Ransomware and U.S. regulations: Which piper do you pay?

We all remember the cute nursery rhyme “Peter Piper.”  (Try reciting it five times fast!)  But in today’s world of ransomware attacks, many U.S. companies are caught in a troublesome “pickle” trying to figure out what to do.

Here’s the scenario.  Over a weekend (particularly holiday weekends), your company may find itself hit by a cybersecurity attack. The outside attack has invaded your computer network attempting to gain access to your files, financials, technical information, and potentially export-controlled information, among other things.  You are now being held hostage for a monetary value to release your files and information by individuals who may be in Russia, Malaysia, India, or other international locations.  Look no further than the recent case of Colonial Pipeline for this real-world scenario.

Your IT Department scrambles to recoup your data and files, when suddenly the cyber attacker tells you that YOU MUST PAY “X” DOLLARS to release your company network and other systems in order to resume business.  Now what do you do?  Most businesses take the easy way out to get things up-and-running again.  They cave to the extortion demands of their computer attackers.  So, in our hypothetical example, you make that payment to the hackers holding you hostage.  Perhaps you meet their demands and pay the ransom in cryptocurrency.  But is that really the wisest thing to do?

The OFAC and BIS conundrums

Companies who fall victim to ransomware attacks must be aware of the potential consequences of getting into the crosshairs of the Department of Commerce, Bureau of Industry and Security (“BIS”) and Department of Treasury, Office of Asset Controls (“OFAC”).  These attacks are here to stay.  The hackers operate 24/7/365 and they do not take vacations.  In fact, the FBI estimates that from 2019 to 2020, payments to ransomware actors exceeded $400 million dollars.

By making ransom payment, a U.S. company will likely run up against U.S. export regulations as many of the ransomware actors are in countries in that are embargoed or sanctioned entities/individuals.  Current advisement from both BIS and OFAC state that companies must comply with recent export regulations, and other laws such as anti-money laundering and counterterrorist financing … even regarding ransomware payments.  So, what should your company do?  Here are some initial tasks:

• As hard as it is, do not bend to the demands of the ransomware attackers.
• Contact your local law enforcement agency or an FBI Office for assistance.
• Check the OFAC website to understand what sanctions may exist concerning facilitation payments.
• Recognize that making such a payment could cause your company to be penalized by OFAC for violating U.S. sanctions and embargo laws and regulations. (The current civil penalty for one OFAC violation is $311,562).
• Involve your inside or outside legal counsel. You do not want to maneuver through the government requirements without legal advice.

Steps to help prevent ransomware attacks

After addressing some of these urgent issues and as you’re trying to right the ship, what other areas of your company operations can be evaluated to help deal with and prevent such attacks?  Some key points to consider:

Review Your Trade Compliance Plan

• Does it address steps to take when a ransomware attack occurs?
• Is your IT infrastructure adequate to protect your company’s and customer’s export-controlled information?
• What steps should be taken to contact outside third parties to help understand who must be contacted and what must be done to minimize the intrusion?
• Are you required to report the incident? Some contracts or purchase orders may require you to report breaches to your customers and/or suppliers.
• If any breach involved controlled technical data or technology (EAR or ITAR) then you should work with a competent export consultant to file a voluntary disclosure.

Your Disaster Recovery Plan.

• Do you have a data backup infrastructure that is located outside of the main company location where data is stored and can be brought back online to meet business critical needs?
• Does the company need to invest in newer technologies that can help minimize another attack?

Supply Chain Management

• In the ransomware world, the supply chain is considered a weak link. Many companies have provided access to their network for suppliers/vendors to download or upload documentation concerning purchases.
• Due diligence of all suppliers/vendors is important. If they were attacked could they still provide you the goods required to help the company meet its customer demands?  What type of security measures do they have in place?

Institute Cybersecurity Protocols

• Employees need to understand how easy an attack can occur. Providing regular cybersecurity training is worth a pound of prevention.
• Regularly update your antivirus and anti-malware software.
• Employ authentication protocols.

Remember, which Piper do you wish to pay?  The ransomware hackers?  Or the U.S. government for failing to understand you could be creating an export violation without even realizing it.

Do you need help navigating U.S. export controls or sanctions regulations?  Our team of experts can help.  Schedule a no-charge consultation today.

 

Image by Tumisu from Pixabay.