Providing any anti-virus signature updates and codebase updates associated with the ICTS transactions identified above; 
    • Operating the Kaspersky Security Network (KSN) in the United States or on any U.S. person's information technology system.
  • The following is prohibited:
    • Reselling Kaspersky cybersecurity or anti-virus software;
    • Integrating Kaspersky cybersecurity or anti-virus software into other products and services; and
    • Licensing Kaspersky cybersecurity or anti-virus software for purposes of resale or integration into other products or services.

In its press release and accompanying Frequently Asked Questions, BIS clarifies that the Final Determination does not affirmatively require U.S. companies or individuals to halt use of or remove Kaspersky software, but that doing so is recommended as updates to the software will be prohibited, impacting the effectiveness of the products. 

Accompanying Entity List and SDN Designations

Along with the prohibition on ICTS transactions, BIS added three Kaspersky entities to the Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian Government’s cyber intelligence objectives. This designation means that no person (U.S. or non-U.S.) may provide any item subject to U.S. jurisdiction under the Export Administration regulations, including goods, software or technology, in any transaction which one of these entities is a purchaser, end user, or consignee. The entities added were:

• AO Kaspersky Lab (Russia)
• OOO Kaspersky Group (Russia)
• Kaspersky Labs Limited (United Kingdom)

On June 21, 2024, the Treasury Department’s Office of Foreign Assets Control (OFAC) added 12 individuals in executive and senior leadership roles at AO Kaspersky Lab to its Specially Designated Nationals (SDN) List.

 As a result of the SDN designations, all property and interests in property of those individuals located in the United States or in the possession or control of a U.S. person are blocked and must be reported to OFAC. Additionally, the SDN designation also blocks the property interests of any entities 50 percent or more owned, directly or indirectly, by one or more SDNs.  This has the effect of banning transactions with these entities in which a U.S. person directly or indirectly has a role.

Of note, in this round of SDN designations, OFAC did not designate Kaspersky Lab, its parent or subsidiary companies, or its CEO.

Special thanks to Kurt Vinson who contributed to this post.