OFAC Warns Companies Again Not to Pay Ransomware Demands and Offers Helpful Hints for Mitigating Risks

On September 21, 2021, The Department of Treasury’s Office of Foreign Assets Control (“OFAC”) issued an Updated Advisory “to highlight the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities.” The Updated Advisory supersedes OFAC’s October 1, 2020 Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. In addition to warning companies what not to do, the Updated Advisory also offers companies guidance on what to do. OFAC recommends companies take several proactive steps to mitigate the risks of ransomware attacks. It notes that, in enforcement actions, it would consider those steps to be “mitigating factors” against civil penalties.

The government “strongly discourages” private companies and citizens from paying ransomware or extortion demands. OFAC prohibits U.S. citizens from transacting business, directly or indirectly, with individuals or entities on OFAC’s “Specially Designated Nationals and Blocked Persons List” (“SDN List”) or in countries or regions for which trade and business is specifically under embargo, such as Cuba and North Korea. OFAC may impose criminal sanctions upon anyone who transacts business with these individuals or entities under a strict liability standard—meaning, even if the transaction is inadvertent. Paying a ransomware demand to a malicious actor who may be located within one of these countries, or who may be on the SDN List, is incredibly risky.

The Updated Advisory notes “the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider” when it determines an appropriate enforcement response to an apparent violation of U.S. law. OFAC “encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.” OFAC encourages companies to take “meaningful steps” to “reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices.”

OFAC offers the following examples of those “meaningful steps,” which are generally best practices for any company that collects or stores data:

• Maintaining offline backups of data, to minimize disruption to the business, and thus, reduce the severity of a ransomware attack;
• Developing thorough incident response plans
• Instituting cybersecurity training of employees
• Regularly updating antivirus and other security software
• Employing multifactor authentication protocols
  
  

In addition to implementing these steps, OFAC will look favorably upon companies that report ransomware attacks to the relevant authorities promptly. “Full and ongoing cooperation with law enforcement both during and after a ransomware attack” is a “significant mitigating factor.” (emphasis added).

While nothing in the Updated Advisory is new or groundbreaking, it does evidence the Biden Administration’s attempts to encourage the public to implement enhanced cybersecurity measures to respond to the growing threat of ransomware. The government is paying attention to what companies do—and fail to do—to protect themselves.