On 21 September 2021, the Office for Financial Assets Control (“OFAC”) released follow-up guidance to its initial advisory of October 2020. The US government has stated that this forms a wider campaign in its battle against cyber threat actors. Since assuming residence in the Oval Office, President Biden has led a campaign against cyber threat actors. This campaign has been managed with the support of the US Treasury, specifically the Office of Financial Control. The most recent action involves providing further information on the sanctions risks associated with paying or facilitating ransom payments arising from a cyber-attack, and the first imposition of sanctions on a cryptocurrency exchange (SUEX).

At the time of issuing its advisory note, OFAC confirmed that it had designated SUEX as a cyber actor associated with cybercrime. With the assistance of law enforcement and specialist forensic providers, OFAC confirmed that over 40% of transactions publicly available were associated with threat actors or other illicit entities. In line with advisory (and to demonstrate the gravity of this announcement), OFAC designated SUEX as having provided ‘material support’ to known ransomware groups. This designation effectively means that all property and proprietary interests are blocked (if subject to U.S. jurisdiction) and US persons should not partake in any transactional engagement with SUEX. Whilst in the U.S. any engagement may result in enforcement action, it is likely that the effects of this decision will reverberate throughout the world, given the weight that OFAC has. It appears that the battleground in the fight against ransomware is now firmly in the world of cryptocurrency.

In the advisory note, OFAC confirmed that any perpetrator will be subject to strict liability regarding enforcement action. Consequently, there is no requirement for the individual to know or to reasonably known that a transaction was in breach of the OFAC guidelines. Whilst the position may appear heavy handed, OFAC has also confirmed specific factors to be taken into consideration in the event of any potential violation. These centre around incident response planning and management, in addition to cooperation with law enforcement.

The first mitigating factor predominantly focusses around law enforcement communications. This is not merely from the victim but from IR providers, negotiators and breach response counsel. OFAC appears to encourage law enforcement engagement at an early stage, rather than mere notification of the incident or notification following payment of any ransom. Whilst we assume this will predominantly be for threat intelligence gathering, OFAC has also tried to sugar coat the position by stating that it will assist in confirming whether a victim is intending to pay a sanctioned entity. 

We also note that OFAC has confirmed that, when considering enforcement action, it will look favourably on an organisation that took steps to protect itself against a cyber incident and broadly to reduce its own cyber exposure. This approach appears to encourage cyber hygiene for all organisations, especially with the carrot that an organisation that falls victim, despite best efforts will, be treated favourably. The same is applicable to a robust sanctions regime.

This announcement will have a far reaching effect for both the insurance and corporate communities and will impact any organisation subject to U.S. jurisdiction. The 2020 advisory substantially impacted the approach taken by insurers to support its insureds in payment of a ransom, and it is likely that this will have an even wider effect. What is commendable is that OFAC acknowledges that an organisation is not infallible. An organisation may suffer an incident despite its best efforts and this is a key factor to consider during the application of any enforcement action.