On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” While this advisory explicitly supersedes OFAC’s previous ransomware advisory from October 2020, it does not fundamentally alter OFAC’s approach towards ransom payments. Like the prior guidance, OFAC’s recent advisory reiterates the U.S. policy of “strongly discouraging” ransom payments, warns that such payments carry sanctions risk, and lists a number of “significant mitigating factors” that OFAC will consider when deciding whether to bring an enforcement response. Still, there are several significant takeaways from the updated guidance:
- OFAC Is Targeting Cryptocurrency Exchanges, Not Ransomware Victims. In conjunction with the revised OFAC advisory, OFAC announced sanctions against SUEX, a Moscow-based cryptocurrency exchange that OFAC says caters to criminals. This is the first such sanction against a cryptocurrency exchange.
- CISA’s “Best Practices” Are Becoming More Than Mere Suggestions. One new significant mitigating factor that appears in the updated guidance is whether the victim company had taken meaningful steps to reduce the risk of extortion and ransomware by implementing “cybersecurity practices, such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide.” Such practices “could include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.” Accordingly, reducing the risk of an OFAC enforcement response is yet another reason that companies should take steps to meet at least minimal cybersecurity standards and maintain “artifacts of compliance” to prove it to regulators in the event of a breach.
- Notification of Ransomware Attack to Additional Government Agencies. Based on OFAC’s 2020 advisory, a company’s “self-initiated, timely and complete report of a ransomware attack to law enforcement” would be considered a significant mitigating factor. OFAC’s recent guidance expanded the list of government agencies that companies should consider when voluntarily reporting ransomware attacks to law enforcement and/or CISA. OFAC suggested that reporting such incident to the relevant government agencies will be “[a]nother factor that OFAC will consider under the Enforcement Guidelines” and reiterated the importance of complete and ongoing cooperation with law enforcement and other relevant government agencies during and after such ransomware attack, including “providing all relevant information, such as technical details, the ransom payment demand and ransom payment instructions.”
- Notification of Ransomware Payments That May Have a Sanctions Nexus to Additional Government Agencies. This week’s guidance not only expanded the scope of government agencies that companies should or may notify in the case of ransomware attacks, but also, in the case of ransomware payments that may have a sanctions nexus, the guidance suggest that companies should report such potential ransomware attack and payment to OFAC and the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) and, in doing so, the company can receive a significant mitigation from OFAC. The revised guidance indicates an enlarged role for OCCIP in thwarting ransomware attacks and payments to suspects with a potential sanctions nexus; OFAC’s previous guidance suggested notifying OCCIP only if an attack involved a “U.S. financial institutions or may cause significant disruption to a firm’s ability to perform critical financial services,” whereas this week’s guidance suggests that all companies should report ransomware attacks and payments to OCCIP where there is a sanctions nexus.