Author Archives: William Walant

OFAC’s Ransomware Advisory – How Banks Can Reduce Their Sanctions Risk for Client Cyber Ransom Payments (Part II of II)

by Luke Dembosky, Avi Gesser, Satish Kini, HJ Brehmer, and Scott Caravello

This is Part II of a two-part post. For Part I, which provides a general overview of OFAC’s updated ransomware advisory and the ways that victim companies can reduce their sanctions risks, click here.

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) released an updated advisory (PDF: 252 KB) (the “Advisory”) on the sanctions risks associated with facilitating ransomware payments. The Advisory applies to victims of ransomware attacks, as well as companies that facilitate payments to threat actors, including financial institutions. In Part 1, we discussed the Advisory generally, and ways that victim companies can reduce their sanctions risks. In this Part 2, we discuss the measures that financial institutions can adopt to mitigate their ransomware sanctions risks, and why those compliance controls differ from the steps being taken by victims.


OFAC’s Ransomware Advisory – Improved Cybersecurity Can Mitigate Sanctions Risk, and Other Takeaways (Part I of II)

by Luke Dembosky, Avi Gesser, Satish Kini, HJ Brehmer, and Sarah Q. Smith

This is Part I of a two-part post. For Part II, click here.

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated advisory (PDF: 252 KB) (the “Advisory”) on sanctions risks associated with payments to threat actors in connection with cyber ransoms. The Advisory reminds companies that all parties associated with the payment of a cyber ransom—including victims, financial institutions, insurance firms and other companies facilitating payment—are responsible for ensuring that they do not violate U.S. law and can be subject to an OFAC enforcement action if they do.


Recent SEC Enforcement Action Against App Annie Signals Continuing Focus on Data-related Disclosure and Policy Violations

by Avi Gesser, Charu Chandrasekhar, Eric Silverberg, Mengyi Xu, and Adrian Gonzalez

As part of our ongoing series on enforcement actions by the Securities and Exchange Commission (“SEC”) in data- and cybersecurity-related matters (here, here, and here), we have been closely tracking regulatory developments and gathering insights on enforcement trends. Last week, the SEC announced that App Annie and its former CEO and Chairman, Bertrand Schmitt (“App Annie”), had agreed to a $10.3 million payment to settle charges for engaging in fraudulent practices and making material misrepresentations about its data use from 2014 to 2018 (the “Relevant Period”) in violation of Section 10(b) of the Securities Exchange Act of 1934 (“Exchange Act”) and Rule 10b-5 thereunder (“SEC Order”). Although not explicitly articulated in the SEC Order, the SEC’s basis for jurisdiction was ostensibly the fact that the app aggregated public company data. This is the SEC’s first enforcement action against an alternative data provider. As was the case in the BlueCrest settlement late last year, the App Annie enforcement action underscores the importance of making accurate disclosures regarding data collection and use, and the regulatory risk for companies that do not follow their data policies and procedures.
