
OFAC Warns Companies Again Not to Pay Ransomware Demands and Offers Helpful Hints for Mitigating Risks

Kelly Ruane Melchiondo

On September 21, 2021, The Department of Treasury’s Office of Foreign Assets Control (“OFAC”) issued an Updated Advisory “to highlight the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities.” The Updated Advisory supersedes OFAC’s October 1, 2020 Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. In addition to warning companies what not to do, the Updated Advisory also offers companies guidance on what to do. OFAC recommends companies take several proactive steps to mitigate the risks of ransomware attacks. It notes that, in enforcement actions, it would consider those steps to be “mitigating factors” against civil penalties.

The government “strongly discourages” private companies and citizens from paying ransomware or extortion demands. OFAC prohibits U.S. citizens from transacting business, directly or indirectly, with individuals or entities on OFAC’s “Specially Designated Nationals and Blocked Persons List” (“SDN List”) or in countries or regions for which trade and business are specifically under embargo, such as Cuba and North Korea. OFAC may impose criminal sanctions upon anyone who transacts business with these individuals or entities under a strict liability standard—meaning, even if the transaction is inadvertent. Paying a ransomware demand to a malicious actor who may be located within one of these countries, or who may be on the SDN List, is incredibly risky.

The Updated Advisory notes “the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider” when it determines an appropriate enforcement response to an apparent violation of U.S. law. OFAC “encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.” OFAC encourages companies to take “meaningful steps” to “reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices.”

OFAC offers the following examples of those “meaningful steps,” which are generally best practices for any company that collects or stores data:

  • Maintaining offline backups of data, to minimize disruption to the business and thus reduce the severity of a ransomware attack;
  • Developing thorough incident response plans;
  • Instituting cybersecurity training of employees;
  • Regularly updating antivirus and other security software; and
  • Employing multifactor authentication protocols.

In addition to implementing these steps, OFAC will look favorably upon companies that report ransomware attacks to the relevant authorities promptly. “Full and ongoing cooperation with law enforcement both during and after a ransomware attack” is a “significant mitigating factor.” (emphasis added).

While nothing in the Updated Advisory is new or groundbreaking, it does evidence the Biden Administration’s attempts to encourage the public to implement enhanced cybersecurity measures to respond to the growing threat of ransomware. The government is paying attention to what companies do—and fail to do—to protect themselves.
