On October 1, 2020, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory regarding the potential sanctions risk for entities that facilitate ransomware payments.1 OFAC defined “ransomware” as:
During a ransomware attack, cyber actors often threaten to expose personal information and demand payment in exchange for the key to decrypt the files and restore user access. OFAC noted that ransomware attacks have increased exponentially over the last three years and have intensified during the COVID-19 pandemic. Due to the significant risk in this area, companies should consider having policies and procedures that integrate cyber security as a pillar for any export control program.
As a part of its sanctions enforcement efforts, OFAC designates individuals and entities that are owned or controlled by, or acting for or on behalf of, targeted countries as “Specially Designated Nationals" (SDNs). OFAC also designates certain individuals, groups, and entities, such as terrorists and narco-traffickers that are not country-specific as SDNs. Collectively, these individuals and entities are placed on a list published on the Department of Treasury’s website.2 Pursuant to the International Emergency Economic Powers Act and the Trading with the Enemy Act, U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with SDNs. OFAC is empowered to issue civil penalties for violations of these federal statutes.3
In the recent advisory, OFAC warns against ransomware payments made to sanctioned persons or SDNs. OFAC notes that it can impose civil penalties based on strict liability, meaning that liability can attach even if the individual or entity did not know that it was engaging in a transaction with a person on the SDN list. OFAC advised that these laws and regulations also apply to companies that engage with victims of ransomware attacks, particularly those that facilitate ransomware payments, such as cyber-insurance companies.
The advisory lists a number of factors that OFAC will consider in the event there is a violation of sanctions laws and regulations related to a ransomware attack.
First, OFAC encourages victims and those involved to immediately report the ransomware attack to law enforcement, and will consider a “self-initiated, timely, and complete report” and “cooperation” to be “significant mitigating factor[s] in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”
Second, the advisory states that victims should immediately contact OFAC if they believe the request for a ransomware payment involves a sanctions nexus. This means that payment demands from SDNs or blocked parties should prompt notification to OFAC. In the event the identity or affiliation of the cyber actors is unclear, victims should nonetheless notify OFAC in an abundance of caution. Notably, the advisory lists several “malicious cyber actors” that OFAC has already designated under its cyber-related sanctions program and other programs.
Third, and perhaps most significantly, OFAC emphasized the importance of establishing and maintaining a risk-based compliance program. In this regard, companies should implement an internal compliance program that establishes policies and procedures for responding to a ransomware attack. This program should incorporate guidelines that ensure compliance with the obligations imposed by OFAC and other regulatory agencies. It is important to consider the parallel jurisdiction of other governmental agencies, including the Department of Defense, Department of Health and Human Services, and individual State Attorney Generals related to security breaches and access to personal identifying information. Futhermore, there may need to be additional interaction with foreign countries related to those foreign nationals data. OFAC references its own publication, A Framework for OFAC Compliance Commitments as a guide for companies developing an effective compliance program.4 According to this Framework, an effective compliance program should incorporate five essential components: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.
While business operations may be in flux during the COVID-19 pandemic, companies should consider proactively taking the time to develop or strengthen an existing compliance program as set forth above. Having an effective compliance program in place may not only strengthen a company’s ability to appropriately respond to a crisis like a ransomware attack; it can also improve the company’s odds of responding in a way that mitigates, or even eliminates, the risk of violating sanctions laws.