As Cybersecurity Incidents Increase, OFAC Revises Policy on Ransomware

September 30, 2021 Advisory

It’s no secret that the frequency and impact of ransomware incidents have increased dramatically. The Institute for Security + Technology reported that in 2020 nearly 2,400 U.S.-based governments, health care facilities and schools were victims of ransomware, and that the average ransomware payment rose 171% to $312,493. In a 2020 survey of 5,000 IT managers, 51% said their organization had been hit by ransomware in the previous year.

In response, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued an updated advisory revising its policy on the potential sanctions risks for companies that make or facilitate ransomware payments. In it, OFAC emphasizes that the U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands, and instead recommends focusing on strengthening defensive and resilience measures to protect against these attacks.

The Policy and Impact on Companies

The policy prohibits U.S. persons from engaging in transactions, directly or indirectly, with malicious cyber actors who have been designated under OFAC’s cyber-related sanctions program or who are otherwise blocked persons. Because the prohibition reaches indirect transactions, it covers payments routed through third parties such as cyber insurers, incident response firms and payment intermediaries, not just payments made by the victim itself. The advisory explains that such transactions are prohibited because ransomware payments may allow sanctioned persons to “profit and advance their illicit aims,” and OFAC further reasons that “such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks.”

The policy empowers OFAC to impose civil penalties for sanctions violations on a strict liability basis, meaning a person may be held civilly liable even if it did not know or have reason to know that the transaction was prohibited. Enforcement responses range from non-public responses, such as a No Action Letter or a Cautionary Letter, to public responses such as civil monetary penalties.

How to Avoid a Civil Penalty

The advisory lists several mitigating factors that OFAC will consider when determining the appropriate enforcement response to an apparent violation, highlighting in particular the importance of compliance programs and cooperation with law enforcement. While the resolution of each matter is fact-specific, OFAC is more likely to resolve a violation involving a ransomware payment with a non-public response when the victim:

  • took meaningful steps before the attack to reduce the risk of extortion by a sanctioned actor, such as the practices highlighted in CISA’s September 2020 Ransomware Guide (maintaining offline backups, developing an incident response plan, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols);
  • reported the attack promptly and completely, on its own initiative, to the appropriate U.S. government agencies (CISA, the FBI, the U.S. Secret Service and, where a sanctions nexus is suspected, OFAC); and
  • cooperated fully and on an ongoing basis with law enforcement during and after the attack.

These mitigating factors are merely starting points that OFAC considers when determining an appropriate enforcement response once a sanctions nexus is found in connection with a ransomware payment.

Armstrong Teasdale’s Privacy and Data Security attorneys have significant experience guiding clients in developing and maintaining sanctions compliance programs (SCPs), incident response plans (IRPs) and written information security programs (WISPs), as well as in building and auditing risk-based compliance programs to mitigate exposure to sanctions- and embargo-related violations. We will continue to monitor and provide updates on OFAC and other cybersecurity developments. Please contact your regular AT attorney or one of the authors listed below for proactive guidance specific to your business.
