
On October 1, 2020, both the Treasury Department’s Office of Foreign Assets Control (“OFAC”) and its Financial Crimes Enforcement Network (“FinCEN”) published advisory guidance on, respectively, the sanctions risks and the money laundering risks of making ransom payments to cybercriminal organizations that use malware to immobilize or compromise computer systems. The OFAC and FinCEN guidance signals that US regulators are likely to increase their scrutiny of parties making ransom payments to cyber attackers, and underscores the importance of prompt, early reporting of such attacks to law enforcement, as well as self-disclosure of any ransom-related payments. Companies that do business in the United States, or are otherwise subject to US regulations, should review their cybersecurity plans and policies to ensure that appropriate consideration is given to the possible US regulatory complications of any ransomware payment.

OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (the “OFAC Advisory”) notes that ransomware attacks – in which a company’s data is stolen or rendered inaccessible and the attackers then demand payment to restore the data and/or refrain from releasing it publicly – have increased substantially in recent years. OFAC noted that, according to the Federal Bureau of Investigation’s 2018 and 2019 Internet Crime Reports, the number of reported ransomware incidents rose 37% between 2018 and 2019, and the associated reported losses rose 147% over the same period.

The OFAC Advisory

The OFAC Advisory notes that OFAC has sanctioned a number of cybercrime and “hacking” organizations in recent years, so there is a risk that a ransom payment could flow to, or benefit, a US-sanctioned person. The Advisory notes that civil liability for US sanctions violations is “strict” in nature, meaning that knowledge of the involvement of a sanctioned person is not necessary for a payment to constitute a violation of US law. Consequently, companies making ransom payments generally run a risk of violating US sanctions requirements. The Advisory notes that such payments, in some cases even when made by a party that is not itself a US person, may violate US sanctions prohibitions in three ways: by “materially assisting” US-sanctioned persons (e.g. “Specially Designated Nationals” or “SDNs”); by “causing” US persons (such as a US bank processing the payment) to violate US sanctions law; or by improperly facilitating the making of ransom payments involving SDNs or US-embargoed jurisdictions.

The OFAC Advisory notes that applications for an OFAC license to make ransomware payments will generally be subject to a “presumption of denial,” meaning that such licenses will typically not be granted.

Significantly, the OFAC Advisory notes that OFAC will consider two potentially significant “mitigating factors” in ransomware cases (meaning that a company’s potential penalties may be reduced under OFAC’s enforcement guidelines). First, prompt and complete self-reporting of a ransomware attack to law enforcement will constitute a mitigating factor if the situation is later determined to have a US sanctions nexus. This strongly incentivizes companies considering a potential ransomware payment to disclose any sanctions concerns to OFAC before paying. Second, the OFAC Advisory notes that full and timely cooperation with relevant law enforcement agencies “during and after” a ransomware attack will be viewed as a mitigating factor. This underscores that ransomware attacks should be reported to law enforcement promptly and fully, a step which improves a company’s position in any subsequent investigation of payments related to the attack.

The full OFAC Advisory is available here.

The FinCEN Advisory

FinCEN’s Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (the “FinCEN Advisory”), addressed to financial institutions, money services businesses, and other entities subject to US requirements to file Suspicious Activity Reports (“SARs”) under the Bank Secrecy Act (“BSA”), complements OFAC’s guidance and includes specific discussion of potential “red flags” which financial institutions should consider as signs of potential ransomware-related payments.

The FinCEN Advisory is focused on when institutions subject to BSA requirements must file SARs informing FinCEN of payments which may involve or relate to the payment of ransoms to cybercriminals. The FinCEN Advisory notes that such payments may involve institutions subject to such requirements, such as banks and Money Services Businesses (“MSBs”) involved in handling or facilitating the payments. The FinCEN Advisory further notes that Digital Forensics and Incident Response firms (“DFIR” firms) and Cyber Insurance Companies (“CICs”) may themselves be engaged in money transmission activities subject to FinCEN registration and reporting requirements where they, for example, intermediate the making of ransom payments on a victim’s behalf.

The “red flags” identified by the FinCEN Advisory largely relate to the involvement of DFIR and CIC firms, as well as the use of Convertible Virtual Currencies (“CVCs”) to make payments. The FinCEN Advisory recommends that companies subjected to a ransomware attack, or involved in making related payments, assess whether they are obligated to file SARs, and encourages such parties to take advantage of the “safe harbor” under Section 314(b) of the USA PATRIOT Act, which allows information-sharing between regulated financial institutions for compliance purposes following notification to FinCEN.

The full FinCEN Advisory is available here.


Key contacts

Jonathan Cross, Partner, New York

Christopher Boyd, Associate, New York