On September 21, 2021, the Office of Foreign Assets Control (“OFAC”) of the Treasury Department issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (“Updated Advisory”), which warns of the sanctions risks of making or facilitating ransomware payments and provides expanded guidance on steps that companies may take to mitigate ransomware risk. The Updated Advisory supersedes OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (“Advisory”) of October 1, 2020. OFAC simultaneously announced that it was imposing sanctions on Suex OTC, S.R.O. (“SUEX”), a Russia-based cryptocurrency exchange registered in the Czech Republic, for its role in facilitating payments connected with ransomware extortion.
- Although SUEX was a particularly egregious case (OFAC stated that 40% of known transactions on the exchange were associated with illicit actors), its designation as an SDN underscores the need for cryptocurrency companies to adopt and implement an effective sanctions and anti-money laundering compliance program.
- OFAC’s Updated Advisory comes less than one year after its initial advisory on the US sanctions risks of ransomware payments. The Updated Advisory makes several notable additions to the previous guidance, including, but not limited to, (i) an emphasis on the possibility of a broader range of OFAC responses to apparent violations beyond civil penalties, including “non-public responses,” the availability of which is dependent upon company policies, self-disclosure, and cooperation with law enforcement; (ii) new guidance on the kind of cybersecurity defensive measures that should form part of a risk-based sanctions compliance policy; and (iii) new details regarding OFAC’s expectations of companies to self-disclose ransomware attacks and cooperate with law enforcement in exchange for credit from OFAC in assessing potential enforcement measures. Notably, however, while the timeliness of disclosure and scope of cooperation expected of companies appears to have been broadened in the Updated Advisory, cooperation is not a safe harbor, and companies still face significant potential US sanctions risk when making ransomware payments.
The SUEX Designation
OFAC designated SUEX as a Specially Designated National (“SDN”) under Executive Order 13694 for providing material support to the threat posed by criminal ransomware actors. As a result of SUEX’s designation, US persons are prohibited from engaging in or facilitating business dealings involving SUEX, and all interests of SUEX in assets in the United States or under the control of US persons are blocked.
In a previous post, we discussed increasing regulatory scrutiny of cryptocurrency that started under the Trump Administration and has continued under the Biden Administration. The SUEX designation follows a number of OFAC designations of ransomware groups themselves; these designations mean that ransomware payments may violate US sanctions laws if the recipients of the payments are sanctioned by the US.
The Treasury Department’s press release identified cryptocurrency as the “principal means of facilitating ransomware payments and associated money laundering activities,” and both the Updated Advisory and the SUEX designation signal a desire by US regulators to disable and disrupt the cryptocurrency payment channels that ransomware schemes use to extract payments from the wide range of businesses and other organizations targeted by cybercriminals. The Updated Advisory reflects a regulatory strategy of strongly discouraging ransomware payments, and it suggests that companies which do not maintain adequate sanctions compliance policies and cybersecurity protocols will face increased risk of significant liability under US sanctions if they make ransomware payments that are later determined to involve a person or entity sanctioned by the US.
Updated Ransomware Guidance
In conjunction with the sanctions imposed on SUEX, the Treasury Department also announced significant changes to its October 2020 Advisory. The following are some of the key points addressed in the Updated Advisory. Where appropriate, we have noted additions and changes in the Updated Advisory as compared to OFAC’s October 2020 guidance.
- Consistent discussion of “causing” violations and exposure of non-US persons. OFAC’s guidance on the risk of “causing” violations of US sanctions has not changed. OFAC notes that US persons are prohibited from engaging in transactions with SDNs or in comprehensively sanctioned jurisdictions, but that, under the International Emergency Economic Powers Act (“IEEPA”), non-US persons also face sanctions risk if they engage in a transaction that “causes” a US person to violate US sanctions. “Causing” violations may, for example, occur where a non-US person uses US dollars for a payment to a blocked person or jurisdiction and the transaction clears through a correspondent account at a US bank. Given that some of the largest cryptocurrency exchanges are centered in the United States, parties should be mindful of a possible US sanctions nexus in cryptocurrency transactions involving US exchanges or US-hosted digital wallets.
