A Q&A with Philip Yannella and Greg Szewczyk of Ballard Spahr LLP
As the leading cause of cybercrime, ransomware causes numerous losses for companies—including the looming threat of federal regulatory action for paying ransoms. In our conversation, Philip Yannella, practice leader of Ballard Spahr’s Privacy and Data Security Group, and Greg Szewczyk, partner elect in Ballard’s PDS group, explained these liabilities and how to avoid them.
Can you give us an overview of the federal regulatory issues companies and cyber insurers might face in responding to ransomware emanating from specific threat actors?
PY: The U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) administers and enforces economic sanctions against countries and individuals using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals. As part of its efforts, OFAC maintains a consolidated sanctions list (among others), which includes Specifically Designated Nationals and Blocked Persons. OFAC has listed ransomware organizations, and payment to those organizations would be a violation of economic sanctions laws. Fines for violations vary depending on numerous factors and they are updated annually, but civil and criminal penalties can exceed millions of dollars.
Payment of ransoms could also implicate laws relating to designated Foreign Terrorist Organizations (“FTOs”) and “Specifically Designated Global Terrorists” (“SDGTs”). Pursuant to 18 U.S.C. 2339B, monetary contributions are to an FTO are considered material support. Transfers of money to SDGTs are violations of economic sanctions pursuant to the International Emergency Economic Powers Act.
GS: Depending on how a company structures the payment, payment of ransoms might also put the company in violation of anti-money laundering laws; for example, if it’s categorized as a “money service business” (“MSB”) under the Bank Secrecy Act (“BSA”) and Treasury Department regulations. MSBs must register with the Treasury Department, and they are subject to a complex array of laws and regulations designed to combat money laundering. The Treasury Department (through the Financial Crimes Enforcement Network, or “FinCEN”) and the Department of Justice can enforce these through civil and criminal prosecutions.
How does the level of certainty relating to threat actor attribution play into potential liability?
GS: OFAC has not issued guidance specifically addressing what level of certainty applies when assessing attribution of an attack to a threat actor or their affiliation with a blocked entity. However, regulatory framework and guidance indicate that enforcement decisions will be made on a case-by-case basis.
OFAC’s Economic Sanctions Enforcement Guidelines give it the authority to investigate “apparent violations,” defined to mean any conduct that constitutes an “actual or possible violation of U.S. economic sanctions laws.” OFAC therefore likely has the authority to investigate payments to blocked threat actors—even without certainty that the attack is attributable to that blocked group—as it could constitute an “apparent violation.”
PY: A company may be able to mitigate liability through its overall compliance regime. Under its Framework for OFAC Compliance Commitments, OFAC “strongly encourages organizations . . . to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP).” Components include risk assessments, sanctions screening software or filters, conducting due diligence on customers/clients, and scrutiny of non-traditional business methods. While none of these components directly speak to threat actor attribution standards, they demonstrate that OFAC will look at whether a company is implementing procedures that lower the likelihood of payments to blocked entities.
With respect to material support statutes, the standard for attribution would likely include an actual “knowledge” component—i.e., a company could only be found to have materially aided the FTO if it had actual knowledge that the threat actor was part of the FTO. It therefore appears that, in order to be liable for providing material support to an FTO, a company must know that an attack is attributable to a threat actor that is designated as or affiliated with an FTO.
What can a company do during the IR negotiation process to avoid regulatory pitfalls?
PY: Even before the incident response process, companies can mitigate OFAC liability risk by implementing a documented SCP. At the very least, having an SCP can help position companies for more favorable treatment by OFAC if the company pays a ransom to a blocked entity. See Framework at 1 (“When applying the Guidelines to a given factual situation, OFAC will consider favorably subject persons that had effects SCPs at the time of an apparent violation. . . . OFAC may consider the existence, nature, and adequacy of an SCP, and when appropriate, may mitigate a [civil monetary penalty] on that basis.”).
GS: Additionally, during the IR negotiation process, companies should ensure that they enlist the help of experienced legal counsel and specialized recovery firms. Recovery firms should be registered with the Treasury Department and capable of paying the ransom without violating the BSA or other anti-money laundering laws. They will also have cryptocurrency readily available to avoid logistical delays, and up-to-date information on the OFAC List and threat actor attribution—including changes in modus operandi, the most recent OFAC List, and mergers between threat actor groups.
In summary…
We want to thank Mr. Yannella and Mr. Szewczyk for their guidance on this issue. They provides a concise summary on OFAC ramifications which unfortunately only add to cyber policyholders’ concerns amid the growing complexities of ransomware attacks.
Given these uncertainties, it’s clear that in addition to having an SCP document, insureds need to lean on the Breach Coach (legal) and technical cybersecurity incident response experts provided to them by their cyber risk insurance carrier more than ever. NetDiligence® will continue to provide updates from Ballard Spahr about any new OFAC enforcement developments pertaining to ransomware threats.