United States:
Key Takeaways From OFAC’s Updated Ransomware Advisory
On September 21, 2021, the U.S. Department of the Treasury’s
Office of Foreign Assets Control (OFAC) issued an “Updated Advisory on Potential
Sanctions Risks for Facilitating Ransomware Payments.”
While this advisory explicitly supersedes OFAC’s previous
ransomware advisory from October 2020, it
does not fundamentally alter OFAC’s approach towards ransom
payments. Like the prior guidance, OFAC’s recent advisory
reiterates the U.S. policy of “strongly discouraging”
ransom payments, warns that such payments carry sanctions risk, and
lists a number of “significant mitigating factors” that
OFAC will consider when deciding whether to bring an enforcement
response. Still, there are several significant takeaways from the
updated guidance:
- OFAC Is Targeting Cryptocurrency Exchanges, Not Ransomware Victims. In conjunction with the revised advisory, OFAC announced sanctions against SUEX, a Moscow-based cryptocurrency exchange that OFAC says caters to criminals. This is the first such sanction against a cryptocurrency exchange.
- CISA’s “Best Practices” Are Becoming More Than Mere Suggestions. One new significant mitigating factor in the updated guidance is whether the victim company had taken meaningful steps to reduce the risk of extortion and ransomware by implementing “cybersecurity practices, such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide.” Such practices “could include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.” Accordingly, reducing the risk of an OFAC enforcement response is yet another reason for companies to meet at least minimal cybersecurity standards and to maintain “artifacts of compliance” (for example, backup restore logs, patch records and training attendance records) that can prove it to regulators in the event of a breach.
- Notification of Ransomware Attacks to Additional Government Agencies. Under OFAC’s 2020 advisory, a company’s “self-initiated, timely and complete report of a ransomware attack to law enforcement” was already a significant mitigating factor. The updated guidance expands the list of government agencies that companies should consider when voluntarily reporting ransomware attacks to law enforcement and/or CISA. OFAC states that reporting such an incident to the relevant government agencies will be “[a]nother factor that OFAC will consider under the Enforcement Guidelines,” and reiterates the importance of complete and ongoing cooperation with law enforcement and other relevant government agencies during and after the attack, including “providing all relevant information, such as technical details, the ransom payment demand and ransom payment instructions.”
- Notification of Ransomware Payments That May Have a Sanctions Nexus to Additional Government Agencies. This week’s guidance not only expands the scope of government agencies that companies should or may notify of a ransomware attack; in the case of ransomware payments that may have a sanctions nexus, it also suggests that companies should report the attack and the payment to OFAC and to the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), and that a company doing so may receive significant mitigation credit from OFAC. The revised guidance indicates an enlarged role for OCCIP in thwarting ransomware attacks and payments to parties with a potential sanctions nexus: OFAC’s previous guidance suggested notifying OCCIP only if an attack involved “U.S. financial institutions or may cause significant disruption to a firm’s ability to perform critical financial services,” whereas this week’s guidance suggests that all companies should report ransomware attacks and payments to OCCIP where there is a sanctions nexus.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.