- New discussion of a broader range of possible “enforcement responses” beyond strict liability. The Updated and prior Advisory both note that violations of US sanctions may incur civil penalties on a “strict liability” basis, i.e., knowledge that you are engaging in a transaction with a blocked person, or in a transaction that is otherwise in violation of US sanctions, is not required for liability to attach under US law. The strict liability nature of US sanctions is especially relevant in the ransomware context, where the identity of the counterparty is not known and/or cannot be known. Sanctions compliance concerns are therefore an increasing obstacle for companies or organizations who may be considering making a ransomware payment. In the Updated Advisory, however, OFAC has supplemented its discussion of strict liability by stating that “[e]nforcement responses range from non-public responses, including issuing a No Action Letter or a Cautionary Letter, to public responses, such as civil monetary penalties.” This addition, noting the broader range of possible “enforcement responses” beyond civil penalties, may be designed to highlight OFAC’s augmented recommendations on cybersecurity and cooperation with law enforcement (discussed below), and the credit that companies may receive from OFAC for such measures.
- New guidance on cybersecurity and “defensive/resilience measures.” Since publishing its Framework for OFAC Compliance Commitments (the “Framework”) in May 2019, OFAC has consistently “encourage[d]” companies to adopt a risk-based sanctions compliance policy (“SCP”), where appropriate. OFAC notes that an SCP is relevant to a company’s response to ransomware attacks and may mitigate penalties imposed for a violation. However, the Updated Advisory indicates for the first time that “[m]eaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices . . . will be considered a significant mitigating factor in any OFAC enforcement response.” (emphasis added). The Updated Advisory goes on to suggest that “[m]eaningful steps” may include the following: (i) maintaining offline backups of data, (ii) developing incident response plans, (iii) instituting cybersecurity training, (iv) regularly updating antivirus and anti-malware software, and (v) employing authentication protocols, among other measures. In addition, the Updated Advisory directs companies to the Cybersecurity and Infrastructure Security Agency’s (“CISA”) September 2020 Ransomware Guide, which contains information on technical measures that companies may implement to protect against ransomware attacks.
- Significant revisions to guidance on cooperation and self-disclosure credit. The previous Advisory noted that a company’s “self-initiated and complete report” of a ransomware attack to law enforcement would be deemed a “significant mitigating factor” in OFAC’s assessment of appropriate enforcement measures. The Updated Advisory notes that OFAC will be “more likely” to resolve apparent violations of US sanctions with a non-public response (e.g., a No Action Letter or Cautionary Letter) “when the affected party took the mitigating steps [described in the Updated Advisory], particularly reporting the ransomware attack to law enforcement as soon as possible and providing ongoing cooperation.” (emphasis added). Cooperation with OFAC and US law enforcement therefore does not appear to be a clear safe harbor under the Updated Advisory. Other additions of note include: (i) a broader range of US federal agencies and offices are listed as points of contact for reporting purposes (including, but not limited to, CISA, the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), the company’s “local FBI office,” the FBI Internet Crime Complaint Center, or the company’s “local U.S. Secret Service office”), which may require updating ransomware response protocols; (ii) OFAC will consider a “voluntary self-disclosure” to be a disclosure made “as soon as possible after discovery of an attack,” ostensibly linking the cooperation credit granted by OFAC (if any) to the timeliness of the disclosure; and (iii) OFAC details the kind of information that companies should provide, including “technical details [on the attack], ransom payment demand, and ransom payment instructions.”
Finally, OFAC states in the Updated Advisory that it will continue to review license applications for ransomware payments under a “presumption of denial” standard of review. This is consistent with the Updated Advisory’s statements that US authorities “strongly discourage all private companies and citizens from paying ransom or extortion demands . . . .”
* * *
We will continue to monitor developments in this area, and encourage you to subscribe to be kept informed of the latest developments. Please contact the authors or your usual Herbert Smith Freehills contacts for more information.