US DEPARTMENT OF THE TREASURY SCOPE OF SANCTIONS NOW INCLUDES RANSOMWARE
This is an Alert for the CYBER MARKET PULSE, a series from eosedge Legal – Strategic Partner of IR Global offering commentary about cyber risks and the marketplace.
In this Alert, we are informing all IR Global members of new regulatory risks arising from ransomware attacks. In October, the Office of Foreign Assets Control (OFAC) issued new guidance on the scope of prohibited conduct arising from a ransomware attack. In short, paying the ransom – or merely facilitating a payment – to a sanctioned entity, or to an entity “who otherwise has a sanctions nexus”, creates exposure to fines and other sanctions risks.
The impact of this guidance is far-reaching. Law firms, insurance companies, financial institutions, cyber forensics companies, and others involved in assisting an attacked company, including non-US entities involved in facilitating payment, all fall within its scope. Importantly, OFAC may impose civil penalties on a strict-liability basis: not knowing that the payee is on a sanctions list or has a “sanctions nexus” is not a defense to a fine. The guidance also expects companies to have a risk-based compliance plan with mechanisms in place to ensure compliance – in practice, that means screening any payment counterparty or intermediary against the sanctions lists before any payment is made, not after.
The US Department of the Treasury explained that its basis for applying OFAC authorities to ransom payments stems from the rapid growth of the cybercrime ecosystem. Payment of ransoms has become commonplace and, in the view of the US Treasury, represents a national security risk. That judgment alone signals the magnitude of the problem. The scale of the attacker network, and the sophistication and perniciousness of the ransomware attack scheme, have grown at a troubling rate. Whereas demands in 2018 were regularly in the range of tens of thousands of US dollars, in 2019 the average Ryuk ransomware demand was $700,000. The types of malware, the extortion amounts, and the tactics continue to wreak havoc on a global scale.
The major take-away from this new OFAC guidance is cyber preparedness. Preparedness means having capabilities for Prevention / Response / Recovery. Those terms translate to a) improving cyber defenses, b) securing and rehearsing a cyber response team, and c) obtaining cyber insurance and engaging in strategic planning. eosedge Legal and the eosCyber Alliance, in partnership with IR Global, possess all three capabilities. The new landing page under IR Digital also announces the establishment of a Cyber Crisis Team that includes cyber insurance – see OnCall Cyber.
The CYBER MARKET PULSE is a series of informative pieces from Doug DePeppe and colleagues at eosedge Legal. We offer data privacy and data protection services, including consulting, training, incident response, and compliance, to the IR Global network and are more than happy to speak with you directly about our services. Please take a look at our website for more information – https://eosedgelegal.com/