Data reveals that in 2019, 55% of small and medium-sized enterprises were forced to pay hackers following a ransomware attack. Unfortunately, this trend of rising ransomware risk shows no signs of slowing down. Yet, the practice of paying cyber criminals ransom to recover data remains a gray area for regulatory compliance.
Organizations can mitigate the risk of falling afoul of regulations by partnering with registered money service businesses (MSBs) to respond to ransomware events. MSBs are regulated by the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) and are held to a compliance standard for financial transactions. They also pledge to help law enforcement detect and prosecute criminals, including those charged with cyber crimes.
Last year, Kivu, a cybersecurity solutions provider, registered as an MSB—and was reportedly the first full-service ransomware response vendor to do so. We spoke to Global Managing Director Winston Krone about how this status benefits Kivu and their clients, and why we should expect other businesses to follow suit.
What Is an MSB and How Is This Designation Helpful to Ransomware Response?
According to FinCEN, a money service business is any individual or business that carries out financial transactions above a threshold of $1,000 per day, per person, in any of the following capacities:
- Currency dealer or exchanger
- Check casher
- Issuer of traveler’s checks, money orders, or stored value
- Seller or redeemer of traveler’s checks, money orders, or stored value
- Money transmitter
- U.S. Postal Service
These businesses are regulated by the U.S. Treasury’s FinCEN body and are required to comply with certain banking regulations and anti-money laundering protocols. They also agree to help authorities investigate fraudulent cyber transactions.
“By registering as an MSB,” Krone explained, “we demonstrate our commitment to working with law enforcement to bring bad guys to justice. As consultants, we offer full-service analysis and remediation and stress that paying a ransom is a last resort.”
“Right now, incident response is a gray area,” Krone said. “Many in the industry are paying ransomware, but they need to come out of the shadows. It is now clear that the payment of cryptocurrency ransoms can be defined as a money transaction and is thus covered by U.S. banking laws and compliance requirements.”
In 2018 and 2019, there was an exponential increase in ransomware attacks, both in the number of attacks and the size of ransoms, with the insurance industry scrambling to keep up. Research shows that when the Office of Foreign Assets Control (OFAC) due diligence guidelines were followed, there was no evidence that smaller payments of $50,000 or less were going to sanctioned entities or listed terrorists. However, as ransom payments increased beyond $1 million, the risks increased, and greater scrutiny from oversight bodies should be expected.
“For this reason,” Krone said, “we determined that it was crucial that Kivu took both the legal and moral high ground [to register as an MSB].”
Registering as an MSB requires a business to shoulder some fairly onerous compliance obligations, including:
- Anti-money laundering (AML) compliance
- Know your client (KYC) procedures
- Rigorous vetting of vendors
- Careful investigation of cyber extortion events
- Suspicious activity reports to the government
“We saw that this was a chance to connect our obligation to fight crime with our desire to help clients and their insurers caught in a ransomware situation,” Krone said.
What Is the Review Process for Becoming an MSB?
All MSBs are required to be compliant with the Bank Secrecy Act (BSA) and have an Anti-Money Laundering (AML) program specifically suited to their organization’s risks. To achieve compliance, the following measures are generally required:
- Appointment of a compliance officer
- A registered list of internal compliance staff
- The creation of an AML compliance program in the form of a written manual
- An independent review of BSA and AML compliance programs
- Proof of employee compliance training
- Establishment of effective suspicious activity monitoring and reporting processes
- Adherence to reporting protocols for cash transactions of over $10,000
To prepare for the compliance review process, Kivu relied on a combination of internal and external resources.
“We retained a leading international law firm with expertise in cryptocurrency to review our systems, processes, and due diligence procedures,” Krone explained. “We were fortunate that we’d already developed a robust due diligence process that, I firmly believe, is the gold standard for the cyber insurance industry.”
“We also had key anti-money laundering provisions already in place,” Krone added, “where compliance forced us to go deeper in knowing our clients and in developing procedures to minimize the risk to our clients. We now have a position solely dedicated to cryptocurrency transactional compliance as stipulated by the Bank Secrecy Act, with responsibility for filing suspicious activity reports (SARs) within 30 days of every ransomware transaction.”
By adhering to these compliance standards, you can position your organization to deter attacks, better mitigate attacks when they occur, and bring criminals to justice in cooperation with the authorities.
How Can This Service Role Benefit a Policyholder Who Has Suffered a Ransomware Attack?
We asked Krone what benefits MSB registration and compliance could bring to cyber insurance policyholders.
“To our knowledge, there is only one other ransomware response vendor registered as an MSB. Our view is that it’s about remaining compliant,” he said, “and if you’re using cryptocurrency as part of your business model you should be regulated as an MSB.”
The size of ransoms has grown exponentially from tens of thousands to millions of dollars. Given the money involved, there is going to be regulatory and governmental scrutiny. Pending New York legislation is a case in point, where bills are expected to restrict the ability of municipalities to pay ransoms using taxpayers’ money. With constantly changing legislation and legal risks, it’s important to monitor the situation and update your practices to minimize regulatory risk and protect your clients.
“I strongly believe that this is an area where the interests of the response vendor, the insured, and the insurer are aligned—we all benefit from focusing on regulatory compliance,” Krone said. “Just as credible businesses and insurers wouldn’t use a disbarred attorney or turn a blind eye to corporate funds passing through unregulated offshore banks, the same applies to the processes used to make and reimburse ransomware payments.”
Krone makes the point that during a stressful and messy cyber incident, being able to show proper levels of regulatory compliance is a strong selling point for any cyber insurer or response service.
“Becoming an MSB gave us more credibility for the occasions when there is no alternative but to pay a cryptocurrency ransom,” Krone said. “This credibility allows us to develop stronger relationships with cryptocurrency exchanges, which are themselves regulated and thus need to ensure their compliance. In practice, this now means we can pay larger ransoms (up to $10 million) more quickly. With our additional due diligence processes, it’s also less likely that an insurer will refuse reimbursement due to regulatory problems.”
Expect More Cybersecurity Vendors to Register as MSBs
As Krone mentioned, the extortion demands from cyber threat actors show no signs of abating. Ransom demands from several hundred thousand dollars up to $1 million and beyond are now commonplace. As customers are forced to make these bitcoin payments, it’s reasonable to expect that government enforcers are going to scrutinize these transactions.
Regulatory bodies like FinCEN will want to see that response vendors are compliant with existing anti-money laundering and anti-terrorism laws. In this context, being registered as an MSB can only be seen as positive.
As a cybersecurity solutions provider, Kivu is ahead of the curve in attaining MSB status and coming into compliance with banking regulations, but expect more to follow.
To learn more about bolstering your cyber defenses for a potential ransomware event, check out the NetDiligence Cyber Risk Assessment Tools.