On October 1, 2020, the Office of Foreign Assets Control (“OFAC”) issued guidance warning of potential sanctions risks for making ransomware payments related to malicious cybersecurity incidents. The same day, the Financial Crimes Enforcement Network (“FinCEN”) issued an advisory related to the role of financial institutions in processing ransomware payments.
Ransomware is a form of malicious software that generally blocks access to computer systems or data in order to extort ransom payments in exchange for restoring a victim’s access to that system or data. In some instances, the perpetrators have also threatened to publicly post sensitive data belonging to or held by the victim.
Companies without another way to access their data understandably want to act quickly to regain control and may wish to pay a ransom to do so. But ransomware payments may implicate national security concerns and violate OFAC and FinCEN regulations. As OFAC explains in its guidance, a victim of a ransomware attack faces the prospect of an enforcement action if the victim pays a blocked person in an effort to regain control of its systems or data. The action may arise because such payments may involve a transaction with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”), other blocked persons, or those covered by comprehensive country or territory embargoes. There are currently 130 SDNs designated pursuant to OFAC’s cyber-related sanctions program, which targets malicious cyber actors, and countless SDNs designated pursuant to other sanctions programs. U.S. persons are broadly prohibited from engaging in or facilitating transactions of any type with SDNs. Such payments may also trigger suspicious activity reporting obligations for financial institutions. Cybersecurity risks and incidents, including ransomware attacks and related payments, may trigger disclosure obligations for public companies under federal securities laws if they are material, as we previously discussed.
Liability for sanctions violations extends to both ransomware victims and third-party companies that facilitate ransomware payments, including financial institutions, cyber insurance companies (“CIC”), and digital forensics and incident response (“DFIR”) companies. Violations of OFAC’s sanctions regulations are subject to civil penalties based on strict liability, meaning that “a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know” it was engaging in a prohibited transaction. Willful conduct that violates an OFAC sanction can lead to criminal penalties.
OFAC and FinCEN encourage ransomware victims to promptly contact appropriate federal law enforcement agencies when issues arise. To incentivize reporting, OFAC advises that when it evaluates potential enforcement actions, it will consider as “significant mitigating factor[s]” a company’s (1) “self-initiated, timely, and complete report of a ransomware attack to law enforcement,” and (2) “full and timely cooperation with law enforcement both during and after a ransomware attack.” OFAC may also review “the existence, nature, and adequacy” of a company’s sanctions compliance program, which should “account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction.”
OFAC warns that ransomware payments could enable illicit actors to engage in further activities adverse to U.S. national security and foreign policy objectives. Accordingly, OFAC’s new guidance advises that license applications involving ransomware payments will be reviewed on a case-by-case basis with a presumption of denial, setting a high bar for companies to obtain OFAC authorization to pay a ransom to cyber criminals who are on the SDN List.
Also, FinCEN emphasizes that information sharing among financial institutions under the safe harbor provision of the USA PATRIOT Act is “critical” to reporting and preventing ransomware attacks. To assist financial institutions in detecting suspicious activity, FinCEN’s new advisory identifies ten “red flags” that may indicate ransomware-related activity, including transactions between an organization and a DFIR or CIC.
To be prepared for potential ransomware attacks and reduce risk of liability, companies should carefully craft their sanctions compliance programs and develop, implement, and practice cybersecurity incident response plans. In addition to possible sanctions violations, such incidents may expose companies to breach-notification requirements and potential liability under various international, federal, state, and local laws governing data protection. Also, internal investigations into cybersecurity incidents and cooperation with related government investigations may create unique concerns regarding privilege and work product protections. Thus, companies should consider seeking outside legal advice when responding to or reporting cybersecurity incidents.