It's no secret that the frequency and impact of
cybersecurity incidents involving ransomware have increased
dramatically. In 2020, the Institute for Security + Technology reported
that nearly 2,400 U.S.-based governments, health care facilities
and schools were victims of ransomware. The average ransomware
payment rose 171% to $312,493. In a 2020 survey of 5,000 IT managers, 51%
indicated that they had been attacked by ransomware in the last
year.
In response, the Department of the Treasury's Office of
Foreign Assets Control (OFAC) recently
issued an advisory which revises their policy on potential
sanctions risks for companies that make ransomware payments. In
doing so, OFAC emphasizes that the U.S. government strongly
discourages all private companies and citizens from paying ransom
or extortion demands, and instead recommends focusing on
strengthening defensive and resilience measures to protect against
these attacks.
The Policy and Impact on Companies
The policy prohibits any transactions, directly or indirectly,
made to malicious cyber actors who have been
designated under OFAC's cyber-related sanctions program.
The advisory indicates that these transactions are prohibited since
ransomware payments may allow those who have been sanctioned to
“profit and advance their illicit aims.” OFAC further
reasons that “such payments not only encourage and enrich
malicious actors, but also perpetuate and incentivize additional
attacks.”
The policy empowers OFAC to impose civil penalties for sanctions
violations based on strict liability—meaning that a person
may be held civilly liable even if the person did not know or have
reason to know that the action was prohibited. These enforcement
actions can take several different forms, ranging from non-public
responses such as a No Action Letter or a Cautionary Letter, to
public responses such as civil monetary penalties.
How to Avoid A Civil Penalty
The advisory contains several mitigating factors that OFAC may
consider when determining an appropriate enforcement response to an
alleged violation. OFAC highlights the importance of compliance
programs and cooperation with law enforcement. While the resolution
of each potential enforcement is fact-specific, OFAC is more likely
to resolve violations involving ransomware attacks with a
non-public response when the victim takes the mitigating steps that
include:
The above mitigating factors are merely starting points that are
considered by OFAC when determining an appropriate enforcement
response in the event a sanctions nexus is found in connection with
a ransomware payment.
Armstrong Teasdale's Privacy and Data Security attorneys
have significant experience guiding clients in developing and
maintaining SCPs, IRPs and WISPs. We also have significant
experience building and auditing risk-based compliance programs to
mitigate exposure to sanctions- and embargoes-related violations.
We will continue to monitor and provide updates regarding OFAC and
other cybersecurity developments. Please contact your regular AT
attorney or one of the authors listed below for proactive guidance
specific to your business.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Gloss