SAP Admits To Thousands Of Illegal Software Exports To Iran

SAP has reached a settlement with US investigators to close a prosecution relating to the violation of economic sanctions and the illegal export of software to Iran. 

The cloud software vendor admitted to violating existing sanctions and an embargo placed on the country by the United States.  

According to the US Department of Justice (DOJ), SAP violated both the Export Administration Regulations and the Iranian Transactions and Sanctions Regulations "thousands" of times over a period of six years. 

On Thursday, the DoJ said the investigation into SAP's practices -- a global case also involving the Department of the Treasury, Office of Foreign Assets Control (OFAC), Department of Commerce, and Bureau of Industry and Security (BIS) -- revealed two "principle" ways that economic sanctions had been broken. 

From 2010 to 2017, SAP and overseas partners exported US-origin software -- including upgrades and security fixes -- to users in Iran over 20,000 times. The majority of 'exports' went to a total of 14 "Iranian-controlled front companies" located in countries including Turkey, UAB, and Germany, whereas others were directly downloaded from Iranian IPs. 

During the same time period, SAP's Cloud Business Group (CBGs) units allowed over 2,300 users in Iran to access US-based cloud services. 

"Beginning in 2011, SAP acquired various CBGs and became aware, through pre-acquisition due diligence as well as post-acquisition export control-specific audits, that these companies lacked adequate export control and sanctions compliance processes," the DoJ claims. "Yet, SAP made the decision to allow these companies to continue to operate as standalone entities after acquiring them and failed to fully integrate them into SAP's more robust export controls and sanctions compliance program."

SAP, as noted by US investigators, voluntarily admitted to the accusations, leading to a settlement worth $8 million to avoid further action and prosecution. 

Under the terms of the agreement, SAP will hand over $5.14 million in "ill-gotten gain."

The software giant has also spent over $27 million on remediation and compliance, including the development of geolocation IP blocking, the removal of user accounts that would violate sanctions, and the hiring of staff specialized in export controls. 

"SAP will suffer the penalties for its violations of the Iran sanctions, but these would have been far worse had they not disclosed, cooperated, and remediated," commented Assistant Attorney General John Demers. "We hope that other businesses, software or otherwise, will heed this lesson."

In a statement, SAP said the company "aims for the highest standards of corporate integrity" and welcomes the settlement. 

"SAP conducted a thorough and extensive investigation into historical export controls and economic sanctions violations," SAP said. "We accept full responsibility for past conduct, and we have enhanced our internal controls to ensure compliance with applicable laws. Our significant remediation efforts, combined with our full and proactive cooperation with US authorities, have led to a mutually agreeable resolution of the Iran investigation without the imposition of an external monitor."

Previous and related coverage

• SAP issues advisory on the exploit of old vulnerabilities to target enterprise applications
  
  
• How SAP, Apple, and the NHL are transforming the world's fastest game
  
  
• SAP Q1 2021: Cloud gains momentum while operating profit takes a hit
  
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0