On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) released its Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (the “Updated Advisory”). The Updated Advisory follows on OFAC’s October 1, 2020 Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments and provides additional guidance for companies that may make or facilitate ransomware payments. 

In the first portion of the Updated Advisory, OFAC reiterates the reasons why the U.S. government has, and continues to, strongly discourage anyone from paying a ransom demanded in a cyber-attack. In particular, OFAC notes that making a ransom payment does not guarantee that a malicious actor will reprovision a company’s access to data or refrain from further attacks against the company, and that the availability of payments may encourage malicious actors to perpetrate more attacks. OFAC also highlights that paid ransom money can be used to fund activities adverse to U.S. interests, and that the law prohibits any U.S. person from engaging in a transaction, whether directly or indirectly, with a group or individual on its Specially Designated Nationals and Blocked Persons (“SDN”) List (or other block list). Related to this last point, OFAC reminds of its authority to enforce the law through both non-public responses like issuing a warning letter and public responses like imposing civil penalties. OFAC further reminds that, in the latter case, penalties can be imposed on a strict liability basis, meaning without regard to whether the company paying a ransom knew (or even had reason to know) its payment was legally prohibited.

While OFAC has previously expressed its position regarding the payment of ransoms, including reminders that companies who pay blocked individuals or groups risk breaking the law, the Updated Advisory provides some new guidance to those nonetheless making or facilitating payments.  Specifically, in the second portion of the Updated Advisory, OFAC describes certain “mitigating” factors it will take into consideration when determining how to respond to an apparent illegal ransom payment. OFAC explains that where these factors are present, it will be more likely to utilize a non-public resolution (like a letter) than a public resolution (like a monetary penalty). OFAC identifies three (3) mitigating factors:

• First, OFAC will consider a company’s implementation of a regulatory compliance program. The program, OFAC instructs, should be risk-based and account for the possibility that a ransom demand may involve a malicious actor on the SDN or other block list.
• Second, OFAC will consider a company’s “meaningful steps” to reduce the risk of cyber extortion.Here, OFAC suggests it will look for measures that decrease the likelihood that a company finds itself in a position where it needs to consider paying a malicious actor, such as regularly updating anti-malware software and maintaining offline backups, and points to the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide as a resource for organizations looking to take such meaningful steps.
• Third, OFAC will consider a company’s decision to self-report a ransomware attack to OFAC, law enforcement, and other regulatory agencies, and to thereafter fully cooperate with any investigation from these groups. OFAC suggests a company should report an and provide all relevant details as soon as possible.

Given the frequency with which ransomware events are occurring and the difficulty in specifically identifying the perpetrator of the attacks, organizations should strongly consider following the guidance, including taking meaningful steps to adopt or improve cybersecurity practices. Through improved cybersecurity, an organization can hopefully avoid finding itself in a position in which it feels that it must make a ransom payment, but if it becomes necessary, by taking such steps, OFAC may be more likely to forego issuance of a public monetary penalty if it later turns out that payment was made to a blocked person or entity.