OFAC Ransomware Advisory Warns Companies of Potential Civil Liability

Alysa Austin
Alston & Bird
Contact
LinkedIn
Facebook
X
Send
Embed

Thursday, October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued its “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” The advisory begins with the observation that “ransomware attacks have become more focused, sophisticated, costly, and numerous,” citing certain FBI statistics, before making clear what was already well known to experienced practitioners, that is, that paying or facilitating ransomware payments to entities designated by OFAC risks civil penalties. The advisory lists several perpetrators of ransomware attacks that OFAC has previously listed. Importantly, OFAC may impose civil penalties for sanctions violations based on strict liability, “meaning that a person may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”

The advisory describes some of the factors OFAC generally considers under its Economic Sanctions Enforcement Guidelines, to determine an appropriate response to an apparent violation, including the amount of civil monetary penalty, if any. These factors include “the existence, nature, and adequacy of a sanctions compliance program.” Generally, OFAC encourages companies “to implement a risk-based compliance program to mitigate exposure to sanctions-related violations,” that “account[s] for the risk that a ransomware payment may involve an [OFAC-listed] person, or a comprehensively embargoed jurisdiction.” Importantly, the advisory explicitly notes that OFAC will consider “a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement” and its “full and timely cooperation with law enforcement both during and after a ransomware attack” as “significant mitigating factor[s]” in determining possible and appropriate enforcement outcomes.

OFAC’s advisory applies to ransomware victims as well as to companies “involved in facilitating ransomware payments on behalf of victims,” such as “cyber insurance, digital forensics and incident response, and financial services” companies, including “depository institutions and money services businesses.” These companies may also have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations. FinCEN issued its own ransomware advisory contemporaneously with OFAC’s. The FinCEN advisory is the subject of a separate blog post.

While companies may apply to pay ransom to listed entities, the advisory warns that such applications “will be reviewed by OFAC on a case-by-case basis with a presumption of denial.” The advisory encourages companies “to contact OFAC immediately if they believe a request for ransomware payment may involve a sanctions nexus.”

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird
Alston & Bird
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Alston & Bird on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide