In a world where the attention in many businesses has focused on keeping their workplaces COVID-free, cyber criminals have begun preying upon the security vulnerabilities created by COVID. For example, ransomware attacks have increased exponentially in 2020; security experts believe a significant portion of the increase is attributable to lack of “work from home” cybersecurity measures.
Prior in person communications are now completed entirely over email––without necessary safeguards. This situation is ripe for nefarious phishing—an attacker sends an email to an unsuspecting employee, the employee clicks on a link or attachment, the act of clicking on the link infects the employee’s computer and ultimately the company’s entire network. After an attacker possesses access to a company’s network, the ransom demand is sent. The attacker demands payment to restore the company’s access to its own files; in some cases, the demand is associated with the release of sensitive data in the company files.
On October 1, 2020t, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an advisory creating even more pitfalls for potential ransomware victims. OFAC investigates and imposes sanctions on known perpetrators of ransomware, particularly those perpetrators funded or backed by “activities adverse to the national security and foreign policy objectives of the United States.” The OFAC advisory provides that an organization that paying certain ransoms, as a result of a ransomware event, is potentially subject to federal civil penalties. More specifically, if a company, financial institution, or cyber incident response organization facilitates payment to an individual prohibited under sanctions laws (for example, individuals on OFAC’s “Specially Designated Nationals and Blocked Persons List” or individuals Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria), the organization may be strictly liable for civil penalties. In other words, the organization could be civilly liable even if there was no reason to suspect the company was engaging with a sanctioned person, organization, or country.
Th OFAC advisory leaves great uncertainty on potential civil liability. However, the advisory does provide that if the organization reports the ransomware attack to law enforcement, and cooperates in the investigation, such reporting and cooperation will be “a significant mitigating factor when evaluating a possible enforcement outcome.” OFAC encourages victims and those organizations involved in mitigating ransomware attacks to contact OFAC immediately if evidence suggests the request for payment may involve an individual or group subject to OFAC sanctions. It further recommends companies implement risk-based compliance programs to prevent engaging with sanctioned groups or individuals.
The OFAC advisory can be accessed at: https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
OFAC’s guide on creating a risk-based sanctions compliance program can be accessed at: