Yesterday, October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued its “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” The advisory begins with the observation that “ransomware attacks have become more focused, sophisticated, costly, and numerous,” citing certain FBI statistics, before making clear what was already well known to experienced practitioners: paying or facilitating ransomware payments to entities designated by OFAC risks civil penalties. The advisory names several ransomware perpetrators that OFAC has previously designated. Importantly, OFAC may impose civil penalties for sanctions violations based on strict liability, “meaning that a person may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”
The advisory describes some of the factors OFAC generally considers under its Economic Sanctions Enforcement Guidelines to determine an appropriate response to an apparent violation, including the amount of any civil monetary penalty. These factors include “the existence, nature, and adequacy of a sanctions compliance program.” Generally, OFAC encourages companies “to implement a risk-based compliance program to mitigate exposure to sanctions-related violations” that “account[s] for the risk that a ransomware payment may involve an [OFAC-listed] person, or a comprehensively embargoed jurisdiction.” Importantly, the advisory explicitly notes that OFAC will consider “a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement” and its “full and timely cooperation with law enforcement both during and after a ransomware attack” as “significant mitigating factor[s]” in determining possible and appropriate enforcement outcomes.
OFAC’s advisory applies to ransomware victims as well as to companies “involved in facilitating ransomware payments on behalf of victims,” such as “cyber insurance, digital forensics and incident response, and financial services” companies, including “depository institutions and money services businesses.” These companies may also have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations. FinCEN issued its own ransomware advisory contemporaneously with OFAC’s. The FinCEN advisory is the subject of a separate blog post.
While companies may apply to pay ransom to listed entities, the advisory warns that such applications “will be reviewed by OFAC on a case-by-case basis with a presumption of denial.” The advisory encourages companies “to contact OFAC immediately if they believe a request for ransomware payment may involve a sanctions nexus.”
For further information please contact your attorney on the Alston & Bird Privacy & Cybersecurity Team.