The U.S. Treasury Department updated its guidance on sanctions that might be levied if a company pays a ransom as a result of a ransomware attack and the payment makes its way to persons on the Specially Designated Nationals and Blocked Persons List (the SDN List) or to embargoed countries (such as Cuba and North Korea). The Treasury Department first emphasized in October 2020 that such payments could violate the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA). The updated advisory provides guidance as to how to minimize the chances a severe monetary penalty will be imposed in favor of less severe sanctions such as a warning letter.
Here’s how the sanctions might come into play (caution – the story you are about to read is not pleasant):
A local company realizes that all of its systems have been encrypted and that those holding the keys demand payment of a large sum of money. The hackers also threaten to publish sensitive portions of the data (social security numbers, trade secrets, customer information) if the ransom is not paid. The hackers do not give away their location, but they provide instructions for making the cryptocurrency payment. After the local company realizes that its backups do not fully restore all of the necessary systems and that it lacks adequate cyber insurance for this event, the company figures out how to make the cryptocurrency payment to the hackers. The hackers provide the encryption key (because there is honor among thieves, after all), but make no real promises about refraining from publishing the sensitive data they stole.
Six months after the ordeal, the Treasury Department delivers a letter to the local company imposing civil fines because the cryptocurrency payment was made to a person identified with a terrorist organization. On top of the losses suffered as a result of the downtime, the IT costs incurred to fix and shore up systems, and the ransom payment, the local company now faces a civil penalty from the federal government.
At its base, federal law prohibits making payments to persons on the SDN List or to embargoed countries. Note that the statutes impose “strict liability,” which means a company can be penalized even if it does not know that the recipient of the ransom payment is on the SDN List or is in an embargoed country. Because the federal government wants to prevent the funding of activities adverse to national security, the Treasury Department has the authority to levy sanctions for providing financial assistance to sanctioned persons or embargoed countries.
The Treasury Department’s amended guidance, issued on September 21, 2021, emphasizes that companies can mitigate the risk of severe sanctions by implementing a risk-based compliance program that includes tasks such as maintaining offline backups, developing an incident response plan, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols. These are steps all companies should implement regardless of whether they perceive any risk of Treasury sanctions, as these are good defenses to security compromises. According to the amended guidance, companies can also mitigate risk of severe sanctions by self-reporting ransomware incidents and payments (as opposed to the Treasury Department’s finding out as a result of its own investigation). So, in addition to notifying the FBI or the Secret Service, the entities most commonly notified in the event of a security incident, companies should now also consider notifying the Treasury Department’s Office of Foreign Assets Control (OFAC). These notifications can (and probably should) be made while the forensic work is underway to get systems back online.
The digital world already carries its own set of risks. As if the world were not already complicated enough, companies of all sizes now need to add to their list of worries the possibility of compromising national security. A little planning, however, can mitigate at least the most severe sanctions.