- Overview of the regulatory issues facing companies—and cyber insurers—that may need to respond to ransomware emanating from a threat actor or group with potential ties to entities on federal lists.
The U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) administers and enforces economic sanctions programs against countries and groups of individuals, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals. As part of its efforts, OFAC maintains a consolidated sanctions list (the “OFAC List”), which includes Specially Designated Nationals and Blocked Persons, as well as other sanctions lists. OFAC has listed ransomware organizations on the OFAC List, and payment to those organizations would be a violation of economic sanctions laws. Fines for violations vary depending on numerous factors and are updated annually, but civil and criminal penalties can exceed millions of dollars.
Payment of ransoms could also implicate laws relating to designated Foreign Terrorist Organizations (“FTOs”) and “Specially Designated Global Terrorists” (“SDGTs”). Pursuant to 18 U.S.C. 2339B, monetary contributions to an FTO are considered material support. Transfers of money to SDGTs are violations of economic sanctions pursuant to the International Emergency Economic Powers Act.
Finally, depending on how a company structures the payment, paying a ransom could put it in a position where it may be in violation of anti-money laundering laws. For example, payment of a ransom could put a company at risk of being categorized as a “money service business” (“MSB”) under the Bank Secrecy Act (“BSA”) and Treasury Department regulations. MSBs must register with the Treasury Department, and they are subject to a complex array of laws and regulations designed to combat money laundering. The Treasury Department (through the Financial Crimes Enforcement Network, or “FinCEN”) and the Department of Justice can enforce through civil and criminal prosecutions.
- How does the level of certainty relating to threat actor attribution play into potential liability?
OFAC has not issued guidance specifically addressing what level of certainty applies when assessing attribution of an attack to a threat actor or a threat actor’s affiliation with a blocked entity. However, the regulatory framework and guidance indicate that enforcement decisions will be made on a case-by-case basis, and a company may be able to mitigate liability through its overall compliance regime. OFAC’s Economic Sanctions Enforcement Guidelines (the “Guidelines”) give it the authority to investigate “apparent violations,” defined to mean any conduct that constitutes an “actual or possible violation of U.S. economic sanctions laws.” 31 CFR App’x to Part 501, I.A. OFAC therefore likely has the authority to investigate payments to blocked threat actors—even without certainty that the attack is attributable to that blocked group—as such a payment could constitute an “apparent violation.”
Under its Framework for OFAC Compliance Commitments (the “Framework”), OFAC “strongly encourages organizations . . . to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP).” Components of an SCP include performing risk assessments, using sanctions screening software or filters, conducting due diligence on customers/clients, and scrutinizing non-traditional business methods. While none of these components directly speaks to threat actor attribution standards, they all demonstrate that OFAC will look at whether a company is implementing procedures that generally lower the likelihood of payments to a blocked entity.
With respect to material support statutes, the standard for attribution would likely include an actual “knowledge” component—i.e., a company could only be found to have materially aided the FTO if it had actual knowledge that the threat actor was part of the FTO. See 18 USC 2339B(a)(1) (“To violate this paragraph, a person must have knowledge that the organization is a designated terrorist organization . . .”). It therefore appears that, in order to be liable for providing material support to an FTO, a company must know that an attack is attributable to a threat actor that is designated as or affiliated with an FTO.
- What can a company do during the IR negotiation process to avoid the regulatory pitfalls?
Even before the incident response process, companies can mitigate OFAC liability risk by implementing a documented SCP. At the very least, having an SCP can help position companies for more favorable treatment by OFAC if the company pays a ransom to a blocked entity. See Framework at 1 (“When applying the Guidelines to a given factual situation, OFAC will consider favorably subject persons that had effective SCPs at the time of an apparent violation. . . . OFAC may consider the existence, nature, and adequacy of an SCP, and when appropriate, may mitigate a [civil monetary penalty] on that basis.”).
During the IR negotiation process, companies should ensure that they enlist the help of experienced legal counsel and specialized recovery firms. Recovery firms should be registered with the Treasury Department and capable of paying the ransom without violating the BSA or other anti-money laundering laws. They will also have cryptocurrency readily available to avoid logistical delays, as well as up-to-date information on the OFAC List and developing knowledge on threat actor attribution—including changes in modus operandi, updates to the OFAC List, and mergers between threat actor groups.