There is an unprecedented rise in ransomware attacks against companies and financial institutions that are trying to cope with the global impact of COVID-19. As a result, many companies are finding themselves victims of cyber-attackers demanding monumental payments to avoid the shutdown of their business operations. There are OFAC (Office of Foreign Assets Control) concerns that must be addressed before any company decides to facilitate a payment to cyber-attackers.
So, what do you do if you become a victim of one of these computer attacks? One of the first things to do is STOP. Do not immediately comply with the cyber-attackers' demands. While time is of the essence because your business is at stake, you need to first contact the Federal Bureau of Investigation (“FBI”) and the Department of the Treasury.
Why should you interface with either of these government agencies? The short answer is to give them information that helps identify the nefarious attackers, and to help your company avoid any potential payment to the cyber-attackers that would cross the line into a payment to an OFAC-sanctioned entity.
WHOA, the government will help me? Yes, they will, but you need to be willing to follow the directives issued by the agencies.
Below are a few considerations before you fold under the cyber-attacker’s demands:
- What are the cyber-attackers trying to retrieve?
- How are the cyber-attackers affecting my ability to ship product or maintain my business?
- Are the cyber-attackers demanding payment?
Once you have some sense of what the cyber-attacker is trying to achieve, and what you may choose to do to block their ability to access your information, you will also need to consider what the compliance plan is to protect yourself from this happening again. In addition, if and when access does occur, you will need to ensure that you do not cross the Office of Foreign Assets Control (OFAC) line on payments to parties subject to U.S. sanctions/Specially Designated Persons. OFAC imposes strict liability for compliance with its regulations. Remember, the government agencies will look at what you did to notify them of the cyber-attack and whether or not a disclosure was filed with the agencies in a timely manner.
OFAC has laid out its expectations in a recently released compliance framework that includes the following:
- Commitment from senior management to support the additional OFAC compliance assessment/program
- Routine and ongoing assessment of all orders for OFAC concerns
- Internal controls that identify prohibited activities
- Auditing of internal controls
- Employee training
The above lays out the OFAC liability landscape for a ransomware attack, which companies must bear in mind when determining whether to pay the demanded ransom. Companies must carefully consider disclosure to, and cooperation with, law enforcement agencies to mitigate an OFAC penalty.
So, the key takeaways from all the information outlined are as follows:
- Remember, this is not a hypothetical risk for any company. The agencies know that North Korea, Russia and Iran are players in this arena.
- Your compliance program matters.
- Cooperation with the authorities is a must.
- Any license application to make a ransomware payment will likely be denied by the agency.
If you need assistance in reviewing OFAC regulations, please contact us for a free consultation.
Beverly Demma is a Sr. Consultant for Export Solutions -- a full-service consulting firm specializing in U.S. import and export regulations.