OFAC Warns Companies Again Not to Pay Ransomware Demands and Offers Helpful Hints for Mitigating Risks

Bilzin Sumberg

Bilzin Sumberg

On September 21, 2021, The Department of Treasury’s Office of Foreign Assets Control (“OFAC”) issued an Updated Advisory “to highlight the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities.” The Updated Advisory supersedes OFAC’s October 1, 2020 Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. In addition to warning companies what not to do, the Updated Advisory also offers companies guidance on what to do. OFAC recommends companies take several proactive steps to mitigate the risks of ransomware attacks. It notes that, in enforcement actions, it would consider those steps to be “mitigating factors” against civil penalties.

The government “strongly discourages” private companies and citizens from paying ransomware or extortion demands. OFAC prohibits U.S. citizens from transacting business, directly or indirectly, with individuals or entities on OFAC’s “Specially Designated Nationals and Blocked Persons List” (“SDN List”) or in countries or regions for which trade and business is specifically under embargo, such as Cuba and North Korea. OFAC may impose criminal sanctions upon anyone who transacts business with these individuals or entities under a strict liability standard—meaning, even if the transaction is inadvertent. Paying a ransomware demand to a malicious actor who may be located within one of these countries, or who may be on the SDN List, is incredibly risky.

The Updated Advisory notes “the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider” when it determines an appropriate enforcement response to an apparent violation of U.S. law. OFAC “encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.” OFAC encourages companies to take “meaningful steps” to “reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices.”

OFAC offers the following examples of those “meaningful steps,” which are generally best practices for any company that collects or stores data:

  • Maintaining offline backups of data, to minimize disruption to the business, and thus, reduce the severity of a ransomware attack;
  • Developing thorough incident response plans
  • Instituting cybersecurity training of employees
  • Regularly updating antivirus and other security software
  • Employing multifactor authentication protocols

In addition to implementing these steps, OFAC will look favorably upon companies that report ransomware attacks to the relevant authorities promptly. “Full and ongoing cooperation with law enforcement both during and after a ransomware attack” is a “significant mitigating factor.” (emphasis added).

While nothing in the Updated Advisory is new or groundbreaking, it does evidence the Biden Administration’s attempts to encourage the public to implement enhanced cybersecurity measures to respond to the growing threat of ransomware. The government is paying attention to what companies do—and fail to do—to protect themselves.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bilzin Sumberg | Attorney Advertising

Written by:

Bilzin Sumberg

Bilzin Sumberg on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.