09 October 2020
In response to the significant rise in ransomware attacks since the start of the COVID-19 pandemic and just in time for Cybersecurity Awareness Month, the Department of the Treasury's Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) issued advisories on October 1, 2020 on the potential legal risks to making or facilitating ransomware payments.
The OFAC advisory indicates that ransomware payments with a sanctions nexus threaten U.S. national security interests and includes a reminder that OFAC sanctions apply to such transactions as well as guidance for organizations to mitigate potential sanctions-related exposure. In its advisory, FinCEN warns financial institutions of the predominant trends and potential indicators of ransomware and provides guidance on reporting and information sharing related to ransomware incidents. Together, the advisories suggest that additional scrutiny will be applied to organizations that facilitate ransomware payments, such as financial institutions, providers of cybersecurity insurance, and digital forensics and incident response vendors.
In light of this guidance, financial institutions and other organizations should review their existing cybersecurity incident response plans and sanctions compliance procedures to contemplate a rigorous process for vetting ransomware threat actors for a possible sanctions nexus and include protocols for engaging law enforcement and other government entities when appropriate. And facilitators should examine whether their activities in connection with ransom payments might qualify them as "money transmitters" – a species of financial institution under the Bank Secrecy Act (BSA) – which would impose a series of registration, anti-money laundering program, reporting, and recordkeeping requirements.
As noted in both advisories, there has been an enormous uptick in the number, size, and sophistication of ransomware attacks since 2018, with a 147% increase in associated losses from 2018 to 2019. And those who work in this field know that the trends emerging in 2020 are even more disturbing.
While ransom payments are not expressly prohibited under U.S. federal law (when there is no nexus to OFAC sanctioned parties or territories), the ransom legal landscape is complicated and uncertain. Law enforcement agencies – with some notable exceptions – have largely discouraged organizations from making such payments, as they enable cyber criminals "to profit and advance their illicit aims." Nonetheless, many organizations ultimately decide to pay ransoms because, they determine, doing so is the right business decision. And while insurers are increasingly scrutinizing the reimbursement of such payments, historically many have supported the decision to pay a ransom because it is often cheaper than reimbursing the victim company for the lengthy process of restoring its systems on its own (i.e. without the benefit of the threat actor's decryption key).
Moreover, the need to consider potential sanctions liability is nothing new – for some time informed organizations have been conducting thoughtful due diligence on a threat actor prior to paying a ransom. Sanctions are enforced under a strict liability regime, meaning that an individual or victim organization can be held civilly liable for sanctions violations even if they did not know, nor could have reasonably known, that the threat actor recipient of the payment was an organization or individual that is sanctioned, or is from a jurisdiction subject to comprehensive sanctions. Nonetheless, to date, there has been limited enforcement in the context of ransomware incidents; the trend is that U.S. prosecutors and law enforcement rightly treat victim organizations as victims.
The Treasury Department's new advisories add several new twists to the traditional "pay versus don't pay" analysis for victims of ransomware attacks. In its advisory, OFAC warns both victim organizations and organizations that facilitate ransom payments of enforcement if the ransom payee turns out to be sanctioned (such as those identified on OFAC's Specially Designated Nationals and Blocked Persons List (SDNs)) as well as those ordinarily resident in a comprehensively sanctioned territory, which at present includes Cuba, Iran, North Korea, Syria, and the Crimea region. OFAC has imposed sanctions against a number of cyber criminals and organizations over the past several years. Transacting with those subject to sanctions (including not just those on the SDN list but also non-listed entities that are owned at 50% or greater level, directly or indirectly, by one or more SDNs), the advisory reminds U.S. organizations, is a crime.
Importantly, however, the advisory notes that there are certain "mitigating factors" that may inform "an appropriate enforcement outcome" if a victim company's payment of a ransom is later determined to have a sanctions nexus (even though it was not apparent at the time of such payment). Specifically, the advisory suggests that pursuant to the OFAC Enforcement Guidelines, enforcement may be less likely against organizations that:
In addition, the advisory encourages financial institutions and other organizations that facilitate ransom payments (e.g., insurance providers and digital forensics and incident response vendors) to "implement a risk-based compliance program" that specifically addresses "the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction." The Enforcement Guidelines also indicate that "the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider when determining an appropriate enforcement response." Notably, the advisory provides that license applications from OFAC authorizing ransomware payments will be determined on a "case-by-case basis with a presumption of denial," given that such payments undermine the foreign policy/national security objectives of the sanctions regime. As such, pursuing a specific license from OFAC does not appear to be a viable option for ransomware attacks involving sanctioned threat actors.
That said, the advisory also encourages victim organizations to immediately contact OFAC directly if there are reasons to suspect a ransom payment may have a sanctions nexus.
The advisory issued by FinCEN addresses the key role that financial intermediaries play in ransomware incidents. Acknowledging the inherent challenge of attribution in cyber space, and highlighting the increasing sophistication of ransomware operations, FinCEN's advisory provides helpful information on recent trends and typologies of ransomware attacks and a list of ten "financial red flag indicators" to help financial institutions detect, prevent, and report suspicious transactions associated with these incidents. FinCEN describes how ransomware schemes typically demand payment in convertible virtual currency (often acquired from a virtual currency exchange); when payment is sent to the perpetrator's virtual currency address, the funds are usually laundered through various means, including the use of mixers and tumblers, structuring transactions through multiple accounts, and moving funds to other exchanges or jurisdictions with less robust anti-money laundering controls. The advisory notes that while no single indicator is determinative of ransomware activity, "financial institutions should consider the relevant facts and circumstances of each transaction, in keeping with their risk-based approach to compliance."
Of course, many victims of cybersecurity incidents (including malware) are not themselves virtual currency companies, nor do they possess the specific infrastructure to pay a ransom in response to an attack. FinCEN's advisory notes the proliferation of financial intermediaries that may be involved in ransom payments, such as cyber-insurance companies, digital forensic and incident response companies, as well as money services businesses that offer convertible virtual currencies. Depending upon their role in the payments, FinCEN's advisory stresses that in some circumstances their activities "could constitute money transmission" – a broad term in the Bank Secrecy Act's implementing regulations.
If such companies are, in fact, money transmitters under this expansive definition, they would become subject to the BSA rules, requiring them to register with FinCEN as a Money Services Business (MSB) and perform other obligations, including filing suspicious activity reports (SARs) with FinCEN regarding any suspicious transactions, attempted transactions, and patterns of transactions. This is a critical development, as many of these entities do not currently consider themselves subject to this regulatory regime, and may not have registered with FinCEN, developed an anti-money laundering compliance program, or filed required SARs. Notably, failure to comply with these provisions carries both civil and criminal penalties. Various states also have parallel regulatory and enforcement regimes.
The Treasury Department's advisories add complexity to the existing process for evaluating whether to pay a ransom and suggest enhanced enforcement of potential sanctions and anti-money laundering compliance violations, particularly against financial institutions and other organizations that facilitate ransom payments. In light of this guidance – and well in advance of any possible cybersecurity incident – organizations may want to consider a number of initiatives, including:
For further information on this topic please contact Peter M Marta, Gregory Lisa or Scott T Loughlin at Hogan Lovells by telephone (+1 202 637 5600) or email (firstname.lastname@example.org, email@example.com or firstname.lastname@example.org). The Hogan Lovells website can be accessed at www.hoganlovells.com.
This article has been reproduced in its original format from Lexology – www.Lexology.com.