Thought Leadership

As Cybersecurity Incidents Increase, OFAC Revises Policy on Ransomware

September 30, 2021 Advisory

It’s no secret that the frequency and impact of cybersecurity incidents involving ransomware have increased dramatically. In 2020, the Institute for Security + Technology reported that nearly 2,400 U.S.-based governments, health care facilities and schools were victims of ransomware. The average ransomware payment rose 171% to $312,493. In a 2020 survey of 5,000 IT managers, 51% indicated that they had been attacked by ransomware in the last year.

In response, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued an advisory which revises their policy on potential sanctions risks for companies that make ransomware payments. In doing so, OFAC emphasizes that the U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands, and instead recommends focusing on strengthening defensive and resilience measures to protect against these attacks.

The Policy and Impact on Companies

The policy prohibits any transactions, directly or indirectly, made to malicious cyber actors who have been designated under OFAC’s cyber-related sanctions program. The advisory indicates that these transactions are prohibited since ransomware payments may allow those who have been sanctioned to “profit and advance their illicit aims.” OFAC further reasons that “such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks.”

The policy empowers OFAC to impose civil penalties for sanctions violations based on strict liability—meaning that a person may be held civilly liable even if the person did not know or have reason to know that the action was prohibited. These enforcement actions can take several different forms, ranging from non-public responses such as a No Action Letter or a Cautionary Letter, to public responses such as civil monetary penalties.

How to Avoid A Civil Penalty

The advisory contains several mitigating factors that OFAC may consider when determining an appropriate enforcement response to an alleged violation. OFAC highlights the importance of compliance programs and cooperation with law enforcement. While the resolution of each potential enforcement is fact-specific, OFAC is more likely to resolve violations involving ransomware attacks with a non-public response when the victim takes the mitigating steps that include:

The above mitigating factors are merely starting points that are considered by OFAC when determining an appropriate enforcement response in the event a sanctions nexus is found in connection with a ransomware payment.

Armstrong Teasdale’s Privacy and Data Security attorneys have significant experience guiding clients in developing and maintaining SCPs, IRPs and WISPs. We also have significant experience building and auditing risk-based compliance programs to mitigate exposure to sanctions- and embargoes-related violations. We will continue to monitor and provide updates regarding OFAC and other cybersecurity developments. Please contact your regular AT attorney or one of the authors listed below for proactive guidance specific to your business.

Contact Us
  • Worldwide
  • Boston, MA
  • Chicago, IL
  • Denver, CO
  • Dublin, Ireland
  • Edwardsville, IL
  • Jefferson City, MO
  • Kansas City, MO
  • Las Vegas, NV
  • London, England
  • Miami, FL
  • New York, NY
  • Orange County, CA
  • Philadelphia, PA
  • Princeton, NJ
  • Salt Lake City, UT
  • St. Louis, MO
  • Washington, D.C.
  • Wilmington, DE
Worldwide
abstract image of world map
Boston, MA
800 Boylston St.
30th Floor
Boston, MA 02199
Google Maps
Boston, Massachusetts
Chicago, IL
100 North Riverside Plaza
Suite 1500
Chicago, IL 60606-1520
Google Maps
Chicago, Illinois
Denver, CO
4643 S. Ulster St.
Suite 800
Denver, CO 80237
Google Maps
Denver, Colorado
Dublin, Ireland
Fitzwilliam Hall, Fitzwilliam Place
Dublin 2, Ireland
Google Maps
Edwardsville, IL
115 N. Second St.
Edwardsville, IL 62025
Google Maps
Edwardsville, Illinois
Jefferson City, MO
101 E. High St.
First Floor
Jefferson City, MO 65101
Google Maps
Jefferson City, Missouri
Kansas City, MO
2345 Grand Blvd.
Suite 1500
Kansas City, MO 64108
Google Maps
Kansas City, Missouri
Las Vegas, NV
7160 Rafael Rivera Way
Suite 320
Las Vegas, NV 89113
Google Maps
Las Vegas, Nevada
London, England
Royal College of Surgeons of England
38-43 Lincoln’s Inn Fields
London, WC2A 3PE
Google Maps
Miami, FL
355 Alhambra Circle
Suite 1200
Coral Gables, FL 33134
Google Maps
Photo of Miami, Florida
New York, NY
7 Times Square, 44th Floor
New York, NY 10036
Google Maps
New York City skyline
Orange County, CA
19800 MacArthur Boulevard
Suite 300
Irvine, CA 92612
Google Maps
Philadelphia, PA
2005 Market Street
29th Floor, One Commerce Square
Philadelphia, PA 19103
Google Maps
Philadelphia, Pennsylvania
Princeton, NJ
100 Overlook Center
Second Floor
Princeton, NJ 08540
Google Maps
Princeton, New Jersey
Salt Lake City, UT
222 South Main St.
Suite 1830
Salt Lake City, UT 84101
Google Maps
Salt Lake City, Utah
St. Louis, MO
7700 Forsyth Blvd.
Suite 1800
St. Louis, MO 63105
Google Maps
St. Louis, Missouri
Washington, D.C.
1717 Pennsylvania Avenue NW
Suite 400
Washington, DC 20006
Google Maps
Photo of Washington, D.C. with the Capitol in the foreground and Washington Monument in the background.
Wilmington, DE
1007 North Market Street
Wilmington, DE 19801
Google Maps
Wilmington, Delaware