Potential Penalties for Ransomware Payments
By Amanda Cialkowski and Sean Griffin
Specifically, the guidance states “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but may also risk violating OFAC regulations.”
Amanda Cialkowski
Nilan Johnson & Lewis
Sean Griffin
Dykema
You just received an email from a cybercriminal confirming what you already feared – your company’s computer system has been infected with ransomware and you cannot access critical information. Every moment that goes by is costing your company money. A demand to unlock the system just showed up in your email inbox.
The substantial ransom demanded is payable in Bitcoin, of course, and detailed instructions are included. Even though the price is steep, the good news is that the company took precautions for just this kind of event by obtaining top-notch cyber insurance coverage. You communicate with your insurance company to relay the demand, expecting quick action, but instead an unexpected response comes later in the day. The insurance company says that it cannot pay this ransom because it appears that the bad actors are in fact well-known international criminals who regularly engage in hacking activities for profit and may be sponsored by the government of North Korea. Your insurance company tells you that there is new guidance that bars it from making this kind of payment. Wasn’t the point of getting cyber coverage to protect against just this situation? What in the world is going on?
On October 1, 2020, the Office of Foreign Assets Control, an agency within the Department of the Treasury, issued an advisory on potential civil penalties for facilitating ransomware payments to persons or entities that are subject to US government sanctions.
In the first paragraph of the advisory, OFAC makes clear that paying a ransomware demand may subject the payor to penalties for violating OFAC regulations. Specifically, the guidance states “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and
Insights, Spring 2021