Client Advisory: Sanctions Risk in Ransomware

September 2021

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to update the sanctions risks associated with ransomware payments and the “mitigating factors” OFAC will consider. The 2021 advisory supersedes OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments of October 1, 2020. 

While the latest advisory does not create any new requirements, it serves as an important reminder of the potential sanctions risks associated with making and facilitating ransomware payments. It also highlights the relevance of OFAC to the insurance industry in the context of cyber protection insurance products.

OFAC has identified several threat actors as specially designated nationals (SDNs) under its various sanction programs. In September 2021, OFAC added SUEX OTC, S.R.O. (“SUEX”)—notably, its first virtual currency exchange—to the SDN list. The exchange was added for its role in facilitating financial transactions for malicious actors, involving illegal proceeds from at least eight ransomware variants.

A major concern of the U.S. government is that ransomware payments could be used to fund illicit activities, particularly those that may threaten U.S. national security or foreign policy. The U.S. government strongly discourages the payment of cyber ransom or extortion demands. Disclosure 1 1 This advisory is limited to sanctions risks related to ransomware and is not intended to address issues related to information security practitioners’ cyber threat intelligence-gathering efforts more broadly. For guidance related to those activities, see guidance from the U.S. Department of Justice, Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources (February 2020), available at https://www.justice.gov/criminal-ccips/page/file/1252341/download.  An examination of SUEX transactions revealed that over 40% involved illicit actors. Disclosure 2 2 News Release, U.S. Dept. of the Treasury, Treasury Takes Robust Actions to Counter Ransomware (Sept. 21, 2021), https://home.treasury.gov/news/press-releases/jy0364

OFAC may also impose civil penalties for sanctions violations, meaning that a person subject to U.S. jurisdiction may be held liable even if they did not know or have reason to know they were engaging in an illegal transaction.

The advisory also said that OFAC considers, as part of any enforcement response, that “meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices,” such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s September 2020 Ransomware Guide, as significant mitigating factors. Those actions could include offline backups of data, incident response plans, cybersecurity training, antivirus and anti-malware software updates, and authentication protocols, among others. For more details, see Cybersecurity and Infrastructure Security Agency Guidance, Ransomware Guide, September 2020.

Additional mitigating factors include the nature and extent of a subject’s cooperation with OFAC, law enforcement, and other relevant agencies. While the resolution of each enforcement matter depends on its own facts and circumstances, OFAC will be more likely to resolve apparent violations with a non-public response if the affected party takes the appropriate mitigating steps.

In this advisory, OFAC strongly encourages all victims and those involved with addressing ransomware attacks to report the incident to the relevant government agencies. By doing so, victims can receive significant mitigation from OFAC when determining an appropriate enforcement response.

• To pay or not to pay? Legal or illegal? On the decision about whether or not to pay, McGriff strongly recommends policyholders confer with their Incident Response teams to ensure that a ransom payment is legally permissible, and that it is being made without the possibility of criminal or civil penalties.
• In a cyber extortion, is it illegal for an insurer to reimburse the insured? While insurance coverage may be available to reimburse an Insured for a ransom payment, insurance coverage is not protection from OFAC sanctions. Nonetheless, policyholders should note that in response to OFAC requirements and the advisory, insurers will continue to broaden OFAC and/or related exclusions in cyber insurance policies. 
• Policyholder’s Incident Response Plan should continue to include steps regarding OFAC. When confronting threat actors, and before any ransom payment is considered or paid, the Incident Response team should consider the recommendations in the OFAC advisory and conduct due diligence accordingly.
• Notification and coordination with the insurance broker and carrier is key to a positive claims outcome. Understanding the terms and conditions of the cyber policy will help minimize coverage complications during the claims process, especially with respect to ransom payments and coverage eligibility. Please work closely with your McGriff team to guide and advise you through any ransomware incident.

For questions about this advisory, please contact:

Natalia Santiago
SVP, Claims Manager
713.402.1410
nsantiago@mcgriff.com

Aarti Soni
SVP, Director of Cyber
Executive Risk Advisors
470.332.8367
aarti.soni@mcgriff.com

To learn more about McGriff Executive Risk Advisors, please contact:

David Sellars
Executive Vice President, Co-Division Leader
Executive Risk Advisors
404.497.7582
DSellars@mcgriff.com

Dusty Cahill
Executive Vice President, Co-Division Leader
Executive Risk Advisors
404.497.7537
DCahill@mcgriff.com