U.S. authorities release guidance on potential sanction violations for facilitating ransomware payments

Increasingly, companies may find themselves at the mercy of cyber-pirates and other hackers who, through improper means, seize control of information technology systems in an effort to extort ransom payments from victims, in exchange for decrypting the information and restoring system access, refraining from disseminating confidential information, or both. The COVID-19 pandemic has led to increased risk in this regard, including a significant increase in the incidence of cyberattacks. In these situations, companies are placed in a challenging situation as they navigate business, privacy and confidentiality concerns as well as established law and regulations.

On October 1, 2020, the U.S. Department of the Treasury issued a pair of advisory statements to assist American individuals and businesses in responding to ransomware payment demands following a cyberattack. Specifically, both the Office of Foreign Assets Control (“OFAC”) and the Financial Crimes Enforcement Network (“FinCEN”) released twin advisory statements (the “Advisories”) alerting companies to the potential sanctions they may face if found to have authorized or facilitated ransomware payments to sanctioned persons. While the Advisories are of particular concern to U.S. businesses, Canadian businesses should also pay attention to certain aspects that have extra-territorial application.

OFAC and FinCEN Guidance

Ransomware is a form of malicious software designed to block access to data or a computer system. Ransomware often encrypts data or programs on information technology systems in an effort to extort ransom payments from victims in exchange for decrypting the information and restoring system access. These types of attacks have increased in frequency, severity, and sophistication in recent years – further accelerated by the COVID-19 pandemic and the world’s heightened reliance on the use of online systems for the purposes of conducting business. In its advisory statement, FinCEN specifically highlights governmental entities and financial, educational, and healthcare institutions as increasingly popular targets for these types of ransomware attacks.

In an effort to prevent ransomware attacks and consequent ransom payments, OFAC has designated both specific perpetrators of ransomware attacks and facilitators of ransomware transactions under its sanctions program. Targeted persons under the sanctions program include various foreign countries (such as Iran), cybercriminal organizations (such as Cryptolocker) and individuals (such as Cryptolocker’s developer, Evgeniy Mikhailovich Bogachev). Once a person has been named under OFAC’s sanctions program, all transactions with that person, whether direct or indirect, are strictly prohibited.

While in the past OFAC may have considered surrounding circumstances in assessing a victim’s decision to make a ransomware payment, its recent advisory statement suggests that its future position may not be so lenient. If an individual or company makes a ransomware payment to a sanctioned entity, OFAC has clearly indicated that it will impose civil penalties on a strict liability basis. This means that a person subject to U.S. jurisdiction may be held civilly liable for making a ransomware payment, even if it did not know, or have reason to know, that it was engaging in a transaction with a person that is prohibited under OFAC sanctions laws and regulations. In determining the appropriate enforcement outcome, OFAC indicates that self-initiated reporting to, and full and timely cooperation with, law enforcement will be potentially mitigating factors. There is no suggestion that the culpability of the attacker, the commercial consequences associated with non-payment of the ransom or a lack of knowledge on behalf of the victim will be considered in diverting blame from the payor of a ransomware claim.

In addition, OFAC’s guidance indicates that facilitating ransomware payments on behalf of a victim may equally violate OFAC regulations. This applies to companies that engage with victims of ransomware attacks, such as those involved in providing cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments (including depository institutions and money services businesses). OFAC notes that companies involved in facilitating ransomware payments on behalf of victims should also consider whether they have obligations under FinCEN regulations.

This recent guidance by OFAC highlights the challenging position that companies subject to a cybersecurity attack face. Because it is often difficult, if not impossible, for companies to conclusively determine the origin of a ransomware attack, companies facing an attack from an unknown cybercriminal are placed in a vulnerable position and must decide between refusing payment and suffering potentially devastating commercial consequences or, in the alternative, running the risk of violating applicable sanctions law.

Canadian companies that fall victim to ransomware demands may also be subject to the application of OFAC’s enforcement. Firstly, under the International Emergency Economic Powers Act (“IEEPA”), any transaction by a non-U.S. person which causes a U.S. person to transact with an OFAC sanctioned person is prohibited. This situation could potentially arise in the case of a Canadian entity’s use of a U.S. ransomware protection and mitigation service company, such as those in the industry of digital forensics and incident response, a U.S. insurer who has underwritten a cyber insurance policy for the Canadian company, or a financial services institution that may be involved in processing ransomware payments. Secondly, in its advisory, OFAC states that it may impose sanctions on anyone who materially assists, sponsors or provides financial, material or technological support to any sanctioned parties. Theoretically, this broad language suggests that even non-U.S. persons who accede to ransomware demands from OFAC sanctioned persons may be subject to enforcement.

Canada’s approach to ransomware payments

Canada’s regulatory equivalent to OFAC and FinCEN is the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”). Among other things, FINTRAC is responsible for the enforcement of Canadian anti-money laundering and terrorist financing legislation, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (“PCMLTFA”) and its associated regulations, which impose obligations on reporting entities including financial institutions, securities dealers, money services businesses and casinos (among others). FINTRAC has noted in a policy interpretation that while the act of sending ransomware funds, usually in the form of virtual currency, is not contrary to the PCMLTFA, reporting entities may suspect that the transaction is related to money laundering or the financing of terrorist activity because of the destination of the transaction. In such cases, the sender would be obligated to submit a suspicious transaction report to FINTRAC. In addition, any company providing services in respect of any payment they suspect may be related to money laundering or terrorist financing should seek advice regarding issues related to the proceeds of crime provisions under the Criminal Code.

Like the U.S., Canada also has specific sanctions laws, which apply to all Canadians and Canadian businesses operating outside of Canada. Unlike the U.S., Canada maintains no standalone list of sanctioned persons. Rather, Canadian sanctions laws, including various lists of sanctioned persons, are set out in the Criminal Code, the Freeing Assets of Corrupt Foreign Officials Act, the Special Economic Measures Act, the United Nations Act, and the Justice for Victims of Corrupt Foreign Officials Act (Sergei Magnitsky Law). These statutes prohibit dealings with sanctioned persons, although such prohibitions may include a knowledge qualifier.

Proactive steps

As a proactive consideration, companies should develop and maintain a comprehensive internal data incident response protocol. By ensuring proper data security and privacy protection measures from the outset, companies can better protect confidential information and reduce the risk of a ransomware attack. Within this broader policy, it is critical to develop a sub-protocol specifically covering ransomware attacks. This sub-protocol should articulate the key considerations that are unique to data extortion, including applicable sanctions and relevant anti-money laundering legislation. By ensuring full compliance with any applicable sanctions or anti-money laundering legislation, companies can more confidently navigate their ability to respond to a ransomware attack and abide by any necessary reporting obligations. Additionally, companies should ensure that they have appropriate insurance coverage in place for these types of payments – both in terms of a sufficient quantum of funds and an adequate scope of coverage.

If a company becomes the victim of a ransomware attack or is asked to facilitate any transaction that may be connected to a ransomware payment, it should seek the advice of counsel.