On September 21, 2021, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an Updated Advisory “to highlight the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities and the proactive steps companies can take to mitigate such risks.” The Updated Advisory notes that, in an enforcement action, OFAC would treat those proactive steps as “mitigating factors” when deciding how to respond to an apparent sanctions violation. It follows OFAC’s October 1, 2020 Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments and provides additional guidance for companies that may make or facilitate ransomware payments, including the insurers, incident response firms and financial institutions that handle such payments on a victim’s behalf.
Ransomware is malicious software (“malware”) designed to block access to a computer system or its data, typically by encrypting it, in order to extort a ransom payment from the victim in exchange for restoring access. The Updated Advisory explains that ransomware attacks in the U.S. continue to increase in both frequency and sophistication. According to FBI figures cited in the advisory, reported ransomware cases rose nearly 21% and associated losses rose 225% from 2019 to 2020. Cyber actors have targeted not only private businesses but also governmental entities.
The Updated Advisory emphasizes that the U.S. government “strongly discourages” victims from paying ransoms or extortion demands and recommends instead that companies focus on strengthening defensive measures to prevent and protect against ransomware attacks. The reason given is that paying a ransom does not guarantee that a malicious actor will restore the company’s access to its data or refrain from further attacks against it. OFAC further states that the availability of ransom payments not only enriches malicious actors but also incentivizes other malicious actors to carry out additional attacks.
OFAC goes on to explain that ransom payments can be used to fund activities adverse to the national security and foreign policy objectives of the United States. Importantly, OFAC highlights that U.S. law prohibits anyone subject to U.S. jurisdiction from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”), with other blocked persons, or with persons covered by comprehensive country or region embargoes. On this point, the Updated Advisory reminds readers that OFAC may impose civil penalties for sanctions violations on a strict-liability basis, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if that person did not know, or have reason to know, that it was engaging in a prohibited transaction. In practice, this means that neither a victim nor the firm paying on its behalf can rely on ignorance of the attacker’s identity as a defense; the sanctions exposure exists whether or not the attacker has been publicly attributed.
While OFAC states that individuals or companies who make ransom payments to blocked individuals or groups risk violating U.S. sanctions law, the Updated Advisory provides new guidance to those who find themselves making or facilitating such payments. It describes certain steps a company can take that OFAC may treat as “mitigating factors” when determining an appropriate enforcement response to an apparent violation of U.S. sanctions laws or regulations. The advisory does not state that taking these steps makes a payment to a sanctioned party lawful; it states only that they will weigh in the company’s favor in any enforcement decision.
One of the mitigating factors OFAC will consider is whether a company implemented a risk-based compliance program to reduce its exposure to ransom demands from malicious actors on the SDN List or another sanctions list. The Updated Advisory recommends adopting the practices in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide, which describes the “meaningful steps” companies can take to reduce the risk of extortion by a sanctioned actor, such as maintaining offline backups, keeping systems patched, requiring multi-factor authentication and maintaining an incident response plan. According to the Updated Advisory, improving cybersecurity practices in this way will be considered a “significant mitigating factor” in an enforcement proceeding.
Another factor OFAC will consider is whether the company promptly reported the ransomware attack to the appropriate U.S. government agencies and cooperated fully and on an ongoing basis with OFAC, law enforcement and other relevant agencies, including whether an apparent violation of U.S. sanctions was voluntarily self-disclosed.
The Updated Advisory makes it all the more important for businesses to have an OFAC compliance program in place that addresses the possibility of a ransomware attack, including who screens a proposed payment against the sanctions lists, who decides whether to pay and how and when the incident is reported. Businesses are encouraged to review their OFAC compliance policies and procedures now, before an incident occurs, to avoid inadvertently violating U.S. law and exposing themselves to sanctions enforcement.