Client Advisory: Sanctions Risk in Ransomware

Updated advisory on potential sanctions risks for facilitating ransomware payments

September 2021

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to update the sanctions risks associated with ransomware payments and the “mitigating factors” OFAC will consider. The 2021 advisory supersedes OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments of October 1, 2020. 

While the latest advisory does not create any new requirements, it serves as an important reminder of the potential sanctions risks associated with making and facilitating ransomware payments. It also highlights the relevance of OFAC to the insurance industry in the context of cyber protection insurance products.

OFAC designations of malicious cyber actors

OFAC has identified several threat actors as specially designated nationals (SDNs) under its various sanction programs. In September 2021, OFAC added SUEX OTC, S.R.O. (“SUEX”)—notably, its first virtual currency exchange—to the SDN list. The exchange was added for its role in facilitating financial transactions for malicious actors, involving illegal proceeds from at least eight ransomware variants.

Ransomware payments with a sanctions nexus threaten U.S. national security interests

A major concern of the U.S. government is that ransomware payments could be used to fund illicit activities, particularly those that may threaten U.S. national security or foreign policy. The U.S. government strongly discourages the payment of cyber ransom or extortion demands. An examination of SUEX transactions revealed that over 40% involved illicit actors.

Facilitating ransomware payments on behalf of a victim may violate OFAC regulations

OFAC may impose civil penalties for sanctions violations on a strict-liability basis, meaning that a person subject to U.S. jurisdiction may be held liable even if they did not know or have reason to know that they were engaging in a prohibited transaction.

The advisory also states that, as part of any enforcement response, OFAC will consider “meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices,” such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s September 2020 Ransomware Guide, as significant mitigating factors. Those steps could include maintaining offline backups of data, developing incident response plans, conducting cybersecurity training, keeping antivirus and anti-malware software updated, and employing authentication protocols, among others. For more details, see Cybersecurity and Infrastructure Security Agency Guidance, Ransomware Guide, September 2020.

Cooperation with OFAC and law enforcement

Additional mitigating factors include the nature and extent of a subject’s cooperation with OFAC, law enforcement, and other relevant agencies. While the resolution of each enforcement matter depends on its own facts and circumstances, OFAC will be more likely to resolve apparent violations with a non-public response if the affected party takes the appropriate mitigating steps.

Victims of ransomware attacks should contact relevant government agencies

In this advisory, OFAC strongly encourages all victims and those involved with addressing ransomware attacks to report the incident to the relevant government agencies. By doing so, victims can receive significant mitigation from OFAC when determining an appropriate enforcement response.

Insurance considerations

  • To pay or not to pay? Legal or illegal? On the decision about whether or not to pay, McGriff strongly recommends policyholders confer with their Incident Response teams to ensure that a ransom payment is legally permissible, and that it is being made without the possibility of criminal or civil penalties.
  • In a cyber extortion, is it illegal for an insurer to reimburse the insured? While insurance coverage may be available to reimburse an insured for a ransom payment, insurance coverage is not protection from OFAC sanctions. Policyholders should also note that, in response to OFAC requirements and the advisory, insurers will continue to broaden OFAC and related exclusions in cyber insurance policies.
  • Policyholders’ incident response plans should continue to include steps regarding OFAC. When confronting threat actors, and before any ransom payment is considered or paid, the incident response team should consider the recommendations in the OFAC advisory and conduct due diligence accordingly.
  • Notification and coordination with the insurance broker and carrier are key to a positive claims outcome. Understanding the terms and conditions of the cyber policy will help minimize coverage complications during the claims process, especially with respect to ransom payments and coverage eligibility. Please work closely with your McGriff team to guide and advise you through any ransomware incident.

Learn more

For questions about this advisory, please contact:

Natalia Santiago
SVP, Claims Manager
713.402.1410
nsantiago@mcgriff.com

Aarti Soni
SVP, Director of Cyber
Executive Risk Advisors
470.332.8367
aarti.soni@mcgriff.com

To learn more about McGriff Executive Risk Advisors, please contact:

David Sellars
Executive Vice President, Co-Division Leader
Executive Risk Advisors
404.497.7582
DSellars@mcgriff.com

Dusty Cahill
Executive Vice President, Co-Division Leader
Executive Risk Advisors
404.497.7537
DCahill@mcgriff.com