Treasury Department issues ransomware guidance in response to significant uptick in ransomware attacks

In response to the significant rise in ransomware attacks since the start of the COVID-19 pandemic and just in time for Cybersecurity Awareness Month, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) issued advisories on October 1, 2020 on the potential legal risks to making or facilitating ransomware payments.

The OFAC advisory indicates that ransomware payments with a sanctions nexus threaten U.S. national security interests and includes a reminder that OFAC sanctions apply to such transactions as well as guidance for organizations to mitigate potential sanctions-related exposure. In its advisory, FinCEN warns financial institutions of the predominant trends and potential indicators of ransomware and provides guidance on reporting and information sharing related to ransomware incidents. Together, the advisories suggest that additional scrutiny will be applied to organizations that facilitate ransomware payments, such as financial institutions, providers of cybersecurity insurance, and digital forensics and incident response vendors.

In light of this guidance, financial institutions and other organizations should review their existing cybersecurity incident response plans and sanctions compliance procedures to contemplate a rigorous process for vetting ransomware threat actors for a possible sanctions nexus and include protocols for engaging law enforcement and other government entities when appropriate. And facilitators should examine whether their activities in connection with ransom payments might qualify them as “money transmitters” – a species of financial institution under the Bank Secrecy Act (BSA) – which would impose a series of registration, anti-money laundering program, reporting, and recordkeeping requirements.

Background

As noted in both advisories, there has been an enormous uptick in the number, size, and sophistication of ransomware attacks since 2018, with a 147% increase in associated losses from 2018 to 2019. And those who work in this field know that the trends emerging in 2020 are even more disturbing.

While ransom payments are not expressly prohibited under U.S. federal law (when there is no nexus to OFAC-sanctioned parties or territories), the legal landscape around ransom payments is complicated and uncertain. Law enforcement agencies – with some notable exceptions – have largely discouraged organizations from making such payments, as they enable cyber criminals “to profit and advance their illicit aims.” Nonetheless, many organizations ultimately decide to pay ransoms because, they determine, doing so is the right business decision. And while insurers are increasingly scrutinizing the reimbursement of such payments, historically many have supported the decision to pay a ransom because it is often cheaper than reimbursing the victim company for the lengthy process of restoring its systems on its own (i.e., without the benefit of the threat actor’s decryption key).

Moreover, the need to consider potential sanctions liability is nothing new – for some time informed organizations have been conducting thoughtful due diligence on a threat actor prior to paying a ransom. Sanctions are enforced under a strict liability regime, meaning that an individual or victim organization can be held civilly liable for sanctions violations even if they did not know, nor could have reasonably known, that the threat actor receiving the payment was a sanctioned organization or individual, or is from a jurisdiction subject to comprehensive sanctions. Nonetheless, to date, there has been limited enforcement in the context of ransomware incidents; the trend is that U.S. prosecutors and law enforcement rightly treat victim organizations as victims.

OFAC Advisory

The Treasury Department’s new advisories add several new twists to the traditional “pay versus don’t pay” analysis for victims of ransomware attacks. In its advisory, OFAC warns both victim organizations and organizations that facilitate ransom payments of enforcement if the ransom payee turns out to be sanctioned (such as those identified on OFAC’s Specially Designated Nationals and Blocked Persons List (SDNs)) as well as those ordinarily resident in a comprehensively sanctioned territory, which at present includes Cuba, Iran, North Korea, Syria, and the Crimea region. OFAC has imposed sanctions against a number of cyber criminals and organizations over the past several years. Transacting with those subject to sanctions (including not just those on the SDN list but also non-listed entities that are owned at 50% or greater level, directly or indirectly, by one or more SDNs), the advisory reminds U.S. organizations, is a crime.

Importantly, however, the advisory notes that there are certain “mitigating factors” that may inform “an appropriate enforcement outcome” if a victim company’s payment of a ransom is later determined to have a sanctions nexus (even though it was not apparent at the time of such payment). Specifically, the advisory suggests that pursuant to the OFAC Enforcement Guidelines, enforcement may be less likely against organizations that:

  1. Voluntarily make a “timely and complete report” of a ransomware attack to law enforcement; and
  2. Provide “full and timely” cooperation with law enforcement both during and after the incident.

