Department of the Treasury Issues New Advisory Regarding Ransomware Payments



On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) released its Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (the “Updated Advisory”). The Updated Advisory follows on OFAC’s October 1, 2020 Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments and provides additional guidance for companies that may make or facilitate ransomware payments. 

In the first portion of the Updated Advisory, OFAC reiterates the reasons why the U.S. government has, and continues to, strongly discourage anyone from paying a ransom demanded in a cyber-attack. In particular, OFAC notes that making a ransom payment does not guarantee that a malicious actor will reprovision a company’s access to data or refrain from further attacks against the company, and that the availability of payments may encourage malicious actors to perpetrate more attacks. OFAC also highlights that paid ransom money can be used to fund activities adverse to U.S. interests, and that the law prohibits any U.S. person from engaging in a transaction, whether directly or indirectly, with a group or individual on its Specially Designated Nationals and Blocked Persons (“SDN”) List (or other block list). Related to this last point, OFAC reminds of its authority to enforce the law through both non-public responses like issuing a warning letter and public responses like imposing civil penalties. OFAC further reminds that, in the latter case, penalties can be imposed on a strict liability basis, meaning without regard to whether the company paying a ransom knew (or even had reason to know) its payment was legally prohibited.

While OFAC has previously expressed its position regarding the payment of ransoms, including reminders that companies who pay blocked individuals or groups risk breaking the law, the Updated Advisory provides some new guidance to those nonetheless making or facilitating payments.  Specifically, in the second portion of the Updated Advisory, OFAC describes certain “mitigating” factors it will take into consideration when determining how to respond to an apparent illegal ransom payment. OFAC explains that where these factors are present, it will be more likely to utilize a non-public resolution (like a letter) than a public resolution (like a monetary penalty). OFAC identifies three (3) mitigating factors:

  • First, OFAC will consider a company’s implementation of a regulatory compliance program. The program, OFAC instructs, should be risk-based and account for the possibility that a ransom demand may involve a malicious actor on the SDN or other block list.
  • Second, OFAC will consider a company’s “meaningful steps” to reduce the risk of cyber extortion.Here, OFAC suggests it will look for measures that decrease the likelihood that a company finds itself in a position where it needs to consider paying a malicious actor, such as regularly updating anti-malware software and maintaining offline backups, and points to the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide as a resource for organizations looking to take such meaningful steps.
  • Third, OFAC will consider a company’s decision to self-report a ransomware attack to OFAC, law enforcement, and other regulatory agencies, and to thereafter fully cooperate with any investigation from these groups. OFAC suggests a company should report an and provide all relevant details as soon as possible.

Given the frequency with which ransomware events are occurring and the difficulty in specifically identifying the perpetrator of the attacks, organizations should strongly consider following the guidance, including taking meaningful steps to adopt or improve cybersecurity practices. Through improved cybersecurity, an organization can hopefully avoid finding itself in a position in which it feels that it must make a ransom payment, but if it becomes necessary, by taking such steps, OFAC may be more likely to forego issuance of a public monetary penalty if it later turns out that payment was made to a blocked person or entity. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising

Written by:


Polsinelli on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.