by John Barker, Ronald Lee, Soo-Mi Rhee, Tal Machnes, and Christine Choi
This is part I of a two-part post. For Part II, click here.
In the last few months, the Office of Foreign Assets Control (OFAC) of the US Department of Treasury (Treasury) has issued two advisories that highlight the heightened US sanctions risk associated with cyber-related activities, including ransomware attacks and the virtual currency platforms that ransomware payers often use to facilitate payments.
As the scale of cyber-related—and, specifically, ransomware—attacks has steadily increased over the past several years, they are now at an all-time high, prompting the Biden Administration to make cybersecurity an increasing focus. According to Treasury, ransomware payments in the first half of 2021 totaled $590 million, exceeding the reported value of $416 million for the entirety of 2020. To this point, Treasury, in releasing its 2021 Sanctions Review, observed that “while sanctions remain an essential and effective policy tool, they also face new challenges” that include “rising risks from new payments systems, the growing use of digital assets, and cybercriminals.”[1]
As virtual currency is often the principal means of facilitating these payments, and many virtual currency platforms allow users to operate anonymously, it may be difficult for victims of a cyber attack to even determine whether or not a sanctioned person or jurisdiction may be involved. Moreover, even where it is possible to determine that a sanctioned person or entity is involved in a cyber attack, a US business that has been crippled by a ransomware attack may conclude that it has no other choice but to engage with that sanctioned party.
In short, cyber-related attacks pose an increasing source of risk—for victims themselves, for virtual currency exchanges, and even for third parties, such as insurers, attorneys, and finance personnel—for violating US sanctions laws.
Treasury’s guidance attempts to put these actors on notice of such risks. It also provides specific guidelines aimed at mitigating or avoiding the risk of implicating US sanctions laws as an initial matter, as well as guidelines aimed at mitigating the risk—in the event that US sanctions laws are implicated—that OFAC will pursue a formal enforcement action. As Deputy Treasury Secretary Wally Adeyemo noted, “Treasury is helping to stop ransomware attacks by making it difficult for criminals to profit from their crimes, but we need partners in the private sector to help prevent this illicit activity.” These critical “partners in the private sector” include virtual currency platforms, which are not only being used to facilitate transactions by sanctioned parties, but are also vulnerable as direct targets of cyber-attacks themselves (i.e., where a sanctioned party may seek to take control of a virtual currency exchange mechanism as the target of a ransomware attack). In other words, as “sanctioned persons and countries become more desperate for access to the US financial system, it is vital that the virtual currency industry prioritize cybersecurity and implement effective sanctions compliance controls to mitigate the risk of sanctioned persons and other actors exploiting virtual currencies to undermine US foreign policy interests and national security.”[2]
Indeed, concurrent with the first of the two advisories discussed below, OFAC announced its first designation of a virtual currency platform pursuant to its cyber-related sanctions program, citing the platform’s facilitation of transactions involving at least eight different ransomware variants. This action likely signals increased enforcement by OFAC in this area going forward, particularly against complicit actors within the virtual currency industry.
OFAC’s September 21, 2021 Updated Ransomware Advisory
Identifying Ransomware Attacks
Ransomware attacks, as explained by OFAC’s September 21, 2021 Updated Advisory,[3] occur when a cyber-attacker encrypts the data or programs of a victim, rendering them inaccessible. In exchange for a digital “key” that decrypts these data or programs, cyber-attackers demand that victims provide a ransom payment, often in the form of virtual currency.
Individuals and entities in all business sectors are vulnerable to such attacks. Potential victims include school districts, hospitals, smaller businesses, and local government agencies, as well as operators of critical infrastructure facilities. Entities that have not yet implemented “resilience” measures, aimed at preventing a cyberattack as an initial matter, remain particularly vulnerable.
