The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments on the sanctions risks associated with facilitating ransomware payments.
The Updated Advisory explains that OFAC has designated malicious cyber actors under its cyber-related sanctions programs. Cyberattack victims, financial institutions, insurance firms and other companies assisting with ransomware payments are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions.
As a result, companies subject to U.S. jurisdiction and engaging in transactions involving ransomware payments should consider the risk that such activities may violate sanctions prohibitions and expose them to civil liability. Through the Updated Advisory, OFAC continues to demonstrate increased enforcement attention on digital currencies.
Additionally, on September 21, 2021, OFAC, with assistance from the FBI, designated SUEX OTC, S.R.O., (“SUEX”) as a malicious cyber actor, the first such sanctions designation against a virtual currency exchange. According to the Treasury Department’s press release, over 40% of SUEX’s known transactions are associated with illicit actors, and SUEX is being sanctioned for providing material support to the threat posed by criminal ransomware actors. Under OFAC’s sanctions, all of SUEX’s property and interests in property that are subject to U.S. jurisdiction are blocked, and U.S. persons generally are prohibited from engaging in transactions with SUEX. Further, entities that SUEX owns 50% or more of also are blocked. According to the Treasury Department, financial institutions and other persons that engage in certain transactions or activities with SUEX, as well as other sanctioned entities and individuals, may also expose themselves to sanctions or be subject to an enforcement action.
In the last year, OFAC has brought various enforcement actions against digital currency services providers, cautioning persons subject to U.S. jurisdiction of the sanctions risks associated with the provision of digital currency services. This emphasis on digital currencies continues in response to the increased demand for ransomware payments during the COVID-19 pandemic, with actions focused on disrupting virtual currency exchanges that facilitate financial transactions for ransomware actors.
In connection with the Updated Advisory, OFAC has added digital currency addresses to OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN List”) to notify companies of specific digital currency identifiers associated with blocked persons.
OFAC applies a strict liability standard when imposing civil penalties for sanctions violations. Thus, OFAC may hold a U.S. person civilly liable despite such person not knowing or having reason to know that a transaction involved an SDN, other blocked person or embargoed country. Companies assisting with ransomware payments are encouraged to develop and maintain tailored, risk-based sanctions compliance procedures and controls to mitigate the risk of violating U.S. sanctions regulations. In the event of an apparent violation of U.S. sanctions regulations, significant mitigating factors that OFAC considers to determine its enforcement response include: (1) the adequacy of a sanctions compliance program, (2) the steps taken to reduce the risk of extortion by a sanctioned actor, (3) self-initiated, timely and complete reporting of ransomware attacks, and (4) ongoing cooperation with law enforcement. With respect to cooperation with law enforcement, OFAC will consider whether the company provided all relevant information, including technical details, ransom payment demand, and ransom payment instructions, to the appropriate U.S. government agencies as soon as possible.
To mitigate sanctions risks, companies subject to U.S. jurisdiction that assist with ransomware payments should be aware of U.S. sanctions regulations that may expose them to civil liabilities.
Blog courtesy of Hunton Andrews Kurth, a U.S.-based law firm with a Global Privacy and Cybersecurity practice that’s known throughout the world for its deep experience, breadth of knowledge and outstanding client service. Read the company’s privacy blog here.