On September 21, 2021, the US Treasury Department’s Office of Foreign Assets Control (“OFAC”) issued an updated ransomware advisory (“Updated Advisory”) highlighting the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities and the proactive steps companies can take to mitigate such risks, including actions that OFAC would consider to be “mitigating factors” in any related enforcement action. OFAC concurrently designated SUEX OTC, S.R.O. (“SUEX”) as a Specially Designated National (“SDN”), the first designated virtual currency exchange. For information on OFAC’s original advisory, which has now been superseded by the Updated Advisory, please see our blog post here.

Ransomware Updated Advisory

As noted in the Updated Advisory, there was a nearly 21% increase in reported ransomware cases and a 225% increase in associated losses from 2019 to 2020. While the Updated Advisory does not materially depart from the original advisory in terms of discouraging the payment of such ransoms, the Updated Advisory specifically notes that a significant mitigating factor in its enforcement response against companies will be whether the company has adopted appropriate cybersecurity practices, referred to in the guidance as “defensive and resilience measures”. OFAC went so far as to specifically mention the practices highlighted in the Cybersecurity and Infrastructures Security Agency’s September 2020 Ransomware Guide (“CISA Ransomware Guide”), including steps to:

  • Maintain offline backups of data;
  • Develop incident response plans;
  • Institute cybersecurity training;
  • Regularly update antivirus and anti-malware software, and
  • Employ authentication protocols.

As part of preparing for ransomware attacks, companies should review their information security programs against the recommendations in the CISA Ransomware Guide, as well as other applicable standards, such as NIST and CMMC, and consider adopting enhancements aligned with such guidance and frameworks.

An additional change in the Updated Advisory is OFAC’s further emphasis on cooperation with law enforcement in the event of a ransomware attack as a significant mitigating factor for enforcement decisions. OFAC appears to have gone one step further than its original advisory by affirmatively stating that a company’s timely, voluntary and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies — other than OFAC — such as CISA or the U.S. Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), will be treated as a voluntary self-disclosure and a significant mitigating factor in determining its own enforcement response. In its original advisory, such disclosures to other law enforcement agencies were simply viewed as a significant mitigating factor. As a practical matter, the Updated Advisory may provide some additional comfort — namely, the penalty mitigation and other enforcement benefits offered by OFAC in response to voluntary self-disclosures — to companies that (i) cooperate early, continuously and completely with other law enforcement agencies; (ii) make ransomware payments after confirming (through appropriate due diligence) that a payment has no apparent sanctions nexus; and (iii) later (post-payment) learn there was or may have been a sanctions nexus.

Taken together, the Updated Advisory emphasizes proactive steps companies can take to enhance the likelihood of obtaining a non-public response (i.e., a No Action Letter or a Cautionary Letter) in the event of a sanctions violation arising from payments made in response to a ransomware attack.

Designation of SUEX as an SDN

SUEX was designated by OFAC as an SDN pursuant to Executive Order 13694 for facilitating financial transactions for ransomware actors, including illicit proceeds from at least eight ransomware variants. The Treasury Department’s press release noted virtual currency exchanges such as SUEX are critical to the profitability of ransomware attacks, which help fund additional cybercriminal activity. US persons are generally prohibited from engaging in transactions with an SDN. In addition, under OFAC’s “50% Rule,” the prohibition extends to dealings by US persons with any other entities in which the SDN owns, directly or indirectly, 50% or greater interest.

The Treasury Department is expected to continue to use its authority to designate potentially problematic players in the virtual currency industry, which is otherwise viewed as playing a critical role in implementing appropriate AML/CFT (i.e., anti-money laundering/combating the financing of terrorism) and sanctions controls to prevent sanctioned persons and other illicit actors from exploiting virtual currencies.

The increase in cybersecurity incidents and ransomware attacks globally highlights a continuing problem of inadequate internal controls, not only from a technical standpoint but also an organizational standpoint. For further guidance on how to navigate this complex landscape and build appropriate compliance programs, we encourage you to join Deciphering Data, Baker McKenzie’s global webinar series on data privacy and security, which aims to help companies decode global developments in cybersecurity, data protection, workplace privacy, regulatory updates, litigation and enforcement. More information can be found here.