Department of the Treasury Issues New Advisory Regarding Ransomware Payments
Friday, September 24, 2021
OFAC Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments
Print Mail Download i

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) released its Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (the “Updated Advisory”). The Updated Advisory follows on OFAC’s October 1, 2020 Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments and provides additional guidance for companies that may make or facilitate ransomware payments. 

In the first portion of the Updated Advisory, OFAC reiterates the reasons why the U.S. government has, and continues to, strongly discourage anyone from paying a ransom demanded in a cyber-attack. In particular, OFAC notes that making a ransom payment does not guarantee that a malicious actor will reprovision a company’s access to data or refrain from further attacks against the company, and that the availability of payments may encourage malicious actors to perpetrate more attacks. OFAC also highlights that paid ransom money can be used to fund activities adverse to U.S. interests, and that the law prohibits any U.S. person from engaging in a transaction, whether directly or indirectly, with a group or individual on its Specially Designated Nationals and Blocked Persons (“SDN”) List (or other block list). Related to this last point, OFAC reminds of its authority to enforce the law through both non-public responses like issuing a warning letter and public responses like imposing civil penalties. OFAC further reminds that, in the latter case, penalties can be imposed on a strict liability basis, meaning without regard to whether the company paying a ransom knew (or even had reason to know) its payment was legally prohibited.

While OFAC has previously expressed its position regarding the payment of ransoms, including reminders that companies who pay blocked individuals or groups risk breaking the law, the Updated Advisory provides some new guidance to those nonetheless making or facilitating payments.  Specifically, in the second portion of the Updated Advisory, OFAC describes certain “mitigating” factors it will take into consideration when determining how to respond to an apparent illegal ransom payment. OFAC explains that where these factors are present, it will be more likely to utilize a non-public resolution (like a letter) than a public resolution (like a monetary penalty). OFAC identifies three (3) mitigating factors:

  • First, OFAC will consider a company’s implementation of a regulatory compliance program. The program, OFAC instructs, should be risk-based and account for the possibility that a ransom demand may involve a malicious actor on the SDN or other block list.

  • Second, OFAC will consider a company’s “meaningful steps” to reduce the risk of cyber extortion.Here, OFAC suggests it will look for measures that decrease the likelihood that a company finds itself in a position where it needs to consider paying a malicious actor, such as regularly updating anti-malware software and maintaining offline backups, and points to the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide as a resource for organizations looking to take such meaningful steps.

  • Third, OFAC will consider a company’s decision to self-report a ransomware attack to OFAC, law enforcement, and other regulatory agencies, and to thereafter fully cooperate with any investigation from these groups. OFAC suggests a company should report an and provide all relevant details as soon as possible.

Given the frequency with which ransomware events are occurring and the difficulty in specifically identifying the perpetrator of the attacks, organizations should strongly consider following the guidance, including taking meaningful steps to adopt or improve cybersecurity practices. Through improved cybersecurity, an organization can hopefully avoid finding itself in a position in which it feels that it must make a ransom payment, but if it becomes necessary, by taking such steps, OFAC may be more likely to forego issuance of a public monetary penalty if it later turns out that payment was made to a blocked person or entity. 

© Polsinelli PC, Polsinelli LLP in California

Current Legal Analysis

More from Polsinelli PC

The Chevron Doctrine: Part I
by: Julius W. Hobson, Jr.
2024 OFCCP Contractor Portal for Affirmative Action Plan Certification Opens April 1, 2024
by: Erin D. Schilling , Stephanie A. Wolters
Equal Employment Opportunity Commission Issues Final Guidance on Workplace Harassment
by: Emily E. Tichenor
Lawsuits Filed Challenging the FTC’s Final Rule Banning Non-Competes
by: Eric E. Packel , Emma R. Schuering
What is the Impact of the FTC’s Final Non-Compete Rule on Franchisors and Franchisees?
by: Leonard (Len) MacPhee , Joyce Mazero
FTC Final Rule Banning Most Non-Competes Passes – What Nonprofits Need to Know
by: Jacob Zerkle , Michael Kuczynski
The 80/20 Rule is Here: CMS Finalizes HCBS Care Worker Payment Requirements
by: Ross E. Sallade , Angelo Spinola
Blockchain+ Bi-Weekly: Week of April 25, 2024
by: Jonathan E. Schmalfeld , Stephen A. Rutenberg
FTC Final Rule Banning Most Non-Competes Passes – What You Need to Know
by: Eric E. Packel , Emma R. Schuering
Finally Final — The DOL Issues Its Long-Expected Final Rule Raising the FLSA Overtime Exemption Salary Thresholds
by: Jason N. W. Plowman , Matthew P.F. Linnabary

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins