ARTICLE
4 November 2020

U.S. Government Says Ransomware Payments May Violate The Financial Sanctions Regime

Pearl Cohen Zedek Latzer Baratz

Contributor

Pearl Cohen is an international law firm with offices in Israel, the United States, and the United Kingdom. Our strength is derived from decades of legal experience and an intimate knowledge of the cutting edge technological, legal, and transactional issues facing our clients in local and cross border matters. This combination of experience and knowledge allows us to provide sound and innovative advice to clients worldwide.

The U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") published an advisory regarding the risks entailed in facilitating ransomware payments related to malicious cyber-enabled activities. The advisory explains that companies that facilitate ransomware payments to cyber actors on behalf of victims not only encourage future ransomware payment demands but also may risk violating OFAC regulations.

OFAC explains that under the International Emergency Economic Powers Act (IEEPA), U.S. persons are prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List). Additionally, any transaction that causes a U.S. person to violate any IEEPA-based sanctions is also prohibited. Violation of the sanctions regime may give rise to civil penalties imposable by OFAC as a strict liability offense, even if the person or entity involved did not know or have reason to know it was engaging in a transaction with a person that is prohibited under the SDN List.

OFAC recommends that financial institutions and organizations that engage with victims of ransomware attacks apply a risk-based compliance program to mitigate exposure to sanctions-related violations. OFAC states that in the event of a violation, it may consider mitigating factors in determining the violating organization's liability, such as the organization's self-initiated, timely, and complete report of a ransomware attack to law enforcement as well as the organization's cooperation with law enforcement.

OFAC also mentions that victims and those involved with addressing ransomware attacks may contact OFAC and request a license to pay or facilitate the payment demand. However, such applications will be reviewed on a case-by-case basis with a presumption of denial.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
