Updated advisory on potential sanctions risks for facilitating ransomware payments
September 2021
On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to update the sanctions risks associated with ransomware payments and the “mitigating factors” OFAC will consider. The 2021 advisory supersedes OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments of October 1, 2020.
While the latest advisory does not create any new requirements, it serves as an important reminder of the potential sanctions risks associated with making and facilitating ransomware payments. It also highlights the relevance of OFAC to the insurance industry in the context of cyber protection insurance products.
OFAC designations of malicious cyber actors
OFAC has identified several threat actors as specially designated nationals (SDNs) under its various sanction programs. In September 2021, OFAC added SUEX OTC, S.R.O. (“SUEX”)—notably, its first virtual currency exchange—to the SDN list. The exchange was added for its role in facilitating financial transactions for malicious actors, involving illegal proceeds from at least eight ransomware variants.
Ransomware payments with a Sanctions Nexus threaten U.S. national security interests
A major concern of the U.S. government is that ransomware payments could be used to fund illicit activities, particularly those that may threaten U.S. national security or foreign policy. The U.S. government strongly discourages the payment of cyber ransom or extortion demands. Disclosure 1 An examination of SUEX transactions revealed that over 40% involved illicit actors. Disclosure 2
Facilitating ransomware payments on behalf of a victim may violate OFAC regulations
OFAC may also impose civil penalties for sanctions violations, meaning that a person subject to U.S. jurisdiction may be held liable even if they did not know or have reason to know they were engaging in an illegal transaction.
The advisory also said that OFAC considers, as part of any enforcement response, that “meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices,” such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s September 2020 Ransomware Guide, as significant mitigating factors. Those actions could include offline backups of data, incident response plans, cybersecurity training, antivirus and anti-malware software updates, and authentication protocols, among others. For more details, see Cybersecurity and Infrastructure Security Agency Guidance, Ransomware Guide, September 2020.
Cooperation with OFAC and law enforcement
Additional mitigating factors include the nature and extent of a subject’s cooperation with OFAC, law enforcement, and other relevant agencies. While the resolution of each enforcement matter depends on its own facts and circumstances, OFAC will be more likely to resolve apparent violations with a non-public response if the affected party takes the appropriate mitigating steps.
Victims of ransomware attacks should contact relevant government agencies
In this advisory, OFAC strongly encourages all victims and those involved with addressing ransomware attacks to report the incident to the relevant government agencies. By doing so, victims can receive significant mitigation from OFAC when determining an appropriate enforcement response.
Insurance considerations
- To pay or not to pay? Legal or illegal? On the decision about whether or not to pay, McGriff strongly recommends policyholders confer with their Incident Response teams to ensure that a ransom payment is legally permissible, and that it is being made without the possibility of criminal or civil penalties.
- In a cyber extortion, is it illegal for an insurer to reimburse the insured? While insurance coverage may be available to reimburse an Insured for a ransom payment, insurance coverage is not protection from OFAC sanctions. Nonetheless, policyholders should note that in response to OFAC requirements and the advisory, insurers will continue to broaden OFAC and/or related exclusions in cyber insurance policies.
- Policyholder’s Incident Response Plan should continue to include steps regarding OFAC. When confronting threat actors, and before any ransom payment is considered or paid, the Incident Response team should consider the recommendations in the OFAC advisory and conduct due diligence accordingly.
- Notification and coordination with the insurance broker and carrier is key to a positive claims outcome. Understanding the terms and conditions of the cyber policy will help minimize coverage complications during the claims process, especially with respect to ransom payments and coverage eligibility. Please work closely with your McGriff team to guide and advise you through any ransomware incident.
Learn more
For questions about this advisory, please contact:
Natalia Santiago
SVP, Claims Manager
713.402.1410
nsantiago@mcgriff.com
Aarti Soni
SVP, Director of Cyber
Executive Risk Advisors
470.332.8367
aarti.soni@mcgriff.com
To learn more about McGriff Executive Risk Advisors, please contact:
David Sellars
Executive Vice President, Co-Division Leader
Executive Risk Advisors
404.497.7582
DSellars@mcgriff.com
Dusty Cahill
Executive Vice President, Co-Division Leader
Executive Risk Advisors
404.497.7537
DCahill@mcgriff.com
© 2021 McGriff Insurance Services, Inc. All rights reserved. McGriff Insurance Services, Inc. is a subsidiary of Truist Insurance Holdings, Inc. The information, analyses, opinions and/or recommendations contained herein relating to the impact or the potential impact of coronavirus/COVID-19 on insurance coverage or any insurance policy is not a legal opinion, warranty or guarantee, and should not be relied upon as such. This communication is intended for informational use only. Given the on-going and constantly changing situation with respect to the coronavirus/COVID-19 pandemic, this communication does not necessarily reflect the latest information regarding recently-enacted, pending or proposed legislation or guidance that could override, alter or otherwise affect existing insurance coverage.
This communication is intended for informational use only. As insurance agents or brokers, we do not have the authority to render legal advice or to make coverage decisions, and you should submit all claims to your insurance carrier for evaluation. At your discretion, please consult with an attorney at your own expense for specific advice in this regard.
This bulletin is provided for informational purposes only. McGriff is not providing legal advice and recommends you consult with your own counsel for legal guidance/opinion. The information, analyses, opinions and/or recommendations contained herein relating to the impact or the potential impact of coronavirus/COVID-19 on insurance coverage or any insurance policy is not a legal opinion, warranty or guarantee, and should not be relied upon as such. This communication is intended for informational use only. As insurance agents or brokers, we do not have the authority to render legal advice or to make coverage decisions, and you should submit all claims to your insurance carrier for evaluation. Given the on-going and constantly changing situation with respect to the coronavirus/COVID-19 pandemic, this communication does not necessarily reflect the latest information regarding recently-enacted, pending or proposed legislation or guidance that could override, alter or otherwise affect existing insurance coverage. At your discretion, please consult with an attorney at your own expense for specific advice in this regard.
-
1.
This advisory is limited to sanctions risks related to ransomware and is not intended to address issues related to information security practitioners’ cyber threat intelligence-gathering efforts more broadly. For guidance related to those activities, see guidance from the U.S. Department of Justice, Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources (February 2020), available at https://www.justice.gov/criminal-ccips/page/file/1252341/download.
-
2.
News Release, U.S. Dept. of the Treasury, Treasury Takes Robust Actions to Counter Ransomware (Sept. 21, 2021), https://home.treasury.gov/news/press-releases/jy0364
Insurance products and services offered through McGriff Insurance Services, LLC, a subsidiary of TIH Insurance Holdings, LLC, are not a deposit, not FDIC insured, not guaranteed by a bank, not insured by any federal government agency and may go down in value.
McGriff Insurance Services, LLC. CA License #0C64544