Ransomware and OFAC Sanctions Compliance
We have all read about the high-profile malicious cyber-attacks and ransomware demands and payments. The Colonial Pipeline case demonstrated how responsive law enforcement can be in tracking down perpetrators and recovering ransom payments.
The Treasury Department’s Office of Foreign Asset Control (“OFAC”) has a vested interest in this enforcement arena. On September 21, 2021, OFAC issued an updated ransomware advisory on the topic (“Updated Advisory”).
OFAC issued the Updated Advisory for two purposes. First, to remind companies of the sanctions risks associated with ransomware payments and steps companies should take to mitigate these risks and gain credit as part of any enforcement action. Second, OFAC designated SUEX OTC S.R.O. (“SUEX”) as a Specially Designated National (“SDN”), the first virtual currency exchange so designated.
Ransomware Payment Mitigation Steps
OFAC took these actions in response to a 21 percent increase in reported ransomware cases, and a 225 percent increase in associated losses from 2019 to 2020. OFAC repeated its general advice discouraging payment of ransomware demands. The Updated Advisory noted that a significant mitigating factor in an enforcement action is whether a company has adopted appropriate cybersecurity practices, referred to as “defensive and resilience measures.”
In particular, OFAC listed the practices set forth in the Cybersecurity and Infrastructure Security Agency’s September 2020 Ransomware Guide (“CISA Ransomware Guide”), including steps to: (1) maintain offline backups of data; (2) develop incident response plans; (3) institute cybersecurity training; (4) regularly update antivirus and anti-malware software; and (5) employ authentication protocols. In addition to the CISA Ransomware Guide, OFAC recommended that companies review the National Institute of Technology (“NIST”) and Cybersecurity Maturity Model Certification (“CMMC”) standards for additional insights and program improvements.
OFAC emphasized the importance of cooperation with law enforcement in response to a ransomware attack. To earn a significant mitigation factor, companies have to report a ransomware attack in a timely and voluntary manner to the relevant law enforcement agencies (other than OFAC), including CISA and the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection (“OCCIP”).
OFAC stated that penalty mitigation and other enforcement benefits will be awarded to companies that voluntarily disclose ransomware matters and that (i) cooperate early, continuously and completely with other law enforcement agencies; (ii) make ransomware payments only after confirming (through appropriate due diligence) that a payment has no apparent sanctions nexus; and (iii) later (post-payment) learn there was or may have been a sanctions nexus. By following these steps, companies will enhance the likelihood of earning a non-public response (i.e., a No Action Letter or a Cautionary Letter) in the event of a sanctions violation arising from payments made in response to a ransomware attack.
Designation of SUEX as an SDN
OFAC designated SUEX as an SDN pursuant to Executive Order 13694 for facilitating financial transactions for ransomware actors. OFAC has specifically identified virtual currency exchanges as critical to the profitability of ransomware attacks. OFAC is expected to designate other entities and individuals in the virtual currency industry.