TLDR – Treasury’s OFAC Advisory will likely fundamentally change ransomware payments response and the cyber insurance industry. Prevention will gain renewed focus in enterprise cyber security programs and I expect we will see funds shift as priorities change. The Advisory’s overall goal is to deter attacks by reducing enterprise payments made to nation states through a novel application of sanctions law. In parallel, DoJ’s FinCEN released its own Advisory to financial institutions regarding their AML obligations in the ransomware context.
I’m looking forward to the industry response to OFAC’s 1 October 2020 Advisory and what the downstream effects will be for vendors focused on prevention as well as incident response providers.
Unclear as of yet is the impact to criminal use of cryptoassets, the primary payment mechanism for ransomware attacks and one that Evertas will be watching closely.
Missed the announcements? The Advisory notices linked here:
Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments
Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (FIN-2020-A006, 1 October 2020)
The key introductory phrase from the OFAC Advisory is:
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
More specifically, OFAC cites its rationale for this novel application by making the connection to existing authorities:
“Under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).
Additionally, any transaction that causes a violation under IEEPA, including transactions by a non-U.S. person which causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited.
U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons, which could not be directly performed by U.S. persons due to U.S. sanctions regulations. OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”
Finally, OFAC will consider how early and how fully affected enterprises cooperate with relevant law enforcement and regulatory authorities in determining civil liability.
As for the FinCEN Advisory, a key paragraph is:
“The prevalence of ransomware attacks has led to the creation of companies that provide protection and mitigation services to victims of ransomware attacks. Among these entities are digital forensics and incident response (DFIR) companies and cyber insurance companies (CICs). Some DFIR companies and CICs, as well as some MSBs that offer CVCs, facilitate ransomware payments to cybercriminals, often by directly receiving customers’ fiat funds, exchanging them for CVC, and then transferring the CVC to criminal-controlled accounts.
Depending on the particular facts and circumstances, this activity could constitute money transmission.
Entities engaged in money services business activities (such as money transmission) are required to register as an MSB with FinCEN, and are subject to BSA obligations, including filing suspicious activity reports (SARs).”
What are your thoughts on the paired notices and their potential collective impact on curbing the growth in ransomware attacks?