OFAC Discourages Payment of Ransom, Suggests Reporting and Steps to Improve Cybersecurity Practices
A copy of the updated OFAC Advisory showing all of the substantive changes from the October 2020 version can be found here. The updated Advisory does not offer anything new on how to identify when a sanctioned person is involved in a ransomware event. Instead, it generally stakes out a stronger position against paying any ransoms while at the same time encouraging compliance, protective measures, and early and full communication with authorities by offering significant enforcement leniency if those steps are taken. The changes to the original Advisory add the following:
- An explanation that OFAC will now consider steps companies take to protect themselves from ransomware attacks to be mitigating factors, and actual suggestions of what some of those may be (namely maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, employing authentication protocols, and other practices listed in the Cybersecurity and Infrastructure Security Agency’s September 2020 Ransomware Guide);
- A clarification that self-initiated and complete reporting of a ransomware event as soon as possible after the discovery of an attack to any of the many relevant USG agencies (which are listed) will be considered a voluntary disclosure and a significant mitigating factor if any OFAC enforcement investigation results. Furthermore, complete and continuing cooperation with those agencies also will be considered a significant mitigating factor. Interestingly, OFAC twice removed the word “timely” from the original Advisory when discussing voluntary disclosures and cooperation with authorities. Although this may suggest some understanding on OFAC’s part that companies hit by ransomware attacks may be hobbled in ways that could frustrate immediate reporting, we think it is always best for a company to reach out to the authorities as soon as is possible;
- A statement that immediate reporting and cooperation will be more likely to result in a No-Action Letter or a Cautionary Letter (these are non-public and non-penalty responses); and
- A strong statement urging companies not to pay cyber ransoms at all, whether or not a blocked person may be involved.
OFAC also concurrently designated SUEX OTC S.R.O. (a.k.a. “Successful Exchange”) under the Cyber sanctions. OFAC alleges that SUEX is a virtual currency exchange heavily involved in ransomware and other illicit activities, and the designation includes identifying information consisting of several dozen Digital Currency Addresses. OFAC indicated that over 40% of SUEX’s known transaction history was associated with illicit actors. SUEX OTC is the first virtual currency exchange blocked by OFAC.
OFAC is trying to take significant steps to ferret out and stop ransomware actors and facilitators while at the same time creating a policy of enforcement leniency for those companies that bring information about ransomware attacks to the authorities as soon as possible. This is a laudable goal, and one can only hope OFAC has success. At the same time, it would be good to see OFAC provide some guidance on how to determine whether a sanctions target is involved in a ransomware attack. It also would help if OFAC could do more to address the plight of those facing the follow-on effects of ransomware attacks that may involve blocked actors – the insurers and reinsurers stuck with claims they do not know whether they may lawfully pay. It is an undeniably difficult issue, but one that needs a resolution from OFAC.