OFAC Warns Companies Again Not to Pay Ransomware Demands and Offers Helpful Hints for Mitigating Risks

Kelly Ruane Melchiondo

On September 21, 2021, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an Updated Advisory “to highlight the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities.” The Updated Advisory supersedes OFAC’s October 1, 2020 Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. In addition to warning companies what not to do, the Updated Advisory also offers guidance on what to do. OFAC recommends that companies take several proactive steps to mitigate the risks of ransomware attacks, and it notes that, in enforcement actions, it would consider those steps to be “mitigating factors” weighing against civil penalties.

The government “strongly discourages” private companies and citizens from paying ransomware or extortion demands. OFAC prohibits U.S. citizens from transacting business, directly or indirectly, with individuals or entities on OFAC’s “Specially Designated Nationals and Blocked Persons List” (“SDN List”), or in countries or regions that are under a specific trade embargo, such as Cuba and North Korea. OFAC may impose criminal sanctions on anyone who transacts business with these individuals or entities under a strict liability standard, meaning that liability can attach even if the transaction was inadvertent. Paying a ransomware demand to a malicious actor who may be located in one of these countries, or who may be on the SDN List, is therefore incredibly risky.

The Updated Advisory notes “the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider” when it determines an appropriate enforcement response to an apparent violation of U.S. law. OFAC “encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.” OFAC encourages companies to take “meaningful steps” to “reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices.”

OFAC offers the following examples of those “meaningful steps,” which are generally best practices for any company that collects or stores data:

  • Maintaining offline backups of data, to minimize disruption to the business and thus reduce the severity of a ransomware attack;
  • Developing thorough incident response plans;
  • Instituting cybersecurity training of employees;
  • Regularly updating antivirus and other security software; and
  • Employing multifactor authentication protocols.

In addition to implementing these steps, OFAC will look favorably upon companies that report ransomware attacks to the relevant authorities promptly. “Full and ongoing cooperation with law enforcement both during and after a ransomware attack” is a “significant mitigating factor.” (emphasis added).

While nothing in the Updated Advisory is new or groundbreaking, it does evidence the Biden Administration’s attempts to encourage the public to implement enhanced cybersecurity measures to respond to the growing threat of ransomware. The government is paying attention to what companies do—and fail to do—to protect themselves.
