Who’s On the Other Side: OFAC Releases Guidance on Ransomware Payments and Sanctions Enforcement
As we previously reported, companies across the globe increasingly have been targeted by cyber criminals during the COVID-19 pandemic. Just last month, a major U.S. healthcare provider, United Health Services (“UHS”), suffered a ransomware attack, crippling its digital networks and forcing many UHS-owned facilities to rely on offline backups and paper charts to provide health care. The attack on UHS is one of the latest incidents in a trend of increasing , a type of cyberattack in which cyber criminals use malware to block access to the victim’s computer system to extract a monetary payment. Ransomware victims are already faced with difficult decisions regarding payment and business continuity. But the underlying risk associated with such payments runs deeper, in no small part because cyber criminals are almost universally anonymous. A recent advisory (the “Advisory”) from the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) provides guidance on ransomware payments that may implicate U.S. sanctions. The Advisory makes clear that parties that pay or facilitate ransomware payments may face substantial legal consequences if a payment is made to a party subject to U.S. sanctions, whether the payor knows of those sanctions or not.
Sanction violations have long been a concern for those paying cyber criminals. In the Advisory, however, OFAC provides guidance on how it will deal with potential violations involving ransomware payments. The Advisory explains that, as a general matter, under the International Emergency Economic Powers Act (“IEEPA”) and Trading with the Enemy Act (“TWEA”), U.S. individuals and entities are already prohibited from transacting with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by country-specific or region-specific embargoes. Transactions that cause an IEEPA violation are also prohibited.
OFAC also notes that it has already designated a number of cyber criminals as “malicious cyber actors” under its cyber-related and other sanctions programs. Previously-designated malicious cyber actors include individuals and groups associated with the malware SamSam, WannaCry, CryptoLocker, and Dridex. The Advisory warns that OFAC “has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.” According to OFAC, this is critical because ransomware payments (1) could fund activities adverse to U.S. national security and foreign policy interests; (2) may embolden cyber criminals to engage in more attacks; and (3) do not guarantee that the victim will regain access to its data.
Critically, companies should be aware that OFAC will apply a strict liability standard for potential violations, meaning that an individual or entity may be held “civilly liable even if it did not know or have reason to know it was engaging in a transaction with” a sanctioned party. As a practical matter, this suggests that civil liability may attach even if a victim of ransomware had no reason to believe it was paying an entity subject to sanctions.
The Advisory notes that, in determining the appropriate enforcement response to an apparent violation by someone who has paid or facilitated a payment to a sanctioned party, OFAC will consider a number of factors, which are detailed in OFAC’s Economic Sanctions Enforcement Guidelines. Those factors include the following:
- Whether the subject committed a willful or reckless violation of law;
- Whether the subject was aware of the conduct giving rise to the apparent violation;
- The actual or potential harm to sanctions program objectives caused by the conduct giving rise to the apparent violation;
- Individual circumstances and characteristics of the subject, including their commercial sophistication and experience, size of operations and financial condition, annual volume of transactions, and sanctions history;
- The existence, nature and adequacy of a subject’s risk-based OFAC compliance program at the time of the apparent violation;
- Any corrective action taken in response to the apparent violation; and
- The nature and extent of the subject’s cooperation with OFAC.
The Advisory, moreover, highlights two potential mitigating factors when determining OFAC’s enforcement response: (1) “a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement”; and (2) “a company’s full and timely cooperation with law enforcement both during and after a ransomware attack.”
Finally, the Advisory encourages financial institutions and other companies that engage with the victims of ransomware attacks to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. Generally, OFAC recommends that such programs incorporate five components:
- Commitment from senior management to supporting the compliance program;
- Routine and ongoing risk assessments;
- Internal controls that identify, interdict, escalate, report, and record potentially prohibited activity;
- Testing and audits to assess the effectiveness of internal controls; and
- Employee training.
OFAC explicitly recommends that sanctions compliance programs “account for the risk that a ransomware payment may involve” an individual subject to sanctions “or a comprehensively embargoed jurisdiction.” The Advisory states that “companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations.”
The Advisory clarifies OFAC’s view of the liability landscape for companies forced to pay cyber criminals to end a ransomware attack. And these issues affect not only the direct victims of ransomware attacks, but also insurers, banks, consultants, and others involved in resolving the attack, negotiating with the cyber criminals, and facilitating any payments. Companies facing a ransomware payment need to conduct appropriate due diligence (in consultation with counsel and other professionals) on who they may be paying and create a robust record of that diligence process. Companies should also carefully consider OFAC’s guidance that timely disclosure and cooperation with law enforcement may mitigate the severity of any penalty if OFAC later determines a payment had a “sanctions nexus,” especially in situations where the timing of a payment may not coincide with reporting to law enforcement. Nonetheless, OFAC’s advisory has injected a degree of additional uncertainty into situations already defined by hard questions and even harder answers.