November 29, 2021

Volume XI, Number 333

Advertisement
Advertisement

November 29, 2021

Subscribe to Latest Legal News and Analysis

Do You Have a Risk-Based Sanctions Compliance Program?: In the Event of a Ransomware Attack, OFAC Wants to Know

In the wake of increased ransomware attacks over the course of the last several months, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) has updated a guidance it released last year on potential sanction risks if facilitating ransomware payments. As indicated in the original guidance, OFAC has designated several threat actors as “malicious cyber attackers,” including the developers of Cryptolocker, SamSam, WannaCry, and Dridex. OFAC has indicated that it will impose sanctions on those who financially (or otherwise support) these actors, including by making ransomware payments to them. Sanctions can range from non-public (for example No Action Letters or Cautionary Letters) to public actions (including for example payment of civil monetary penalties).

In this new guidance, OFAC has indicated what factors would be “more likely” result in the matter closing with a non-public action. They are improving cyber security practices prior to an incident and working closely with law enforcement in the event of an incident. Improvement measures mentioned by the guidance include keeping backups (offline), having an incident response plan, conducting training, updating virus software, using authentication protocols, and otherwise following the Cybersecurity and Infrastructure Security Agency’s 2020 guide on ransomware. In other words, a risk-based compliance program to mitigate potential exposure if a company finds itself in a position of potential exposure to sanctions’ violations. This guidance came on the heels of OFAC’s sanctions of a cryptocurrency for its involvement in payment to ransomware threat actors (see article on our sister blog).

Putting It Into Practice: Is your organization prepared for a potential cyber incident? The cyber security practices outlined in OFAC’s guide can not only help a company be prepared for a potential incident, but also put it in a better posture in the event a ransomware demand is made.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 277
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Advertisement
Advertisement
Advertisement