Tag Archives: Sarah Quirk Smith

OFAC’s Ransomware Advisory – Improved Cybersecurity Can Mitigate Sanctions Risk, and Other Takeaways (Part I of II)

by Luke Dembosky, Avi Gesser, Satish Kini, HJ Brehmer, and Sarah Q. Smith

This is Part I of a two-part post. For Part II, click here.

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated advisory (PDF: 252 KB) (the “Advisory”) on sanctions risks associated with payments to threat actors in connection with cyber ransoms. The Advisory reminds companies that all parties associated with the payment of a cyber ransom—including victims, financial institutions, insurance firms and other companies facilitating payment—are responsible for ensuring that they do not violate U.S. law and can be subject to an OFAC enforcement action if they do.

Continue reading

First Resolution by the DFS Under Its Cyber Rules Highlights the Risks of Inadequate Cyber Investigations and the Importance of Satisfying State Breach Notification Obligations

by Luke Dembosky, Avi Gesser, Jim Pastore, Chris Ford, Alexandra Mogul, and Sarah Smith

Last year, we discussed the first enforcement action brought by the New York State Department of Financial Services (“DFS”), which involved charges against First American Title Insurance Company. That hearing is scheduled for March 22.

On March 3, 2021, the DFS reached its first full resolution under its Part 500 Cybersecurity Regulation, a Consent Order with Residential Mortgage Services that imposes a $1.5 million penalty for several violations including:

  • Failure to investigate whether an attacker, who compromised a single email mailbox, accessed private data of individuals.
  • Failure to satisfy various state breach notification obligations.
  • Failure to notify the DFS of the incident.
  • Failure to conduct a cybersecurity risk assessment, as required by Part 500.

In addition to the $1.5 million fine, Residential Mortgage must undertake various risk mitigation measures to prevent future incidents.

Continue reading