On September 21, 2021, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an updated advisory on the sanctions risks of facilitating ransomware payments. OFAC issued a prior version of its advisory on October 1, 2020. In the months since, attacks have continued to target entities in the United States, including many in sensitive industries, generating increased concern over the scale of the problem. OFAC’s updated advisory is part of the Biden administration’s ongoing efforts to address the national security and economic risks posed by such attacks. The updated advisory emphasizes that OFAC “strongly discourages” victims from making ransom payments and reemphasizes the sanctions risks of doing so, but it also seeks to give victims greater clarity about the steps that can reduce the likelihood of a public enforcement response if a company inadvertently makes or facilitates a ransom payment that has a sanctions nexus.

The updated advisory repeats past guidance about the sanctions risks to victims and to third-party service providers, including US financial institutions, that assist victims in responding to ransomware attacks, but it makes a number of important changes, including with respect to the mitigating factors it will consider under the OFAC Enforcement Guidelines. These changes are outlined below.

For additional detail on OFAC’s approach to ransomware please see our prior blog post on the agency’s initial ransomware guidance here.


Companies Should Take Steps to Reduce the Risk of Ransomware Attacks by Adopting or Improving Cybersecurity Practices

The updated advisory marks the first time OFAC has publicly stated that “meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices” will be considered a “significant mitigating factor” under OFAC’s Enforcement Guidelines. According to OFAC, such steps include those highlighted in CISA’s September 2020 Ransomware Guide, such as “maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.”


Victims are Encouraged to Promptly Report Ransomware Attacks to Law Enforcement

OFAC’s updated advisory emphasizes that OFAC will consider the “nature and extent” of a victim’s cooperation with OFAC, law enforcement, and other relevant agencies in determining an appropriate enforcement response to apparent sanctions violations.

The advisory notes, “OFAC will consider a company’s self-initiated and complete report of a ransomware attack to law enforcement or other relevant agencies … made as soon as possible after the discovery of an attack, to be a voluntary self-disclosure and a significant mitigating factor in determining an appropriate enforcement response.” It adds, “OFAC will also consider a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack—e.g. providing all relevant information such as technical details, ransom payment demand, and ransom payment instructions as soon as possible—to be a significant mitigating factor.”

Additionally, the updated advisory articulates a new position: a company’s self-initiated and complete report of a ransomware attack to law enforcement made “as soon as possible after the discovery of an attack” will be treated as a voluntary self-disclosure and a “significant mitigating factor” under OFAC’s Enforcement Guidelines. Generally speaking, OFAC does not treat disclosure to another government agency as a voluntary self-disclosure to OFAC. This language therefore departs from OFAC’s typical approach, and it strikes a balance between OFAC’s interest in victims’ timely reporting of ransomware attacks and the urgent task such victims face in managing a crisis situation. (The prior version of the advisory stated that mitigation credit would be given for timely self-reporting to law enforcement, but it did not specifically indicate that such a report would be considered a voluntary self-disclosure under OFAC’s Enforcement Guidelines.) The updated guidance states that “OFAC would be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or a Cautionary Letter) when the affected party” took “mitigating steps,” “particularly reporting the ransomware attack to law enforcement as soon as possible and providing ongoing cooperation.”


Companies Should Specifically Consider Ransomware in Sanctions Compliance Policies

OFAC’s revised guidance echoes its original guidance in stressing the importance of addressing ransomware risks in a sanctions compliance program. In particular, for those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses), it states that they should, as part of their sanctions compliance programs, “account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction.” Such entities would therefore be prudent to review their existing sanctions compliance policies and update them in light of this revised guidance.