Do You Have a Risk-Based Sanctions Compliance Program?: In the Event of a Ransomware Attack, OFAC Wants to Know

Sheppard Mullin Richter & Hampton LLP

In the wake of increased ransomware attacks over the last several months, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) has updated the guidance it released last year on the potential sanctions risks of facilitating ransomware payments. As indicated in the original guidance, OFAC has designated several threat actors as “malicious cyber attackers,” including the developers of Cryptolocker, SamSam, WannaCry, and Dridex. OFAC has indicated that it will impose sanctions on those who financially (or otherwise) support these actors, including by making ransomware payments to them. Sanctions can range from non-public actions (for example, No Action Letters or Cautionary Letters) to public actions (including, for example, payment of civil monetary penalties).

In this new guidance, OFAC has indicated which factors would make it “more likely” that a matter closes with a non-public action. They are improving cyber security practices prior to an incident and working closely with law enforcement in the event of an incident. Improvement measures mentioned by the guidance include keeping backups (offline), having an incident response plan, conducting training, updating virus software, using authentication protocols, and otherwise following the Cybersecurity and Infrastructure Security Agency’s 2020 guide on ransomware. In other words, these measures amount to a risk-based compliance program to mitigate potential exposure if a company finds itself in a position of potential exposure to sanctions violations. This guidance came on the heels of OFAC’s sanctions of a cryptocurrency for its involvement in payment to ransomware threat actors (see article on our sister blog).

Putting It Into Practice: Is your organization prepared for a potential cyber incident? The cyber security practices outlined in OFAC’s guide can not only help a company be prepared for a potential incident, but also put it in a better posture in the event a ransomware demand is made.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
