The US Treasury Department’s Office of Foreign Assets Control (OFAC) published an advisory on October 01, 2020, that reiterates the prohibition of ransomware payments – and their reimbursement under cyber insurance policies – to any person on the “Specially Designated Nationals and Blocked Persons” (SDN) list. Under OFAC’s standard of strict liability, any US company that pays or facilitates the payment of a ransom demand to an SDN can be sanctioned, even if they weren’t aware the transaction was being made to a prohibited entity.
OFAC’s advisory is very timely given the increase in the frequency and severity of ransomware attacks worldwide over the past few years. As explained in a briefing from Marsh’s US Cyber Practice: “Attackers are using ransomware to target businesses of all sizes with greater frequency, and their attacks are growing more severe. Ransom demands of $1 million or more are now routine, and some demands have exceeded $10 million.”
While the OFAC advisory sparked some initial concern, all it is really doing is highlighting the sanction risks and reminding US companies – including cyber insurers and ransom payment facilitators – that a strict regulatory framework exists around ransomware.
Reid Sawyer, head of US Cyber Risk Consulting at Marsh, commented: “The procedures highlighted by OFAC around SDNs – the list of people we can’t deal with or pay extortion amounts to – have long been in place. What’s significant about this advisory is that the US Treasury Department is starting to designate groups that are executing ransomware attacks. That’s because ransomware has increased with significant velocity in recent years, and we’re dealing with it on a much different scale than ever before. In fact, this advisory is very much a public service, reminding companies of their obligations. It really gives a roadmap for corporations in working with advisors like Marsh or other brokers to be thinking about how to navigate these waters.”
The advisory should not come as a surprise or a challenge to the insurance industry. What OFAC is demanding has long been in place for other policies like kidnap & ransom, and insurers are used to dealing with these types of regulations. But it does potentially put corporations in a trickier spot, according to Sawyer, especially when it comes to determining the attribution of an attack, and then having to think about executing OFAC compliance measures at speed.
To reduce their risk of an OFAC sanctions violation, businesses can conduct an OFAC review, which is often carried out by a ransom payment facilitator, before paying any ransomware demand. This review typically happens quickly and automatically. Similar to anti-money laundering or Foreign Corrupt Practices Act checks, corporations can cross-reference the individuals and groups demanding payment – and the payment addresses they supply – against the Treasury’s SDN list.
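As an added illustration of the cross-reference described above (example code written for this page, not code from the article, Marsh, or OFAC), the routine below screens a ransom demand's actor alias and payment addresses against a sanctions list. It parses a constructed excerpt laid out like Treasury's sdn.csv and alt.csv files; that column layout, and the "Digital Currency Address - XBT …;" convention in the Remarks field, are assumptions about the published format and should be verified against the current OFAC file specification before being relied on. Every entity number, name, program tag and address in the sample is invented.

```python
"""Screen a ransom demand against an SDN-style sanctions list (added example).

The records below are CONSTRUCTED placeholders in the column layout of
OFAC's sdn.csv and alt.csv files as assumed here; the real files are
published by Treasury and must be fetched fresh before any screening
decision. All names, programs, entity numbers and addresses are invented.
"""
import csv
import io
import re
import unicodedata

# Constructed excerpt in the assumed sdn.csv layout (12 columns:
# ent_num, SDN_Name, SDN_Type, Program, Title, Call_Sign, Vess_type,
# Tonnage, GRT, Vess_flag, Vess_owner, Remarks). "-0-" marks an empty field.
SDN_CSV = """\
90001,"SAMPLE CRYPTO EXCHANGE",-0-,"CYBER2",-0-,-0-,-0-,-0-,-0-,-0-,-0-,"Digital Currency Address - XBT 1SampleXbtAddr0000000000000000001; Digital Currency Address - ETH 0x00sample0000;"
90002,"DOE, Jane",individual,"CYBER2",-0-,-0-,-0-,-0-,-0-,-0-,-0-,"DOB 01 Jan 1980; Digital Currency Address - XBT 1SampleXbtAddr0000000000000000002;"
"""

# Constructed excerpt in the assumed alt.csv layout
# (ent_num, alt_num, alt_type, alt_name, alt_remarks).
ALT_CSV = """\
90001,1,"a.k.a.","SAMPLE EXCHANGE LTD",-0-
90002,1,"a.k.a.","DARKSAMPLE",-0-
"""

# Assumed Remarks convention: "Digital Currency Address - <CURRENCY> <address>;"
ADDR_RE = re.compile(r"Digital Currency Address - ([A-Z0-9]+) (\S+?);")


def normalize(name: str) -> str:
    """Strip accents, punctuation, case and token order so 'Doe, Jane' == 'JANE DOE'.

    Deliberately loose: a hit is a trigger for human review, not a determination.
    """
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(re.findall(r"[A-Z0-9]+", ascii_name.upper())))


def load_sdn(sdn_text: str, alt_text: str) -> dict:
    """Build {ent_num: {name, program, names (normalized set), addresses {(cur, addr)}}}."""
    entries = {}
    for row in csv.reader(io.StringIO(sdn_text)):
        ent, name, _sdn_type, program, *_middle, remarks = row
        entries[ent] = {
            "name": name,
            "program": program,
            "names": {normalize(name)},
            "addresses": set(ADDR_RE.findall(remarks)),
        }
    # Aliases live in the separate alt file and must be merged in, or
    # a demand signed with an a.k.a. slips past the check.
    for ent, _alt_num, _alt_type, alt_name, _alt_remarks in csv.reader(io.StringIO(alt_text)):
        if ent in entries:
            entries[ent]["names"].add(normalize(alt_name))
    return entries


def screen(demand: dict, entries: dict, extra_names=()) -> list:
    """Return hits for demand = {"actor": str, "addresses": {(currency, address)}}.

    extra_names is an optional internal list of threat-actor names that the
    facilitator maintains on top of the SDN list (not required by OFAC).
    """
    actor = normalize(demand.get("actor", ""))
    hits = []
    for ent, entry in entries.items():
        reasons = []
        if actor and actor in entry["names"]:
            reasons.append(f"name match on {actor!r}")
        for cur, addr in demand.get("addresses", set()):
            if (cur, addr) in entry["addresses"]:
                reasons.append(f"{cur} address {addr}")
        if reasons:
            hits.append({"ent_num": ent, "sdn_name": entry["name"],
                         "program": entry["program"], "reasons": reasons})
    if actor and actor in {normalize(n) for n in extra_names}:
        hits.append({"ent_num": "INTERNAL", "sdn_name": demand["actor"],
                     "program": "internal denylist", "reasons": ["internal list match"]})
    return hits


def screen_constructed_demand() -> list:
    """Constructed demand: alias of one entry plus the BTC address of another."""
    entries = load_sdn(SDN_CSV, ALT_CSV)
    demand = {"actor": "darksample",
              "addresses": {("XBT", "1SampleXbtAddr0000000000000000001")}}
    return screen(demand, entries)


if __name__ == "__main__":
    for hit in screen_constructed_demand():
        print(hit["ent_num"], hit["sdn_name"], hit["program"], "; ".join(hit["reasons"]))
```

The two things worth noticing are that the alias file has to be merged before screening (an a.k.a. alone would otherwise pass) and that the payment address is a stronger signal than the name, since a group can rename itself but the address in the ransom note is what the funds actually go to. Production screening adds fuzzy name matching and, as the text notes, the facilitator's own supplementary list.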
Following OFAC’s recent advisory, this review and check should now become automatic procedure in a ransomware event, said Sawyer. He added: “It’s also important for organizations to bring the chief information security officer (CISO) to the table to make sure they have a role in the OFAC compliance regime. Typically, when you think about OFAC compliance, the CISO hasn’t had to be at the table in the past, but now it’s all about getting that technical data and that understanding, and the attribution as best as it is known at the time, and making sure that the compliance process is running as a standard operating procedure.”
As well as contemplating ransomware as a potential OFAC exposure and getting the CISO involved with OFAC compliance, there are other actions companies can take to ensure they have a best practice cyber incident response plan that meets OFAC’s demands.
“Companies need to operate at a higher standard now,” Sawyer told Insurance Business. “They must have a compliance plan, and they need to understand how to execute that plan before an event happens. From crisis management, to business continuity, to disaster recovery, to cyber incident response plans – they all have to be aligned so that companies can streamline their response and remain compliant.”
Corporations also need to think about how they might be exposed to third-party risk. As Marsh explains in its briefing: “Beyond ensuring their own compliance with OFAC policies, businesses should be mindful that their payment facilitators, cyber insurers, and participating financial institutions are also subject to OFAC regulations. At the time of an incident, ransom negotiators generally take the lead in this type of analysis and can supplement the OFAC SDN list with their own list of prohibited threat actors; although this step is not specifically required by OFAC, it can offer added protection. Organizations should also seek an OFAC certification from a ransom payment facilitator after any payment is made.”
The insurance brokerage and agency community can play a key role in helping organizations to understand the OFAC advisory and respond accordingly. Sawyer noted: “The brokerage community needs to bring an integrated advisory perspective to our clients, in terms of our ability to talk to them about the comprehensiveness of their incident response plans, their crisis management plans, and their compliance regimes. It’s this complete, integrated solution that our clients require under these times and with this OFAC advisory.”