On Sept. 21, 2021, the Department of Treasury, Office of Foreign Assets Control (OFAC), updated its published guidance regarding sanctions risks associated with making ransomware payments and its official policy on such payments. This updated guidance, taken in conjunction with OFAC’s recent sanctions designation of a cryptocurrency payment exchange frequently used for ransomware payments, and with other ongoing regulatory and legislative efforts to address ransomware attacks, further highlights the whole-of-government effort by the United States to discourage ransomware attacks and the compliance responsibilities this effort continues to impose upon the business community.
Background on ransomware payments and sanctions
In October 2020, in the wake of a spike in ransomware attacks, OFAC issued guidance regarding sanctions risks associated with making ransomware payments. This guidance emphasized that 1) facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable parties with a sanctions nexus to profit and advance their illicit aims and 2) as a result, there is a risk that a ransomware payment may involve a specially designated national (SDN) or blocked person, a blocked account (including cryptocurrency wallets) or a comprehensively embargoed jurisdiction (e.g., Cuba, Iran, North Korea).
This guidance also highlighted potential reporting requirements to the Financial Crimes Enforcement Network (FinCEN) as well as other expected risk mitigation measures, including coordination with federal law enforcement and, where required, disclosure to OFAC.
The updated 2021 guidance retains directives of the 2020 guidance, including coordination with law enforcement. It also retains OFAC’s policy of denial with respect to granting licenses to authorize transactions related to ransomware payments involving sanctioned parties.
The updated guidance indicates that OFAC’s enforcement posture with respect to businesses that are considering ransomware payments will be influenced by their adherence to the September 2020 Cybersecurity and Infrastructure Security Agency (CISA) ransomware guidance.
The updated guidance emphasizes the risk of facilitating or processing payments, specifically noting that OFAC has listed SUEX, a company that allows customers to convert digital currency into cash or other forms of assets, as an SDN. In this designation, OFAC stated that companies operating or facilitating digital currency platforms such as SUEX “are critical to the profitability of ransomware attacks, which help fund additional cybercriminal activity.”
Coordination with U.S. government cyber strategy and legislative efforts
In line with the whole-of-government approach, this updated OFAC guidance coincides with regulatory and legislative efforts at the federal level to enhance cybersecurity. For example:
- As previously covered in our September Privacy and Security Roundup, the U.S. Securities and Exchange Commission has sanctioned investment advisors and broker-dealers over failures to protect confidential information.
- As briefly covered in our September Privacy and Security Roundup, bipartisan legislation currently before Congress would introduce mandatory reporting requirements for federal agencies, contractors, and critical infrastructure owners and operators in the event of cyber intrusions, within 24 hours of discovery.
- On the specific topic of ransomware, Congress is eyeing a similar bipartisan piece of legislation, the Sanction and Stop Ransomware Act. In addition to mandatory owner/operator reporting requirements in the event of ransomware attacks on critical infrastructure, the act would require: (1) the development of cybersecurity standards for critical infrastructure entities; (2) development of cryptocurrency exchange regulations to reduce anonymity in ransomware situations; and (3) the imposition of sanctions/penalties on states designated as “state sponsors of ransomware.”
- The United States Innovation and Competition Act would invest roughly $200 billion in U.S. scientific and technological innovation over the next five years and includes several national security-oriented measures aimed at limiting the exposure of U.S. supply chains to foreign influence and at protecting U.S. intellectual property, with particular focus on threats from China, including improvements in cybersecurity infrastructure.
Conclusions on new ransomware payments guidance
The recent OFAC update and ongoing regulatory and legislative efforts noted above should clearly indicate to the business community that the U.S. government expects companies to exercise diligence and due care when seeking to prevent, mitigate or make payments related to ransomware attacks.
The continued emphasis on sanctions in both regulatory actions and legislation indicates that OFAC will remain a key player in addressing the actors responsible for malicious cyber activities. Companies should therefore evaluate their cyber-response policies to ensure that they are appropriately calibrated to comply with OFAC, as well as FinCEN, CISA and other regulatory and law enforcement expectations for addressing cyberattacks and ransomware.