FEATURED STORY October 15, 2021

OFAC Issues Updated Guidance on Paying Ransom - Buyer Beware of Sanction Risks

Key Takeaways

  • OFAC strongly encourages victims of ransomware to report attacks to CISA, their local FBI field office, the FBI Internet Crime Complaint Center (IC3), or their local U.S. Secret Service office as soon as possible.
  • Early reporting may lead to resolutions that avoid payment altogether.
  • According to the Advisory, where a resolution that does not involve paying the ransom exists, companies should consider pursuing it, because paying a ransom guarantees neither recovery of the data nor protection against future attacks.

On Sept. 21, the Treasury's Office of Foreign Assets Control (OFAC) issued an Advisory updating and superseding its previous advisory issued Oct. 1, 2020. OFAC is careful to note that the Advisory is not law, and does not modify statutes, Executive Orders, or regulations. However, the Advisory contains important guidance for entities that may consider paying a ransom or those that facilitate such payments.

Ransomware attacks have increased substantially during the COVID-19 pandemic. Cybercriminals recognize companies' reliance on distributed networks and have taken advantage of the remote-work environment to attack organizations across all industries. The Advisory cites the Federal Bureau of Investigation's (FBI) 2020 Internet Crime Report, which identified a 21% increase in reported ransomware cases and a 225% increase in associated losses from 2019 to 2020. Ransomware is extremely profitable for criminal organizations, and it should surprise no one that the government wants to discourage the payments that fund it.

The Advisory does not change requirements related to ransom payments but instead appears to be intended to discourage payments of ransom and attempts to highlight the risk of sanctions associated with such payments. Notably, the Advisory states that companies that facilitate ransomware payment on behalf of victims "not only encourage future ransomware payment demands but also may risk violating OFAC regulations." This Advisory, coupled with the recent Executive Order issued by the White House, may signal an intent by the government to examine ransomware transactions more closely going forward.

OFAC points out that it may impose civil penalties for sanctions violations on a strict-liability basis, that is, even if the entity or person "did not know or have reason to know that it was engaging" in a prohibited transaction. Companies are encouraged to implement a "risk-based compliance program to mitigate exposure to sanctions-related violations." Companies that facilitate ransom payments on behalf of victims, including financial institutions, cyber insurers, and digital forensics and incident response firms, are specifically encouraged to consider whether a ransom payment involves a Specially Designated National (SDN) or other blocked person, or an embargoed jurisdiction. OFAC also notes that it will treat a company's pre-attack efforts to improve its cybersecurity practices as a significant mitigating factor in any enforcement response (such efforts do not change whether a violation occurred), and points to the September 2020 Ransomware Guide issued by the Cybersecurity and Infrastructure Security Agency (CISA). The Guide encourages steps such as maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among other measures.

Organizations are also highly encouraged to notify law enforcement and other agencies and cooperate with any investigations. OFAC will consider early notification of law enforcement and other mitigation efforts of organizations in its determination of sanctions and penalties. Factors that are considered when determining an appropriate response are found within OFAC's economic sanctions enforcement guidelines, at 31 C.F.R. part 501, appx. A.
