Client Advisory: Sanctions Risk in Ransomware
September 2021
On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to update the sanctions risks associated with ransomware payments and the “mitigating factors” OFAC will consider. The 2021 advisory supersedes OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments of October 1, 2020.
While the latest advisory does not create any new requirements, it serves as an important reminder of the potential sanctions risks associated with making and facilitating ransomware payments. It also highlights the relevance of OFAC to the insurance industry in the context of cyber protection insurance products.
OFAC has identified several threat actors as specially designated nationals (SDNs) under its various sanction programs. In September 2021, OFAC added SUEX OTC, S.R.O. (“SUEX”)—notably, its first virtual currency exchange—to the SDN list. The exchange was added for its role in facilitating financial transactions for malicious actors, involving illegal proceeds from at least eight ransomware variants.
A major concern of the U.S. government is that ransomware payments could be used to fund illicit activities, particularly those that may threaten U.S. national security or foreign policy. The U.S. government strongly discourages the payment of cyber ransom or extortion demands. An examination of SUEX transactions revealed that over 40% involved illicit actors.
OFAC may also impose civil penalties for sanctions violations, meaning that a person subject to U.S. jurisdiction may be held liable even if they did not know or have reason to know they were engaging in an illegal transaction.
The advisory also said that, as part of any enforcement response, OFAC considers “meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices,” such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s September 2020 Ransomware Guide, to be significant mitigating factors. Those actions could include offline backups of data, incident response plans, cybersecurity training, antivirus and anti-malware software updates, and authentication protocols, among others. For more details, see Cybersecurity and Infrastructure Security Agency Guidance, Ransomware Guide, September 2020.
Additional mitigating factors include the nature and extent of a subject’s cooperation with OFAC, law enforcement, and other relevant agencies. While the resolution of each enforcement matter depends on its own facts and circumstances, OFAC will be more likely to resolve apparent violations with a non-public response if the affected party takes the appropriate mitigating steps.
In this advisory, OFAC strongly encourages all victims and those involved with addressing ransomware attacks to report the incident to the relevant government agencies. By doing so, victims can receive significant mitigation when OFAC determines an appropriate enforcement response.
For questions about this advisory, please contact:
Natalia Santiago
SVP, Claims Manager
713.402.1410
nsantiago@mcgriff.com
Aarti Soni
SVP, Director of Cyber
Executive Risk Advisors
470.332.8367
aarti.soni@mcgriff.com
To learn more about McGriff Executive Risk Advisors, please contact:
David Sellars
Executive Vice President, Co-Division Leader
Executive Risk Advisors
404.497.7582
DSellars@mcgriff.com
Dusty Cahill
Executive Vice President, Co-Division Leader
Executive Risk Advisors
404.497.7537
DCahill@mcgriff.com