October 16, 2021

Volume XI, Number 289

Advertisement
Advertisement

October 15, 2021

Subscribe to Latest Legal News and Analysis

October 14, 2021

Subscribe to Latest Legal News and Analysis

October 13, 2021

Subscribe to Latest Legal News and Analysis

OFAC Again Says Beware of Sanctions When Making Ransomware Payments and Designates Virtual Currency Exchange as Malicious Cyber Actor

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (the “Updated Advisory”) on the sanctions risks associated with facilitating ransomware payments.

The Updated Advisory explains that OFAC has designated malicious cyber actors under its cyber-related sanctions programs. Cyberattack victims, financial institutions, insurance firms and other companies assisting with ransomware payments are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions. As a result, companies subject to U.S. jurisdiction and engaging in transactions involving ransomware payments should consider the risk that such activities may violate sanctions prohibitions and expose them to civil liability. Through the Updated Advisory, OFAC continues to demonstrate increased enforcement attention on digital currencies.

Additionally, on September 21, 2021, OFAC, with assistance from the FBI, designated SUEX OTC, S.R.O., (“SUEX”) as a malicious cyber actor, the first such sanctions designation against a virtual currency exchange. According to the Treasury Department’s press release, over 40% of SUEX’s known transactions are associated with illicit actors, and SUEX is being sanctioned for providing material support to the threat posed by criminal ransomware actors. Under OFAC’s sanctions, all of SUEX’s property and interests in property that are subject to U.S. jurisdiction are blocked, and U.S. persons generally are prohibited from engaging in transactions with SUEX. Further, entities that SUEX owns 50% or more of also are blocked. According to the Treasury Department, financial institutions and other persons that engage in certain transactions or activities with SUEX, as well as other sanctioned entities and individuals, may also expose themselves to sanctions or be subject to an enforcement action.

In the last year, OFAC has brought various enforcement actions against digital currency services providers, cautioning persons subject to U.S. jurisdiction of the sanctions risks associated with the provision of digital currency services. This emphasis on digital currencies continues in response to the increased demand for ransomware payments during the COVID-19 pandemic, with actions focused on disrupting virtual currency exchanges that facilitate financial transactions for ransomware actors.

In connection with the Updated Advisory, OFAC has added digital currency addresses to OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”) to notify companies of specific digital currency identifiers associated with blocked persons.

OFAC applies a strict liability standard when imposing civil penalties for sanctions violations. Thus, OFAC may hold a U.S. person civilly liable despite such person not knowing or having reason to know that a transaction involved an SDN, other blocked person or embargoed country.  Companies assisting with ransomware payments are encouraged to develop and maintain tailored, risk-based sanctions compliance procedures and controls to mitigate the risk of violating U.S. sanctions regulations. In the event of an apparent violation of U.S. sanctions regulations, significant mitigating factors that OFAC considers to determine its enforcement response include: (1) the adequacy of a sanctions compliance program, (2) the steps taken to reduce the risk of extortion by a sanctioned actor, (3) self-initiated, timely and complete reporting of ransomware attacks, and (4) ongoing cooperation with law enforcement. With respect to cooperation with law enforcement, OFAC will consider whether the company provided all relevant information, including technical details, ransom payment demand, and ransom payment instructions, to the appropriate U.S. government agencies as soon as possible.

To mitigate sanctions risks, companies subject to U.S. jurisdiction that assist with ransomware payments should be aware of U.S. sanctions regulations that may expose them to civil liabilities.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XI, Number 265
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement
Advertisement