OFAC Issues Updated Guidance on Paying Ransom – Buyer Beware of Sanction Risks
On Sept. 21, the Treasury’s Office of Foreign Assets Control (OFAC) issued an Advisory updating and superseding its previous advisory issued Oct. 1, 2020. OFAC is careful to note that the Advisory is not law, and does not modify statutes, Executive Orders, or regulations. However, the Advisory contains important guidance for entities that may consider paying a ransom or those that facilitate such payments.
Ransomware attacks have increased substantially during the COVID-19 pandemic. Cybercriminals recognize companies’ reliance on distributed networks and have taken advantage of the remote environment to attack organizations across all industries. The Advisory points to reports from the Federal Bureau of Investigation (FBI) identifying a 21% increase in reported ransom cases and a 225% increase in associated losses from 2019-2021. There can be no argument that ransomware attacks are extremely profitable for criminal organizations, and it should be no surprise to anyone that the government wants to discourage these types of payments.
The Advisory does not change requirements related to ransom payments but instead appears to be intended to discourage payments of ransom and attempts to highlight the risk of sanctions associated with such payments. Notably, the Advisory states that companies that facilitate ransomware payment on behalf of victims “not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” This Advisory, coupled with the recent Executive Order issued by the White House, may signal an intent by the government to examine ransomware transactions more closely going forward.
OFAC points out that it may impose civil penalties for sanctions violations even if the entity or person “did not know or have reason to know that it was engaging” in a prohibited transaction. Companies are encouraged to implement a “risk-based compliance program to mitigate exposure to sanctions-related violations.” Companies that facilitate ransom payments are specifically encouraged to consider whether a ransom payment involves a Specially Designated National (SDN) or blocked person, or an embargoed jurisdiction. OFAC also notes that it will consider a company’s efforts to improve cybersecurity practices when determining whether a company committed a sanctionable violation, and points to the September 2020 Ransomware Guide issued by the Cybersecurity and Infrastructure Security Agency (CISA). The Guide encourages steps such as maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, and implementing other authentication protocols.
Organizations are also highly encouraged to notify law enforcement and other agencies and cooperate with any investigations. OFAC will consider early notification of law enforcement and other mitigation efforts of organizations in its determination of sanctions and penalties. Factors that are considered when determining an appropriate response are found within OFAC’s economic sanctions enforcement guidelines, at 31 C.F.R. part 501, appx. A.
OFAC highly encourages victims of ransomware to report such attacks to CISA, their local FBI field office, the FBI Internet Crime Complaint Center, or their local U.S. Secret Service office as soon as possible. Such efforts may lead to resolutions that could potentially avoid payment. According to the Advisory, where resolutions that do not involve paying the ransom exist, companies should consider pursuing such avenues, as paying the ransom does not guarantee recovery of data or avoidance of future attacks.