Insights SPRING 2021
companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but may also risk violating OFAC regulations.”
Ransomware has become familiar to all of us, with regular stories in the media about attacks on businesses and government entities large and small across a variety of industries. The OFAC advisory cites FBI data confirming the widespread nature of ransomware, including a 37% increase in reported ransomware cases and a 147% increase in losses from 2018 to 2019. The dramatic increase in remote work during the COVID-19 pandemic, and the vulnerabilities associated with the use of home networks rather than corporate ones, seem likely to result in yet more cyber security issues and ransomware threats. In the face of these potential attacks, wise companies were well advised to obtain appropriate cyber insurance coverage, and the market for this has exploded in recent years. Unfortunately, this coverage now faces new limitations in paying claims arising from ransomware.
OFAC has specifically designated the developers of certain ransomware as malicious actors and included them in sanctions programs. Among these are the developer of the SamSam ransomware that was used to victimize the City of Atlanta, among others, and appears to be tied to several Iranian citizens who are under sanction, and the developer of the WannaCry ransomware, which has ties to North Korea.
OFAC seeks to prevent payments from enabling future cyber criminals and their activities. The advisory notes that it is at least possible that payments “could be used to fund activities adverse to the national security and foreign policy objectives of the United States.” Paying ransomware encourages future attacks by funding bad actors who can continue and expand their activities and increase the level of sophistication of their attacks.
OFAC can impose civil penalties based on a strict liability standard for violation of US sanctions. Therefore, penalties can be levied even if the ransom payor did not realize that the recipient of its payment was subject to US sanctions. To avoid this fate, OFAC suggests that those paying ransoms should “implement a risk-based compliance program to mitigate exposure to sanctions-related violations.” The guidance specifically mentions insurance companies and any financial institution processing payments to the bad actor.
OFAC will consider a company’s full and timely report of a ransomware attack and full cooperation with law enforcement investigation as a mitigating factor when evaluating a possible penalty against the company, but does not provide a “safe harbor” for companies that do so. It further encourages ransomware victims to immediately contact OFAC if it appears that a payment may violate applicable sanctions.
In February 2021, the New York State Department of Financial Services (“DFS”) added its own support for caution when paying a ransom. DFS data shows that from early 2018 to late 2019 ransomware insurance claims increased by 180% and the average cost of these claims increased by 150%. The number of ransomware attacks nearly doubled in 2020 from 2019. While DFS recognized the risk of cyber incidents and the importance of cyber security, noting that “cyber insurance is critical to managing and reducing the extraordinary risk we face from cyber intrusions”, it also cited the OFAC advisory. Mirroring the OFAC position, DFS recommends against paying ransoms because of the risk that these payments will be used to finance more attacks, increase the cyber criminal’s ability to create more sophisticated software, and lead to more severe attacks in the future.
So what can be done? First, victims of ransomware, their insurers and financial institutions, and the professionals (including lawyers) advising them must investigate the likely recipient of any ransomware