Ransomware attacks – cyber attacks in which the hackers encrypt and disable an organization’s computers and demand a ransom to provide the decryption key – continue to hit organizations throughout the country. Perhaps even more worrisome, the size of the ransom demands has grown substantially – multi-million dollar asks are now common – and appear to be based on the attacker's research into how much a particular company can afford to pay.
Organizations (and their insurers) often feel they have no choice but to pay the ransoms to restore their crippled systems, believing that rebuilding their systems (and remaining offline while they do) will cost far more than the amount of the ransom. Yesterday the Office of Foreign Assets Control (“OFAC”) of the Department of the Treasury issued an advisory that will complicate that calculation.
Though paying ransoms is not in and of itself illegal, it is illegal to make any payment to entities or persons on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List). What’s more, despite it being nearly impossible for a victim to know the identity of the person or group attacking it, the Treasury Department warned that “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”
To address this danger, the advisory encourages companies to implement risk-based compliance programs in order to mitigate exposure to sanctions-related violations, noting that OFAC will consider whether such a program is in place (as well as other factors) in determining the appropriate response to an apparent sanctions violation.
The Treasury Department is not alone in looking more closely at ransomware payments. Other federal and state agencies have also started questioning how companies decide to make these payments, the notifications they provide to consumers or investors about these kinds of attacks, and the security protocols whose failure may have allowed an attack to occur. Companies need to remain vigilant – before and after an attack – to ensure that they can navigate these rough waters.