OFAC’s Updated Advisory clearly identifies the US national security risk implicated by ransomware attacks: payments to stop such an attack ultimately provide financial support to illicit activity. To the extent such payments implicate US sanctions laws, any persons or entities who made or facilitated the payment could be subject to civil penalties on a strict liability basis—that is, even without knowledge that such transactions involve sanctioned entities or jurisdictions—or criminal penalties to the extent the payment was made knowing it would violate US law. That said, OFAC’s recent guidance acknowledges that victims of cyberattacks may be left with no good options: decline to succumb to the attacker’s demands, thus avoiding any US legal violations but perhaps crippling one’s business; or meet the attacker’s demands, thus regaining control of one’s business but perhaps violating US law. OFAC’s guidance not only sets out best practices in this environment, but also reassures companies that—as long as they have implemented risk-based compliance programs and cooperate with law enforcement in the face of a cyberattack—OFAC will likely resolve any related sanctions issues with a (non-public) no-action or cautionary letter, rather than a public enforcement action and penalty.
OFAC Mitigating Factors to Avoid Enforcement Actions
Similar to the October 2020 advisory that it replaced,[4] OFAC’s Updated Advisory stresses that persons and entities—including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response—that facilitate ransomware payments implicating US sanctions laws may be subject to OFAC enforcement actions. That said, the Updated Advisory provides greater detail on mitigating factors that the agency will consider in such a scenario. Specifically, OFAC identifies the following as mitigating factors, where a company has implicated US sanctions laws in connection with a cyberattack:
- Compliance programs. The company has implemented a risk-based compliance program to mitigate exposure to sanctions related violations.[5] Importantly, this factor extends not only to the victims of ransomware attacks, but also third parties that might be engaged by the victim itself (such as insurers, financial services companies, etc.). In all cases, these companies should develop and implement compliance programs that account for the risk that a cyber-attack may involve a person or entity on OFAC’s list of Specially Designated Nationals (SDN List) or from a sanctioned country or region. Compliance policies should also address situations that may implicate anti-money laundering obligations under the Financial Crimes Enforcement Network’s regulations.
- “Defensive/Resilience Measures.” The company has undertaken “meaningful steps to reduce the risk of extortion” by a sanctioned actor, including various measures that will make the company less vulnerable to a cyber-attack as an initial matter.[6] OFAC provides the following examples of baseline resilience measures: (1) maintaining offline backups of data; (2) developing incident response plans; (3) instituting cybersecurity training; (4) regularly updating antivirus and anti-malware software; and (5) employing authentication protocols.
- The company “report[s] the ransomware attack to law enforcement as soon as possible and provides ongoing cooperation.”[7] OFAC emphasizes that in the case of ransomware payments with a potential sanctions nexus, OFAC will consider a company’s self-initiated and complete report of a ransomware attack to law enforcement or agencies like the Cybersecurity & Infrastructure Security Agency “to be a voluntary self-disclosure and significant mitigating factor in determining an appropriate enforcement response.”[8]
By outlining such mitigating factors and the possibility of such a response, the US government is attempting to incentivize businesses to adopt stronger cybersecurity, compliance, and cooperation programs. Critically, if they do, OFAC advises: “While the resolution of each potential enforcement matter depends on the specific facts and circumstances, OFAC would be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or a Cautionary Letter) when the affected party took the mitigating steps described above, particularly reporting the ransomware attack to law enforcement as soon as possible and providing ongoing cooperation.”[9]
Footnotes
[1] Dep’t of Treasury, U.S. Department of the Treasury Releases Sanctions Review (Oct. 18, 2021); see also Dep’t of Treasury, The Treasury 2021 Sanctions Review (Oct. 2021) at 2 (“We are mindful of the risk that, if left unchecked, . . . digital assets and payments systems could harm the efficacy of our sanctions.”).
[2] OFAC, Sanctions Compliance Guidance for the Virtual Currency Industry (Oct. 2021).
[3] Dep’t of Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Sept. 21, 2021).
[4] Dep’t of Treasury, Advisory on Potential Sanctions Risk for Facilitating Ransomware Payments (Oct. 1, 2020).
[5] OFAC’s September 21, 2021 Updated Advisory, at 4-5.
[6] Id.
[7] Id. at 5.
[8] Id.
[9] Id.
John Barker, Ronald Lee, and Soo-Mi Rhee are partners, Tal Machnes is a senior associate, and Christine Choi is an associate, at Arnold & Porter. Law clerk Maya Kouassi also contributed to this post. She is not admitted to the practice of law.
Disclaimer
The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.