Ransom Payments Come Under Sanctions Scrutiny

Zac Cregar , Nick Pearson


March 1, 2021

In October, the U.S. Department of Treasury’s Office of Foreign Asset Compliance (OFAC) issued an advisory alerting companies to potential sanctions violations for paying or facilitating ransomware payments to foreign Specially Designated Nationals and Blocked Persons (SDNs). The advisory was largely a reminder that payments to these prohibited individuals or entities may result in civil penalties for sanctions violations based on strict liability. In other words, a person in the United States may be held liable even if they did not know they were engaging in a transaction with a prohibited person under sanctions laws and OFAC regulations.

Espionage, election interference attempts and mounting cybercrimes originating from foreign adversaries—whether explicitly state-sponsored or simply acquiesced—are harming U.S. political and business interests, so the government is working to hamper foreign hackers, including by cutting off funding sources. OFAC appears to be taking an approach to addressing ransomware that is similar to the Foreign Corrupt Practices Act (FCPA), which seeks to reduce foreign corruption by stopping the flow of American money.

Once viewed as a private industry nuisance, the U.S. government has now expressed the position that ransomware payments constitute national security threats. This all but guarantees further scrutiny for businesses responding to ransomware attacks. Some businesses may find themselves simultaneously victimized by foreign hackers and penalized by their own government. 

OFAC’s advisory underlined the potential for civil penalties pursuant to the International Emergency Economic Powers Act (IEEPA) and the Trading With the Enemy Act (TWEA), both of which have been in effect for decades.

The advisory’s primary purpose was to provide clarity on two subjects: First, companies should no longer rely on the reassurance that mitigating factors like the consequences of non-payment can provide safe harbor if a ransom payment ultimately goes to blacklisted persons. Second, the advisory cautioned companies that any payments to blacklisted persons require OFAC’s pre-approval via a “license” that is granted only on a case-by-case basis. OFAC undertakes reviews of ransomware payment licenses with a presumption of denial.

Separately, in “A Framework for OFAC Compliance Commitments,” the Treasury Department advised U.S.-based businesses to have in place a risk-based sanctions compliance program predicated on and incorporating at least five essential components of compliance: 1) management commitment, 2) risk assessment, 3) internal controls, 4) testing and auditing, and 5) training.

Treasury further asserted that a compliance program should be capable of adjusting rapidly to changes published by OFAC, including updates to the SDN list. Sanctions compliance programs are intended to foster OFAC compliance but also serve to mitigate penalties taken by OFAC in the event of a violation.

OFAC enforcement actions are not to be taken lightly. Although there do not appear to have been any actions taken against companies for ransomware payments thus far, OFAC has levied six- and seven-digit fines against companies that paid SDN-listed entities in other contexts. In 2019, OFAC brought 26 actions and civil penalties, totaling over $1.2 billion. While the financial services industry has historically been the focus of sanctions compliance action, an increasing number of actions have been taken against non-financial institutions in recent years, such as fines against e.l.f. Cosmetics, Expedia, and the General Electric Company in 2019.

What This Means for U.S. Businesses

While the OFAC advisory clarifies potential payment implications, it also increases uncertainty about how to respond to ransomware.  

When a company falls victim to a ransomware attack, panic quickly sets in. Ransomware attacks involve threats that data will be destroyed or disclosed after a deadline elapses without payment. The longer a ransomware victim waits to respond, the longer their business is disrupted, their data may become increasingly corrupted and exposed, and if they do not pay, it can become encrypted, lost or exploited forever.

These attacks are increasing in severity and frequency, and the true identities of hackers are not always easy to ascertain. Even if a victim discovers the ransomware attacker is an SDN-listed entity and properly reports to OFAC, chances may be slim that OFAC will grant approval before the attacker’s countdown timer runs out.

Most businesses do not have sufficient compliance programs capable of navigating the IEEPA or TWEA-related regulations, or monitoring OFAC’s SDN list. If they have not already, businesses should put in place sanctions compliance programs. They can also enact immediate, realistic steps to address ransomware risk, including:

  1. Undertake regular backups and reinforce employees’ basic cyber hygiene practices
  2. Obtain robust cyber insurance policies to partner with cyber and compliance experts
  3. Prepare for the possibility that the company is prevented from paying a ransom

When it comes to cyber extortion or ransomware insurance, policies typically cover ransom payments. In light of the OFAC advisory, cyber insurance policies can cover the cost of hiring experts to negotiate with hackers, and the cost of computer forensics experts to determine the nature and duration of the attack, as well as the potential identity of the attackers. Legal counsel provided via an insurer can also help victims get crucial OFAC compliance advice at a critical moment in the attack response process.

And yet, beyond the support of forensics experts and counsel, insurers may not provide a great deal of support in ransom cases. As facilitators, insurers have their own liability under IEEPA and TWEA for facilitating ransomware payments, but they sit in the background and reimburse businesses once the payment has already been made, only offering the approval for payment based on general coverage parameters. Cyber policies often exclude OFAC sanctions and coverage may even be denied if made to an SDN-listed person. Businesses should beware and have appropriate D&O coverage in place for resulting actions stemming from a ransomware payment.

Ransomware’s role in the current national security and geopolitical landscape ensures U.S. businesses will have an increasingly perilous position in the event of an attack. Unfortunately, many businesses do not have the means or expertise to build robust cybersecurity fortifications to prevent these attacks, especially in the case of an advanced state-sponsored hack. Basic steps to prevent, prepare for and respond to these attacks may provide simple yet critical help, however. Now, companies should be sure to consider OFAC’s ransomware enforcement when assessing response plans before getting ensnared in this complex problem.

Zac Cregar, Esq., is general counsel and managing director of claims at Altus Partners.
Nick Pearson is senior analyst at Altus Partners.