Skip to main content

OFAC Warns Companies Again Not to Pay Ransomware Demands and Offers Helpful Hints for Mitigating Risks

Kelly Ruane Melchiondo

Blog ImageOn September 21, 2021, The Department of Treasury’s Office of Foreign Assets Control (“OFAC”) issued an Updated Advisory “to highlight the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities.” The Updated Advisory supersedes OFAC’s October 1, 2020 Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. In addition to warning companies what not to do, the Updated Advisory also offers companies guidance on what to do. OFAC recommends companies take several proactive steps to mitigate the risks of ransomware attacks. It notes that, in enforcement actions, it would consider those steps to be “mitigating factors” against civil penalties.

The government “strongly discourages” private companies and citizens from paying ransomware or extortion demands. OFAC prohibits U.S. citizens from transacting business, directly or indirectly, with individuals or entities on OFAC’s “Specially Designated Nationals and Blocked Persons List” (“SDN List”) or in countries or regions for which trade and business is specifically under embargo, such as Cuba and North Korea. OFAC may impose criminal sanctions upon anyone who transacts business with these individuals or entities under a strict liability standard—meaning, even if the transaction is inadvertent. Paying a ransomware demand to a malicious actor who may be located within one of these countries, or who may be on the SDN List, is incredibly risky.

The Updated Advisory notes “the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider” when it determines an appropriate enforcement response to an apparent violation of U.S. law. OFAC “encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.” OFAC encourages companies to take “meaningful steps” to “reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices.”

OFAC offers the following examples of those “meaningful steps,” which are generally best practices for any company that collects or stores data:

  • Maintaining offline backups of data, to minimize disruption to the business, and thus, reduce the severity of a ransomware attack;
  • Developing thorough incident response plans
  • Instituting cybersecurity training of employees
  • Regularly updating antivirus and other security software
  • Employing multifactor authentication protocols

In addition to implementing these steps, OFAC will look favorably upon companies that report ransomware attacks to the relevant authorities promptly. “Full and ongoing cooperation with law enforcement both during and after a ransomware attack” is a “significant mitigating factor.” (emphasis added).

While nothing in the Updated Advisory is new or groundbreaking, it does evidence the Biden Administration’s attempts to encourage the public to implement enhanced cybersecurity measures to respond to the growing threat of ransomware. The government is paying attention to what companies do—and fail to do—to protect themselves.

YOU MIGHT ALSO LIKE
Blog September 24, 2024
In a recent federal case from New York, the court dealt a blow to plaintiffs suing over data breaches. The plaintiffs had filed a putative class action suit, alleging that they (and others like them) had been harmed by the alleged exposure of their personal and financial information due to a March 2...
Speaking Engagement September 12, 2024
Philip R. Stein speaks on the panel Don’t Be a Dinosaur! Staying Current on Corporate Governance Developmentsat the ACC South Florida 14th Annual CLE Conference. The session focuses on the significant developments in Florida and Delaware corporate governance law, focusing on the most salient n...
Speaking Engagement March 4, 2024
Ryan J. Coyle speaks on the panel Stiff Winds, New Currents and Rough Seas: Navigating the Private Client World in Turbulent Times at the 29th Annual International Private Client Tax Conference. The panel discusses recent changes and salient topics in tax law in different jurisdictions, the use of a...
VIEW MORE