Last year, as employees clicked away at home amid the COVID-19 pandemic lockdown, ransomware attacks surged, with hospitals and other health care providers the top target. This year will be worse—2021 has already seen more suspected ransomware payments reported to the U.S. government by midyear than in all of 2020, and such payments are on pace to reach a higher dollar value than in the previous ten years combined. The threat is real and persistent across all industries. A July 2021 Microsoft report confirms that the health care industry is the top target for ransomware, followed by the entertainment, energy and financial sectors. But it is pervasive: In just one month earlier this year, ransomware debilitated a major U.S. pipeline, a food supplier and—adding insult to injury during a global pandemic—Ireland’s entire health system, forcing substantial cancelation of patient services. U.S. companies need to better plan for, prevent and protect against ransomware attacks. The Office of Foreign Assets Control’s (OFAC’s) September 2020 announcement on ransom payments was a wake-up call for some; its updated announcement on September 21, 2021, should be heeded as well. Is the cyber industry—now worth billions a year—making meaningful changes? Time will tell. But there are indications that slight shifts by major players (cyber insurance, the DOJ) may impact companies’ willingness to reduce their cyber risk.
For years, some companies have covered cyber threats not through investment in cybersecurity programs to mitigate the risk but instead by relying on cyber insurance to cover the risk. But cyber insurers appear to be responding to the increase in ransomware claims. For example, some cyber insurers require more information about companies’ cybersecurity programs during underwriting, down to details of specific controls that could prevent a successful attack, such as whether a company uses multifactor authentication. Policies, if issued, are likely to cost more and cover less. And reports of companies being denied coverage during underwriting are increasing.
In October, the DOJ announced a new civil cyber-fraud initiative targeting government contractors and federal grant recipients who knowingly fail to follow “cybersecurity obligations.” Using the False Claims Act, the DOJ intends to seek civil penalties against errant companies and take advantage of the act’s whistleblower protections. Of course, the success of the program remains to be seen, but time will tell whether this will impact companies’ behavior in addressing known or identifiable risks.
Around the same time, OFAC updated its September 2020 warnings. Then, OFAC reminded companies and insurers that ransomware attackers can be affiliated with sanctioned entities, such as criminal gangs or individuals sponsored by hostile nations, and that paying a ransom could—adding insult to injury—violate U.S. sanctions law. As we wrote last year, companies considering paying their ransomware attacker will need to analyze the attack, the situation and compliance with U.S. economic sanctions.
Meanwhile, developments in the cryptocurrency space and the rise of DeFi (decentralized finance) platforms and exchanges have made it more difficult to determine whether the ransom payment recipient is subject to U.S. sanctions. Most ransomware payments are made using bitcoin or another cryptocurrency to an anonymous wallet address. In theory, opening the wallet should require the account holder to have satisfied an exchange’s know-your-client obligations. If true, a company could take comfort in the fact that the wallet owner is unlikely to be on the U.S. sanctions list even if they possibly are affiliated with a sanctioned entity. But reality is not so simple: The U.S. Treasury recently added a cryptocurrency exchange to the sanctions list for facilitating financial transactions for ransomware attackers. So a company making a ransom payment cannot trust that know-your-client laws will protect it.
OFAC’s September 2020 advisory and the inability to trust that having a cryptocurrency wallet means the owner is on the up-and-up, in short, combine to create significant risk for a company that might need to pay the ransom to get its data or systems back.
Fast-forward a year, and OFAC has updated its advisory. The bottom line stays the same: The U.S. government opposes making ransomware payments, as they encourage further attacks and may violate U.S. sanctions law. OFAC’s updated advisory reiterates that making a payment to a person or entity on a sanctions list is prohibited and that OFAC will presumptively deny license applications seeking to make such payments.
Yet, OFAC’s updated advisory provides helpful context for U.S. companies caught between potentially violating U.S. sanctions law and losing critical data. Under OFAC’s Economic Sanctions Enforcement Guidelines (31 C.F.R. pt. 501, Appendix A), violators of U.S. sanctions can be punished in multiple ways, from private no-action letters to sizeable civil penalties and referrals for criminal prosecution. Criminal prosecution, of course, is a big deal—and is, again, insult added to injury for a ransomware victim that wants its data or systems back, maybe to provide health care to patients in a global pandemic.
The updated advisory can help companies navigate both an unavoidable need to pay the ransom and sanctions compliance, tempering U.S. sanction law’s strict decree. It offers three “significant” mitigating factors that increase the odds that if a ransomware payment violates U.S. sanctions law, OFAC’s response will be a private No Action Letter or Cautionary Letter:
First, a company needs a risk-based compliance program to mitigate exposure to sanctions-related violations. This is not new. It was in OFAC’s September 2020 advisory, and it has long been a factor listed in the Economic Sanctions Enforcement Guidelines. OFAC also published a Framework for OFAC Compliance Commitments.
Second, a company should have a mature cybersecurity program, reducing the risk of extortion by a sanctioned attacker. Every company should understand the cyber threat facing it and how to reduce the attack surface the company presents, but by elevating program maturity to the level of a “significant mitigating factor,” OFAC underscores how important cybersecurity program maturity is. On this, OFAC refers to the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Ransomware Guide from September 2020 as offering companies meaningful steps to be considered to mature the program and harden defenses, calling out five: “maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols.”
Third, a company should cooperate fully with law enforcement: “[F]ull and ongoing cooperation with law enforcement both during and after a ransomware attack—e.g., providing all relevant information such as technical details, ransom payment demand, and ransom payment instructions as soon as possible—[is] a significant mitigating factor.” The new guidance makes clear that informing law enforcement will be treated as voluntary self-disclosure to OFAC (a long-standing mitigating factor). Those are incentives for companies to work closely with law enforcement and maybe even to rely upon skilled law enforcement’s quietly worded recommendations on responding to a crippling attack.
OFAC also reiterated its position from its 2020 advisory: Entities facilitating ransomware payments on behalf of the victim, such as cyber insurers and incident-response vendors, risk liability if OFAC determines that a payment was made to or through someone on the sanctions list or otherwise in violation of U.S. sanctions law. This position creates significant risk to an industry devoted to aiding U.S. companies crippled by ransomware attacks if that aid facilitates payments that violate U.S. sanctions law. For the time being, all parties involved in facilitating ransomware payments are on notice that they are well advised to conduct a thorough risk assessment and ensure that robust and responsive cybersecurity measures are in place.
Ultimately, OFAC’s updated advisory and the continued surge in ransomware attacks, cyber insurers’ increasing demands for improved and hardened cyber defenses, the growth of DeFi platforms and exchanges, and the threat of federal civil or criminal action make a critical fact plain:
A company cannot harden its defenses in the future to prevent the ransomware attack that has already happened.
The best time to mature a company’s cybersecurity program is today.