On September 21, 2021, the US Treasury Department’s Office of Foreign Assets Control (“OFAC”) issued an updated ransomware advisory (“Updated Advisory”) highlighting the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities and the proactive steps companies can take to mitigate such risks, including actions that OFAC would consider to be “mitigating factors” in any related enforcement action. OFAC concurrently designated SUEX OTC, S.R.O. (“SUEX”) as a Specially Designated National (“SDN”), the first virtual currency exchange to be so designated. For information on OFAC’s original advisory, which has now been superseded by the Updated Advisory, please see our blog post here.

Ransomware Updated Advisory

As noted in the Updated Advisory, there was a nearly 21% increase in reported ransomware cases and a 225% increase in associated losses from 2019 to 2020. While the Updated Advisory does not materially depart from the original advisory in terms of discouraging the payment of such ransoms, it specifically notes that a significant mitigating factor in OFAC’s enforcement response against companies will be whether the company has adopted appropriate cybersecurity practices, referred to in the guidance as “defensive and resilience measures.” OFAC went so far as to specifically mention the practices highlighted in the Cybersecurity and Infrastructure Security Agency’s September 2020 Ransomware Guide (“CISA Ransomware Guide”), including steps to:

  • Maintain offline backups of data;
  • Develop incident response plans;
  • Institute cybersecurity training;
  • Regularly update antivirus and anti-malware software; and
  • Employ authentication protocols.

As part of preparing for ransomware attacks, companies should review their information security programs against the recommendations in the CISA Ransomware Guide, as well as other applicable standards, such as NIST and CMMC, and consider adopting enhancements aligned with such guidance and frameworks.

An additional change in the Updated Advisory is OFAC’s further emphasis on cooperation with law enforcement in the event of a ransomware attack as a significant mitigating factor for enforcement decisions. OFAC appears to have gone one step further than its original advisory by affirmatively stating that a company’s timely, voluntary and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies — other than OFAC — such as CISA or the U.S. Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), will be treated as a voluntary self-disclosure and a significant mitigating factor in determining its own enforcement response. In its original advisory, such disclosures to other law enforcement agencies were simply viewed as a significant mitigating factor. As a practical matter, the Updated Advisory may provide some additional comfort — namely, the penalty mitigation and other enforcement benefits offered by OFAC in response to voluntary self-disclosures — to companies that (i) cooperate early, continuously and completely with other law enforcement agencies; (ii) make ransomware payments after confirming (through appropriate due diligence) that a payment has no apparent sanctions nexus; and (iii) later (post-payment) learn there was or may have been a sanctions nexus.

Taken together, the Updated Advisory emphasizes proactive steps companies can take to enhance the likelihood of obtaining a non-public response (i.e., a No Action Letter or a Cautionary Letter) in the event of a sanctions violation arising from payments made in response to a ransomware attack.

Designation of SUEX as an SDN

SUEX was designated by OFAC as an SDN pursuant to Executive Order 13694 for facilitating financial transactions for ransomware actors, including illicit proceeds from at least eight ransomware variants. The Treasury Department’s press release noted that virtual currency exchanges such as SUEX are critical to the profitability of ransomware attacks, which in turn help fund additional cybercriminal activity. US persons are generally prohibited from engaging in transactions with an SDN. In addition, under OFAC’s “50% Rule,” the prohibition extends to dealings by US persons with any other entity in which the SDN owns, directly or indirectly, a 50% or greater interest.

The Treasury Department is expected to continue to use its authority to designate potentially problematic players in the virtual currency industry, which is otherwise viewed as playing a critical role in implementing appropriate AML/CFT (i.e., anti-money laundering/combating the financing of terrorism) and sanctions controls to prevent sanctioned persons and other illicit actors from exploiting virtual currencies.

The increase in cybersecurity incidents and ransomware attacks globally highlights a continuing problem of inadequate internal controls, not only from a technical standpoint but also from an organizational standpoint. For further guidance on how to navigate this complex landscape and build appropriate compliance programs, we encourage you to join Deciphering Data, Baker McKenzie’s global webinar series on data privacy and security, which aims to help companies decode global developments in cybersecurity, data protection, workplace privacy, regulatory updates, litigation and enforcement. More information can be found here.

Author

Janet Kim is a partner in Baker McKenzie's Washington, DC office. Ms. Kim advises clients — including US and foreign companies — on outbound compliance issues arising from the US Foreign Corrupt Practices Act, as well as in criminal and regulatory proceedings, internal investigations and compliance reviews relating to these areas of law. She also advises on the application of these laws in cross-border transactions, including mergers and acquisitions, divestitures and joint venture arrangements. Additionally, Ms. Kim helps develop and implement workable, risk-based compliance programs for companies in a wide range of industries.

Author

Lise Test, an associate in Baker & McKenzie’s International Trade Group in Washington, DC, practices in the area of international trade regulation and compliance — with emphasis on US export control laws, trade sanctions, anti-boycott laws and the Foreign Corrupt Practices Act. Prior to joining Baker & McKenzie, Ms. Test served as a lawyer at the Danish Ministry of Defence where she focused on international public law and Danish torts, administrative law and military criminal law. In addition to her practice, Ms. Test also taught international humanitarian law and contract law at the Danish Royal Naval Academy.