Over the past few weeks, revelations of ransomware cyber-attacks on U.S. businesses have rocked the country’s infrastructure, with the attacks holding hostage companies’ computer systems that are necessary to provide essential services to the nation. In a typical ransomware attack, hackers exploit a security vulnerability to gain access to a company’s computer system. After gaining access, the hacker will encrypt all or part of the system, rendering it inoperable or significantly crippled. The hackers then demand a ransom payment in exchange for a decryption key that will unlock the computer system. Recent ransomware attacks have focused on providers of essential products or public infrastructure, such as hospitals and medical providers, food distributors, energy companies, and public transit companies.
Prior to 2019, ransomware attackers mainly targeted data-rich companies, such as retailers or financial companies, relying on the potential loss or threatened exposure of customers’ personal data to incentivize companies to pay a ransom for the decryption key. Over the last few years, ransomware attacks have become increasingly frequent for other types of businesses lacking such personal data, including manufacturers or industrial companies. In these attacks, the goal is to shut down a company’s operations, thereby forcing it to ransom the decryption key to get the business back up and running.
According to FBI Director Christopher Wray, reports of ransomware attacks have tripled over the past year. The increased frequency and broader scope of ransomware attacks present not only a business risk for a company, but legal and compliance risks as well. In October 2020, the Treasury Department’s Office of Foreign Assets Control (“OFAC”) released an advisory statement explaining that many criminals responsible for ransomware appear on OFAC’s Specially Designated Nationals and Blocked Persons List (“SDN list”). Under U.S. law, American companies and individuals are strictly prohibited from engaging in transactions with a sanctioned person or entity. This means that if a company ransoms its data from a person who appears on OFAC’s SDN list, it may be held civilly liable under U.S. law, even if it was unaware that the ransomware hacker was identified on the SDN list. Furthermore, criminal penalties of up to 20 years’ imprisonment are available where there is a reckless or willful violation of the sanctions laws.
The decision whether or not to make a ransom payment can be a difficult one, but to minimize the risk of OFAC fines or penalties in connection with a payment, it is vital that a company have a risk-based compliance program in place to mitigate the risk it takes on by making a ransom payment to a potentially sanctioned individual or entity. An effective sanctions compliance program will include, among other things, a commitment from management, periodic risk assessment, effective internal controls, ongoing monitoring and testing, and training for employees. Specifically, in circumstances involving ransomware, a compliance program must also assess and account for the risk that the payment may involve an embargoed nation or a person or entity appearing on the SDN list.
Although a company may not wish to publicize that it has been a victim of a ransomware attack, there is a strong incentive to promptly disclose a cyber-attack to law enforcement and to cooperate in any investigation: OFAC views disclosure and cooperation as significant mitigating factors in the event that any ransom payment is later determined to have a sanctions nexus. Further, companies that facilitate ransomware payments, including financial intermediaries, have their own anti-money laundering obligations under FinCEN regulations, including detecting, preventing, and filing suspicious activity reports for transactions that are indicative of illegal activity.
In addition to the OFAC and FinCEN rules that may apply to cyber-attacks, President Biden signed an executive order earlier this month designed to strengthen cybersecurity and prevent future ransomware attacks by, among other things, changing the manner in which federal agencies approach cybersecurity. Although the executive order applies only to certain companies that do business with the federal government, cybersecurity experts have indicated that wide-scale adoption of the standards identified in the executive order would improve security performance and security standards across all industries. Among other things, the executive order requires the adoption of multi-factor authentication, enhances encryption standards, and requires zero-trust architecture, which means that no device is considered “trusted,” even if it has been previously verified or connected to a managed corporate network. Additionally, the executive order seeks to ease the current limitations on the sharing of information between federal agencies and directs federal agencies to create a response plan to any future cyber-attacks.
Ransomware attacks are designed to strike at the very core of a company’s operations, and a ransomware victim may be without the benefit of the company’s network while it tries to manage the attack. As ransomware attacks become more widespread, it is critical that companies adopt and train on an action plan for responding to a cyber-attack and have a fully developed sanctions compliance program in place to ensure that a ransomware attack does not balloon from a business and reputational risk into civil or criminal liability.