Author: John Farley
In October 2020, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory warning that making ransom payments to malicious cyber actors who are designated sanctions targets or who are located in sanctioned territories may violate U.S. sanctions laws.[1] The advisory states that making or facilitating payments to malicious cyber actors in sanctioned jurisdictions may undermine national security and work against current U.S. foreign policy.
This advisory is among various measures demonstrating increased focus by government regulators and enforcement agencies on ransomware and other cyber-attacks.
The advisory cites rising ransomware attack trends, including the FBI's 2018 and 2019 Internet Crime Reports, which show a 37 percent annual increase in reported ransomware cases and a 147 percent annual increase in associated losses from 2018 to 2019.[2,3] OFAC reasons that continuing the practice of making ransom payments will embolden cyber criminals and encourage future attacks.
What cyber activity is prohibited?
U.S. sanctions laws such as the International Emergency Economic Powers Act ("IEEPA") and the Trading with the Enemy Act ("TWEA") prohibit making payments to, or engaging in direct or indirect transactions with:
- Governments, individuals or organizations that are designated sanctions targets, including OFAC-listed Specially Designated Nationals (SDNs). Sanctions targets can include parties engaged in terrorism or terrorist financing, weapons of mass destruction proliferation, narcotics trafficking, human rights violations, or malign cyber activity, as well as current and former governments of sanctioned territories.
- Comprehensively embargoed territories, including Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria.
The advisory does not change any applicable legislation or OFAC regulations. U.S. sanctions law already prohibited payments to SDNs, as well as insurance or reinsurance claim payments that reimburse ransom payments made to SDNs. However, the advisory serves as a reminder to organizations and cyber insurers of the existing regulatory framework, and suggests that this area may be an enforcement focus for OFAC.
Financial institutions should also be cognizant of their compliance obligations under the regulatory requirements of the Financial Crimes Enforcement Network (FinCEN).
From a practical perspective, sanctions concerns can arise for organizations paying ransoms, or paying ransom-related claims, if the threat actors or their payment channels are sanctions targets. In addition, organizations may face gaps in insurance coverage if ransom payments are made to threat actors who are sanctions targets, because insurers could be prohibited from paying claims that reimburse such ransom payments.
To whom does the Advisory apply?
The OFAC advisory has potential global impact at a time when many governments are focused on malign cyber activity.
While U.S. sanctions laws generally apply to U.S. nationals, U.S. companies and their foreign branches, and in the case of Cuba and Iran sanctions, to foreign subsidiaries of U.S. companies, U.S. sanctions can have implications for companies globally, particularly where they are making payments through the U.S. financial system.
Implications of the advisory arise not only for organizations hit by ransomware attacks. OFAC specifically references the following parties in the advisory:
- Companies involved in providing cyber insurance and reinsurance
- Digital forensics and incident response providers
- Financial services companies that are involved in processing ransom payments (including depository institutions and money services businesses)
What to do if you are a victim of a ransomware attack
In the event your organization becomes a victim of a ransomware attack, it is important to leverage the resources that come with any applicable insurance policies. Many cyber insurance policies provide 24/7 access to outside experts, including breach coaches, IT forensics investigators, extortion negotiators, data restoration experts and others. Be mindful of insurance policy claim reporting requirements and of policy wording that may require using only pre-approved insurance panel experts.
Increasingly, subjects of ransomware attacks and their appointed forensics providers will have to consider whether the threat actors perpetrating the attacks are SDNs or other sanctions targets. Consider reviewing the SDN list and other sanctions watch lists when determining whether a ransom should be paid at all and, if so, through which financial channels.
It may be possible to seek OFAC licenses to make ransomware payments to SDNs. However, OFAC will review these requests on a case-by-case basis with a "presumption of denial."
We suggest that you consult with your legal counsel for additional guidance on sanctions compliance obligations.
Penalties for violating OFAC regulations
OFAC can impose civil penalties on those who are non-compliant, regardless of whether those facilitating the payment were aware they were transacting with a person or entity prohibited under U.S. sanctions laws. Civil penalty amounts vary by sanctions program, but can be approximately US$312,000 or more per violation, or twice the value of the transaction, whichever is higher. Criminal penalties, including jail time, are possible for intentional violations.
The advisory states: "OFAC will also consider a company's full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome."
For information regarding cyber insurance coverage, please contact your Gallagher team member.