Cyber incident? Get Help
Log In

Coalition | The Coalition Blog.

OFAC advisory update: How does this impact ransomware payments
Catherine Lyle
Note: This blog addresses general ransomware trends that Coalition has observed amongst its policyholders. The information contained may not be applicable for all organizations or in all situations, and should not be used as the basis for legal advice. We recommend that organizations consult with their legal counsel for recommendations specific to their circumstances.

Ransomware has reshaped the cyber landscape, victimizing businesses small and large and capturing the attention of governments worldwide. Coalition’s own H1 2021 Cyber Insurance Claims Report analyzed claims data through June 2021 from customers in the United States and Canada, and the results were staggering. Specifically, Coalition observed the average ransom demand made against its policyholders increase nearly threefold, from $450,000 to $1.2 million per claim. To make matters worse, smaller companies – those with under 250 employees – experienced a 57% increase in attacks.

September 2021 Office of Foreign Asset Control (OFAC) advisory

On September 21, 2021, The U.S. Department of Treasury’s Office of Foreign Asset Control (OFAC) issued an Updated advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, highlighting potential sanctions risks associated with making ransom/extortion payments in response to a ransomware event. While this advisory supersedes previous guidance issued in October 2020, it does not fundamentally alter the stance OFAC takes regarding ransomware payments. Victims of ransomware attacks who opt to make payments are responsible for ensuring that they do not engage in unauthorized transactions prohibited by OFAC sanctions to ensure that money doesn’t end up in the wrong hands. So what are companies to do when they fall victim to a ransomware attack? Below are some of the key takeaways that Coalition has garnered from the recent advisory.

OFAC advisory designation of malicious cyber actors

The vast majority of ransom payments are made via a virtual currency and regulators have taken note. For the first time, OFAC, with assistance from the FBI, designated a virtual currency exchange SUEX OTC, S.R.O. (“SUEX”) as a malicious cyber actor, adding this virtual currency exchange entity to the OFAC sanctions list. This means that victims of ransomware attacks can no longer use the SUEX exchange when transmitting payment.

According to the Treasury Department, over 40% of SUEX’s known transactions are associated with illicit actors. In the last year, OFAC has brought various enforcement actions against digital currency service providers and this scrutiny will likely continue with the rise in ransomware payments.

Ransomware payments

The U.S. Government has not banned ransomware payments. However, the updated advisory reiterates OFAC’s position strongly discouraging ransomware payments that enable criminals and adversaries to profit from their activities and encourage future attacks. Companies subject to OFAC regulations must recognize the sanctions risk in making or facilitating ransomware payments and the potential exposure for civil penalties.  

Additionally, OFAC reiterated its "strict liability" enforcement posture. Essentially, a person or entity may find themselves legally liable for ransomware payments to a sanctioned person or embargoed country. In fact, OFAC can hold a person or entity liable despite having no way of knowing that a transaction — in this case, a ransomware payment — involved a specially designated national (SDN), blocked person, or embargoed country.  

Thus, the advisory strongly advises companies to report any ransomware payments to the appropriate agencies. Additionally, companies can implement cybersecurity preventive measures.

Recommendations

While the U.S. government strongly discouraged ransomware/extortion payments, it did encourage victims of ransomware to consider taking the following action:

  1. Contact OFAC immediately if you believe a request for ransomware payment may involve an entity or person on OFAC’s SDN List to receive voluntary self-disclosure credit. Failure to do so may result in substantial fines and penalties.
  2. Cooperate with OFAC and law enforcement agencies, including CISA, Department of Treasury, and the FBI, by filing an IC3 report or reaching out to a local office. This self-initiated reporting will be taken into consideration if it is later found that the payment was made in violation of OFAC.
  3. Should you discover a person or entity you are going to pay is on the SDN List, you may seek a license from OFAC before making any payment.
  4. OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations.

The advisory directs companies to use “risk-based compliance” measures. This includes improving a company’s security posture by implementing cybersecurity best practices found in CISA’s Ransomware Guide. By improving your company’s cyber security awareness and compliance, it is understood that Treasury will look favorably upon the company and see these actions as a “significant mitigating factor in any OFAC enforcement response.”

What this means for you and how Coalition can help

You may be wondering what this means for you, a broker partner, or a business with a cyber insurance policy through Coalition. For our policyholders and brokers, nothing has changed. Coalition maintains a robust compliance program that includes measures and procedures to ensure any transactions are performed in accordance with all applicable laws and regulations, including OFAC regulations.

Coalition understands that no technology is 100% secure; attack tactics and techniques are constantly evolving, and a sophisticated ransomware attack can result from just one wrong click. That’s why we believe in incentivizing our policyholders’ use of cybersecurity best practices that demonstrably decrease the risk of ransomware and other cyber threats. Attack surface management is the first step in proactive cybersecurity, and Coalition Control offers advanced attack surface monitoring and alerting to any organization. Sign up for free today and get unmatched visibility into your organization’s I.T. infrastructure, including detailed recommendations for fixing discovered security vulnerabilities. Also inside Coalition Control is our partner ecosystem, which provides policyholders with access to discounts on services such as phishing training, two-factor authentication, and other cybersecurity tools.

Coalition’s mission to solve cyber risk is unchanged. We are committed to working with our policyholders on every step of their cybersecurity journey, including working with our insurers and other third parties to facilitate ransomware payments as appropriate in accordance with applicable laws, including OFAC regulations. If you have questions about ransomware prevention and security measures, feel free to contact our team.

Coalition’s products are offered with the financial security of Swiss Re Corporate Solutions* legal entities (A.M. Best A+ rating), Lloyd’s of London (A.M. Best A rating), Arch Specialty Insurance Company (A.M. Best A+ rating), and Argo Pro US** (A.M. Best A- rating).
WHAT WE DO
© 2021 Coalition, Inc. | Licensed in all 50 states and D.C. | CA License # 0L76155
*Insurance products may be underwritten by North American Capacity Insurance Company, North American Specialty Insurance Company, or an affiliated company, which are members of Swiss Re Corporate Solutions. **Insurance products may be underwritten by Peleus Insurance Company, Colony Specialty Insurance Company, or an affiliated company, which are members of Argo Group US, Inc.