Office of Foreign Assets Control Guidance on Ransomware Payments
The United States Department of Treasury’s Office of Foreign Assets Control (OFAC) is broadly tasked with administering and enforcing economic trade sanctions based on United States foreign policy and national security goals. On October 1, 2020, OFAC issued an “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” to companies providing services to victims of ransomware attacks. In the Advisory, OFAC warned that it would impose sanctions on entities that “materially assist, sponsor, or provide financial, material, or technological support” for the activities of certain cyber threat actors designated by OFAC.
The Advisory is based, at least in part, on OFAC’s recognition that the facilitation of payments to certain ransomware threat actors may pose a threat to United States national security interests, as such payments may be used to fund the operations of criminals and adversaries. OFAC has listed a number of ransomware threat actors as sanctioned entities, thereby prohibiting ransom payments from being made to them. OFAC also recommended that companies implement a “risk-based compliance program to mitigate exposure to sanctions-related violations.” This would apply to companies that provide services to victims of ransomware attacks, including cyber insurers, digital forensics firms, ransom negotiation and payment firms, and financial services firms that may be involved in processing ransom payments.
Under OFAC’s Enforcement Guidelines, OFAC represents that it will consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining the initiation and/or outcome of an enforcement action. Similarly, OFAC represents that it will consider a company’s full and timely cooperation with law enforcement both during and subsequent to a ransomware attack to be a significant mitigating factor in determining the initiation and/or outcome of an enforcement action.
The Advisory implicates the International Emergency Economic Powers Act (IEEPA) and the Trading With the Enemy Act (TWEA), both of which explicitly prohibit private entities from engaging in trading activities with individuals or enterprises listed on OFAC’s Specially Designated Nationals and Blocked Persons List (the Sanctions List). The Advisory states that even individuals who “did not know or have reason to know” that they were dealing with a sanctioned entity may still be sanctioned.
The Advisory, nonetheless, still tacitly recognizes that making ransomware payments may be necessary. As reflected below, if a victim of ransomware finds it necessary to pay a ransom, it should consider early reporting of the matter to law enforcement, and it must ensure that any ransom payment made by it or on its behalf complies with an OFAC due diligence protocol confirming that the threat actor is not identified on the Sanctions List. Regarding the due diligence protocol, OFAC’s Enforcement Guidelines provide a list of factors to consider in assessing the risk that a ransom payment may later be deemed sanctionable. These include the following:
- whether the payment by or on behalf of the company is a willful or reckless violation of law;
- whether the company and/or the ransom payor is aware that its conduct may be a violation of the law;
- whether the conduct of the company and/or the ransom payor may cause harm to the sanctions program objectives;
- the individual characteristics of the company making payment or on whose behalf the ransom payment is made, including its commercial sophistication, its size and financial condition, the volume of ransom payments, and its sanctions history;
- the existence, nature, and adequacy of the company’s and/or ransom payor’s risk-based OFAC compliance program at the time of the ransom payment that may be deemed a violation;
- any corrective action taken by the company and/or the ransom payor in response to a ransom payment that may be deemed a violation;
- the extent of the company’s and/or the ransom payor’s cooperation with OFAC in response to a ransom payment that may be deemed a violation;
- the timing of what may be deemed a violation in relation to OFAC’s changes to its sanctions list;
- other enforcement actions by federal, state, or local agencies relevant to what may be deemed a violation;
- the effect that future compliance and deterrence may have; and
- any other relevant facts on a case-by-case basis.
Due to the risk of data loss, along with potential reputational harm, ransomware events are usually crisis situations. However, the Advisory makes clear that there are delineated steps to be taken and factors to be considered before making payment to a threat actor. As such, having experienced legal counsel and forensic investigators/ransom negotiators engaged in the process, who are familiar with and in compliance with OFAC regulations, is crucial to ensuring that businesses can navigate these incidents within the bounds of the law.