In addition, the advisory encourages financial institutions and other organizations that facilitate ransom payments (e.g., insurance providers and digital forensics and incident response vendors) to “implement a risk-based compliance program” that specifically addresses “the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction.” The Enforcement Guidelines also indicate that “the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider when determining an appropriate enforcement response.” Notably, the advisory provides that license applications from OFAC authorizing ransomware payments will be determined on a “case-by-case basis with a presumption of denial,” given that such payments undermine the foreign policy/national security objectives of the sanctions regime. As such, pursuing a specific license from OFAC does not appear to be a viable option for ransomware attacks involving sanctioned threat actors.

That said, the advisory also encourages victim organizations to immediately contact OFAC directly if there are reasons to suspect a ransom payment may have a sanctions nexus.

FinCEN Advisory

The advisory issued by FinCEN addresses the key role that financial intermediaries play in ransomware incidents. Acknowledging the inherent challenge of attribution in cyber space, and highlighting the increasing sophistication of ransomware operations, FinCEN’s advisory provides helpful information on recent trends and typologies of ransomware attacks and a list of ten “financial red flag indicators” to help financial institutions detect, prevent, and report suspicious transactions associated with these incidents. FinCEN describes how ransomware schemes typically demand payment in convertible virtual currency (often acquired from a virtual currency exchange); when payment is sent to the perpetrator’s virtual currency address, the funds are usually laundered through various means, including the use of mixers and tumblers, structuring transactions through multiple accounts, and moving funds to other exchanges or jurisdictions with less robust anti-money laundering controls. The advisory notes that while no single indicator is determinative of ransomware activity, “financial institutions should consider the relevant facts and circumstances of each transaction, in keeping with their risk-based approach to compliance.”

Of course, many victims of cybersecurity incidents (including malware) are not themselves virtual currency companies, nor do they possess the specific infrastructure to pay a ransom in response to an attack. FinCEN’s advisory notes the proliferation of financial intermediaries that may be involved in ransom payments, such as cyber-insurance companies, digital forensics and incident response companies, and money services businesses that offer convertible virtual currencies. Depending upon their role in the payments, the FinCEN advisory stresses that in some circumstances their activities “could constitute money transmission” – a broad term in the Bank Secrecy Act’s implementing regulations.

If such companies are, in fact, money transmitters under this expansive definition, they would become subject to the BSA rules, requiring them to register with FinCEN as a Money Services Business (MSB) and perform other obligations, including filing suspicious activity reports (SARs) with FinCEN regarding any suspicious transactions, attempted transactions, and patterns of transactions. This is a critical development, as many of these entities do not currently consider themselves subject to this regulatory regime, and may not have registered with FinCEN, developed an anti-money laundering compliance program, or have filed required SARs. Notably, failure to comply with these provisions carries both civil and criminal penalties. Various states also have parallel regulatory and enforcement regimes.

Key Next Steps

The Treasury Department’s advisories add complexity to the existing process for evaluating whether to pay a ransom and suggest enhanced enforcement of potential sanctions and anti-money laundering compliance violations, particularly against financial institutions and other organizations that facilitate ransom payments. In light of this guidance – and well in advance of any possible cybersecurity incident – organizations may want to consider a number of initiatives, including:

  • Reviewing existing cybersecurity incident response plans to ensure that the compliance function evaluates the possibility of a sanctions nexus;
  • Reviewing the organization’s existing policies on law enforcement engagement before, during, and after an incident;
  • Identifying key limitations in the organization’s cybersecurity insurance policy, such as the required use of pre-selected external advisers;
  • For facilitators of ransomware payments, conducting a thorough legal analysis of whether they may be considered money transmitters (and thus subject to BSA rules) in certain circumstances; and
  • Evaluating the adequacy of the organization’s policy on filing SARs in connection with all types of cybersecurity incidents. (Note that SAR filing carries with it various follow-on requirements, including confidentiality restrictions, record retention requirements, and similar obligations.)


Authored by Peter Marta, Gregory Lisa, Scott Loughlin, Aleksandar Dukic, and Asmaa Awad-Farid.
