On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an updated advisory outlining the risks involved with facilitating ransom payments to malicious actors conducting ransomware attacks on U.S. entities. The advisory also offered guidance on the steps that businesses or public entities affected by a ransomware attack can take to mitigate potential enforcement actions resulting from inadvertent violations of OFAC regulations.
In the immediate aftermath of a ransomware attack, a victim’s most immediate concern will generally be recovering access to the systems and data that the cybercriminal has encrypted or exfiltrated. Many times, the most straightforward path to achieving this goal is to work with cyber insurance carriers, incident response teams, and digital forensics firms to make a ransom payment to the attacker. Unfortunately, by making a ransom payment, victims run the risk of engaging in direct or indirect transactions with sanctioned individuals or entities, which would expose the victim company or individual to liability. These individuals and entities include those that have been sanctioned by the United States, such as individuals on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, or entities covered by comprehensive country or region embargoes (i.e. Cuba, the Crimea region of Ukraine, North Korea, Iran, and Syria).
Engaging in financial transactions with sanctioned actors is prohibited under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), both of which are enforced by OFAC. Entities that run afoul of the IEEPA and TWEA may be held strictly liable for any violations, meaning that they may be subject to enforcement actions by OFAC even when they did not know or have any reason to know that they were engaging in a prohibited transaction. Depending on the severity of the infraction and any mitigating factors taken into account, OFAC’s enforcement actions will range from non-public responses, including issuing a No Action Letter or a Cautionary Letter, to public responses, such as a civil monetary penalty.
The Department of the Treasury’s recent advisory gave several examples of mitigating factors that OFAC would consider when determining the appropriate enforcement response in the event of a violation of the IEEPA and the TWEA. Those factors include:
- The existence, nature, and adequacy of a risk-based compliance program to mitigate exposure to sanctions-related violations. These compliance programs should account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction.
- Companies involved in facilitating ransomware payments on behalf of victims (e.g. depository institutions and money services businesses) should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.
- The adoption and improvement of cybersecurity practices to limit the risk of extortion by a sanctioned actor, as outlined in the September 2020 Ransomware Guide issued by the Cybersecurity and Infrastructure Security Agency (CISA), will be considered a “significant mitigating factor in any OFAC enforcement response.” Such practices include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols.
- In the case of ransomware payments that may have a sanctions nexus, OFAC will consider a company’s self-initiated and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies, such as CISA or the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), made as soon as possible after the discovery of an attack, to be a voluntary self-disclosure and a significant mitigating factor in determining an appropriate enforcement response.
- OFAC will also consider a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack — e.g., providing all relevant information such as technical details, ransom payment demand, and ransom payment instructions as soon as possible — to be a significant mitigating factor.
Unfortunately, understanding the potential risks involved with making ransom payments to malicious cyber actors is a necessity in today’s increasingly digitized world. Thankfully, it is possible to take proactive steps to guard against these cybercriminals and to ensure that you are prepared in the event that you become the victim of a ransomware attack.
Our Privacy, Cybersecurity and Data Management Team will continue to monitor the latest developments in the areas of information security and ransomware attack preparedness.