In the Biden Administration’s continuing effort to reduce the risk of cybersecurity spyware from foreign adversaries, including Russia, the United States Department of Commerce (Commerce) issued a final rule (Rule) on June 16, 2023, entitled “Protecting Americans’ Sensitive Data from Foreign Adversaries” and also amended a previously issued rule (“Securing the Information and Communications Technology Supply Chain”) that had been published under a Biden Executive Order. The new Rule gives Commerce authority to prohibit or regulate communications technology or services connected to foreign adversaries that pose a risk to national security, including software.

For the first time using the authority provided by the Rule, on June 19, 2024, Commerce issued a final determination prohibiting Kaspersky Lab, Inc., its affiliates, subsidiaries, and parent companies from “directly or indirectly” providing anti-virus software and cybersecurity products or services in the U.S. According to Commerce, “Kaspersky will generally no longer be able to, among other activities, sell its software within the United States or provide updates to software already in use. The full list of prohibited transactions can be found here. ” Kaspersky has until September 29, 2024, to cease doing business in the U.S. and provide existing customers anti-virus and codebase updates until that time.

Kaspersky has been selling software and services in the U.S. for years, so it is no doubt embedded in company cybersecurity programs throughout the U.S. according to Commerce:

            “Individuals and businesses that utilize Kaspersky software are strongly encouraged to expeditiously transition to new vendors to limit exposure of personal or other sensitive data to malign actors due to a potential lack of cybersecurity coverage. Individuals and businesses that continue to use existing Kaspersky products and services will not face legal penalties under the Final Determination. However, any individual or business that continues to use Kaspersky products and services assumes all the cybersecurity and associated risks of doing so.”

Commerce determined that Kaspersky posed an undue or unacceptable risk to national security because “the ability to gather valuable U.S. business information, including intellectual property, and to gather U.S. persons’ sensitive data for malicious use by the Russian Government, pose an undue or unacceptable national security risk and therefore prohibits continued transactions involving Kaspersky’s products and services.”

On June 20, 2024, in coordination with Commerce, the Department of Treasury’s Office of Foreign Assets Control (OFAC) designated twelve executives and senior leadership from Kaspersky to the OFAC sanctions list. If you are using Kaspersky products or services, the final determination has a meaningful impact on your organization. This means that as of June 19, 2024, Kaspersky will no longer be able to provide support for any of its products or services in the U.S., and its executives are listed on the OFAC sanctions list. You may wish to heed Commerce’s recommendations if you hare in this position.